New Wave of Mikroceen RAT Backdoors Target Asian Countries

State-sponsored APTs are often seen targeting government and private organizations using state-of-the-art tools and sophisticated attack vectors. This time, a continuously evolving backdoor RAT named Mikroceen has been used in various targeted campaigns against both public and private subjects since late 2017. Attacks using the samples were also observed in other regions, indicating that the group is still running its operations using the same toolset.

What happened

An advanced persistent threat (APT) group attempted to infiltrate a governmental institution and a few other corporate networks.
  • In May 2020, attackers used a set of backdoors collectively referred to by the name Mikroceen. The individual backdoors were identified by the names “sqllauncher.dll”, “logon.dll”, and “logsupport.dll”.
  • The Mikroceen backdoors were found targeting several high-profile organizations in the telecom and gas industries, and governmental entities in the Central Asian region. These victims were not private individuals, but rather endpoints in corporate networks.
  • The backdoors paved the way for the deployment of other malware such as Gh0st RAT and Mimikatz. The attackers also relied on Windows Management Instrumentation (WMI) to set strict proxy security and to access local resources.
  • In this campaign, the majority of the C&C servers are registered to Choopa, LLC, a hosting platform that has been used by cybercriminals in the past. A GoDaddy registrar was also used early on in the campaign, but those servers were soon removed.

The connection with previous attacks

The samples analyzed by ESET and Avast contain links to malware samples and campaigns from the past. All these operations were linked through the use of common toolsets that share similar code.
  • There were several connecting dots between the latest campaign and three previously published intel reports: Kaspersky’s Microcin targeting Russian military personnel, Palo Alto Networks’ BYEBY against the Belarusian government, and Check Point’s Vicious Panda against the Mongolian public sector.
  • The latest sample files (the COVID campaign from 2020) have several correlations (code similarities) to the Microcin sample from 2017, the BYEBY sample from 2017, and Vicious Panda.
  • Analysis of the toolsets used, especially the use of the RTF weaponizer in the infection vector, connects this campaign to an APT group from China. The group is suspected to be behind attacks active in Mongolia, Russia, and Belarus. The targeted companies and institutions, as well as the malware code analysis, point to an APT group.

Stay safe

Besides having effective countermeasures in place (like firewalls, antivirus and IDS/IPS), organizations should consider maintaining and sharing actionable intelligence about advanced threats, such as malicious file hashes, IP addresses, domains, URLs, and TTPs, to ensure timely identification and collective proactive remediation.