A Remote Access Trojan was found to be attacking governments and high-profile companies in Central Asia since 2017. This was technically detailed by security researchers from ESET along with Avast, after many other researchers. The RAT, named as Mikroceen by ESET, can plant backdoors and gain deep footholds into the network, which can be later used for data-stealing or other exploitations.
Central Asian Countries as Target
The targets of this RAT are popular telecommunications and gas industries, both private and public companies. Researchers say it’s even existing in a few governments’ networks like Russia, Belarus, and Mongolia. This trojan was first explained by Kaspersky as Microcin in 2017, followed by Palo Alto Networks as BYEBY and by Checkpoint as Vicious Panda. This was now studied in detail by Kaspersky and Avast researchers.
They admit their inability to know the malware’s tools gained access into the network but explained how it worked after attaining access. Firstly, the attacker with the below code will install a RAT on the target system and tries to crawl laterally throughout the network. This was done using several tools like;
Using Various Tools To Spread
Mimikatz is an open-source tool for bypassing Windows authentication schemes and dump login credentials from memory. While this was developed for red teams as cybersecurity researchers for good cause, it’s often used for exploitations by attackers. Here, it was used to deliver a dropper as installer.exe or Yokel64.exe, which further brings the main payload and an indicative external DLL as mktz64.dll.
Via Windows Management Instrument
Further, attackers used the legitimate Windows tool WMI to spread across the hosting network. Initially, it prepares a remote console to target machine, through the <ComputerName>, <UserName> and
<Password>. These will be obtained using WMI. Now, proxy security is set to let the attacker’s C2 to gain deep access into the victim’s system resources, and eventually create a process according to the attacker’s parameters.
The Gh0st RAT
This trojan is used to connect to a hacker domain, which revealed much about this hack. This RAT will be found as rastls.dll in compromised PC and tries to connect to https://yuemt.zzux[.]com:443 domain. It’s IP address was resolved to locate the server somewhere in China, but still, it’s a kind of proxy.
Researchers have even found the server-side client, where the UI seemed too old. But hackers, in this case, using SSL connections, using a variety of tools including the legitimates as from Windows and several layers of obfuscation are appreciated for hiding better. While they’re actively targeting companies and governments in Central Asia, researchers are yet to find out how exactly they’re gaining a foothold into targeted machines in the first place.