Chinese-speaking APT LuckyMouse uses malicious NDISProxy drivers to distribute Trojans

• LuckyMouse - also known as EmissaryPanda and APT27 - has been using certificates belonging to Chinese software developer LeagSoft.
• The threat group Windows network filtering driver NDISProxy in both 32- and 64-bit versions signed with the legitimate digital certificates
  

LuckyMouse, a Chinese-speaking threat group, has returned with a new campaign that leverages NDISProxy drivers and legitimate certificates belonging to a legitimate Chinese IT firm to spread Trojans. Kaspersky Lab researchers said the campaign has been targeting several Central Asian governments' entities in late March via compromised networks.

The campaign appears to be highly targeted and linked to a recent "high-level meeting," researchers wrote in a blog post.

LuckyMouse - also known as EmissaryPanda and APT27 - has been using certificates belonging to Chinese software developer LeagSoft, a software firm located in Shenzhen, Guangdong, that seem to be stolen.

In the new campaign, the group exploits the Windows network filtering driver NDISProxy in both 32- and 64-bit versions that are signed with the legitimate digital certificates. The malicious NDISProxy tool is used to inject the lsass.exe system process memory with a Trojan using Shellcode.

The malicious payload consists of three modules including a custom C++ installer to create a Windows autorun service for persistency and a NDISProxy driver that decrypts and injects the Trojan into memory and filters port 3389 traffic to hide the Trojan's malicious activities and evade detection. The third module is a last-stage C++ remote access Trojan (RAT) which acts as a HTTPS server and works together with the driver.

"These modules allow attackers to silently move laterally in the infected infrastructure, but don’t allow them to communicate with an external C2 if the new infected host only has a LAN IP," researchers said. "Because of this, the operators used an Earthworm SOCKS tunneler in order to connect the LAN of the infected host to the external C2. They also used the Scanline network scanner to find file shares (port 135, Server Message Block, SMB) which they use to spread malware with administrative passwords, compromised with keyloggers."

The Trojan itself is a fully-featured RAT that is capable of command execution, keylogging as well as downloading and uploading files.

"This Trojan is used by attackers to gather a target’s data, make lateral movements and create SOCKS tunnels to their C2 using the Earthworm tunneler," researchers said. "This tool is publicly available and popular among Chinese-speaking actors. Given that the Trojan is an HTTPS server itself, we believe that the SOCKS tunnel is used for targets without an external IP, so the C2 is able to send commands."

Although researchers have noted that attribution is difficult, Kaspersky believes that politics are a major motive in this campaign.

"This campaign appears to demonstrate once again LuckyMouse's interest in Central Asia and the political agenda surrounding the Shanghai Cooperation Organization," researchers said. The security firm has notified LeagSoft of the issue via CN-CERT as well.