New MontysThree toolset targets industrial entities


A new toolset has been uncovered that has been leveraged in cyber espionage campaigns against industrial targets since 2018. The threat actor, dubbed “MontysThree” by Kaspersky researchers who discovered the campaign, uses an array of techniques to evade detection, including hosting its communications with the control server on public cloud services and hiding the main malicious module using steganography.


The researchers say that cyber espionage attacks against industrial holdings are far more unusual than campaigns against government entities, diplomats, or telecom operators.


According to Kaspersky, the malware deployed by the threat actor is comprised of four modules, including a loader that is spread using RAR SFX files (self-extracting archives) whose file names refer to employees' contact lists, technical documentation, and medical analysis results, to trick employees into downloading the files. To keep the malware undetected on the system, the module uses steganography, a technique that allows malicious actors to conceal the fact that data is being exchanged at all.


In this case the main payload is disguised as a bitmap file (a format for storing digital images). Upon receiving a specific command, the loader uses a custom-made algorithm to decrypt the payload from the image's pixel array and then runs it.
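To show how a defender might triage bitmap files for the kind of hidden payload described above, here is an added example (not Kaspersky's code and not part of the MontysThree toolset) that parses BMP headers and flags size mismatches, trailing data and a high-entropy pixel array; the sample images, the 7.0 bits/byte threshold and the function names are constructed assumptions, since the page does not disclose the loader's custom algorithm.

```python
import math
import random
import struct

def make_bmp(width, height, pixels):
    """Build a minimal 24-bit BMP (14-byte file header + 40-byte info header)."""
    row = (width * 3 + 3) & ~3            # BMP rows are padded to 4 bytes
    pixel_size = row * height
    offset = 14 + 40
    file_hdr = struct.pack("<2sIHHI", b"BM", offset + pixel_size, 0, 0, offset)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                           pixel_size, 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels[:pixel_size].ljust(pixel_size, b"\0")

# Constructed samples (assumption, not campaign artefacts): a flat 16x16 image,
# and the same image whose pixel array holds pseudo-random bytes standing in
# for an encrypted payload hidden in the pixel data.
CLEAN_BMP = make_bmp(16, 16, bytes([0x40, 0x80, 0xC0]) * 256)
_rng = random.Random(1337)
STEGO_BMP = make_bmp(16, 16, bytes(_rng.getrandbits(8) for _ in range(768)))

def shannon_entropy(data):
    """Bits per byte: ~8.0 for encrypted or compressed data, low for flat art."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def inspect_bmp(blob, entropy_threshold=7.0):
    """Parse the BMP headers and return a list of structural/statistical oddities."""
    if len(blob) < 54 or blob[:2] != b"BM":
        return ["not a BMP file"]
    findings = []
    declared_size, _, _, offset = struct.unpack_from("<IHHI", blob, 2)
    _, width, height, _, bpp = struct.unpack_from("<IiiHH", blob, 14)
    expected = ((width * bpp // 8 + 3) & ~3) * abs(height)
    pixels = blob[offset:offset + expected]
    if declared_size != len(blob):
        findings.append("declared size %d != actual %d" % (declared_size, len(blob)))
    if len(blob) > offset + expected:
        findings.append("%d trailing bytes after pixel array" % (len(blob) - offset - expected))
    ent = shannon_entropy(pixels)
    if ent > entropy_threshold:
        findings.append("pixel array entropy %.2f bits/byte (encrypted data?)" % ent)
    return findings

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_BMP), ("stego", STEGO_BMP)):
        print(name, inspect_bmp(blob) or ["no findings"])
```

Uncompressed photographs can also score high on entropy, so treat this as a triage signal to combine with context (the RAR SFX delivery, the file's origin) rather than a verdict.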


“The main malicious payload uses several encryption techniques of its own to evade detection, namely the use of an RSA algorithm to encrypt communications with the control server and to decrypt the main ‘tasks’ assigned from the malware,” the researchers said.


According to Kaspersky, the MontysThree malware is designed to specifically target Microsoft and Adobe Acrobat documents. Its functionality also includes the ability to capture screenshots and gather information about network settings, the host name and other data that helps the threat actor determin ..
