Chinese cyberespionage hacker group APT15 deploys new MirageFox malware

Chinese government-linked hacker group APT15 has been found using a new malware called MirageFox that seems to be an upgraded version of an old remote access tool. The cyberespionage group - also known as RoyalAPT, Vixen Panda, Playful Dragon and Ke3change - has previously launched attacks against various targets worldwide including government contractors, military organizations, the oil sector and more.

According to security researchers at Intezer, APT15’s MirageFox is a new version of their older Mirage RAT that first appeared in 2012. Similar to other malware samples created by APT15, MirageFox can harvest information such usernames, CPU information and more. The malware then sends the stolen data to the C2 server, opens up a backdoor and waits for a command.

“There is high confidence that MirageFox can be attributed to APT15 due to code and other similarities in the MirageFox binaries,” Intezer researchers said. “As is known about APT15, after infiltrating their target, they conduct a lot of reconnaissance work, send the commands from the C&C manually, and will customize their malware components to best suit the environment they have infected.”

APT15 is known for “living off the land”, which means the hackers use readily available online tools and software to carry out their attacks. Once the hackers have infiltrated the victims’ networks, they tailor their malware specifically to attack targets.

Intezer researchers said MirageFox has only been recently uploaded to VirusTotal and has very few detections so far. Another Chinese-linked malware called Reaver, which appears to share minimal code with MirageFox, also has very few detections on VirusTotal.

“The MirageFox binaries export a function called dll_wWinMain, the name of an export in vsodscpl.dll, a module by McAfee that is loaded by a few of their executables that import and call this function,” Intezer researchers wrote in a blog. “This most likely means there is some type of DLL hijacking going on by distributing a legitimate McAfee binary with MirageFox to load up the DLL properly into a legitimate looking process. DLL hijacking techniques have been seen in the past with the APT15 group.”

Discovery of the new MirageFox campaign comes at the heels of an attack against a US Navy contractor, which saw hackers steal over 600 GB of highly sensitive and classified military data on submarine warfare. The attack is believed to have been perpetrated by Chinese-linked cyberespionage hackers. However, the Chinese Embassy has reportedly denied any knowledge of the attack, stating that it strongly upholds cybersecurity.