pcleft.blogg.se

Use of steganography in cyber espionage













Since there is a lack of overlapping TTPs between this campaign and other known campaigns, the activity is attributed to a new actor. The security researchers attribute it to a Russian-speaking threat actor targeting Cyrillic Windows versions, not a Chinese threat actor. There is also use of Chinese false flags: the emails used for cloud server authentication were likely made to look Chinese. MT3 uses custom steganography (hiding files and data within other files) and encryption (custom XOR-based, 3DES and RSA) to encrypt and decrypt its communications, and it seeks out directories that exist only on Cyrillic (Slavic, Turkic, Mongolic and Iranic-speaking countries) localized Windows versions. MontysThree searches for specific MS Office and Adobe Acrobat files stored in document directories and on removable media. In recent years there has been an increase in malware that is developed like commercial software, with the intention of prolonged use and maintenance.


#Use of steganography in cyber espionage software

Code modularity is a real-world practice in the software development life cycle (SDLC) that promotes the reuse, replacement, and upgrading of modules to make code development more efficient. The malware contains modules for persistence, a bitmap with steganography, decryption of configuration tasks, execution, and network communication with legitimate public cloud services. The research team noticed no similarities at the code level with other attack infrastructures or TTPs, and thus considers it to be a new threat actor.


In Summer 2020, Kaspersky ‘SecureList’ uncovered a multi-module C++ toolset used in a highly targeted industrial espionage attack dating back to 2018.

MontysThree – Industrial Espionage with Steganography
Friday, October 9th, 2020 | Cyber Threats












