Threat advisories


4 min to read

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cyber security threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, I share the top two cyber security threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

1) APT15 Resurfaces with New Exploitation Tools

A cyber-espionage group believed to be operating out of China has developed a new piece of malware that appears to be based on one of the first tools used by the threat actor known as APT15, Ke3chang, Mirage, Vixen Panda, Royal APT and Playful Dragon. The Group has been known to target organizations in the defense, high tech, energy, government, aerospace, manufacturing and other sectors.
Attack Description:
The new malware, MirageFox is based on a string found in one of the components of Mirage malware and shares code with both Mirage and Reaver. Experts have found significant similarities to the original Mirage malware, including the code used for a remote shell and the function for decrypting command and control (C&C) configuration data.
The initial infection vector is still unclear, however, as per the submission on Virus Total and code review by the researchers, MirageFox first collects information about the computer like the username, CPU information, architecture, and so forth. Then it sends this information to the C&C, opens a backdoor, and lies in wait for commands from the C&C with functionality such as modifying files, launching processes, terminating itself, and more functionality typically seen in APT15’s Remote Access Tools (RATs).
The malware appears to abuse a legitimate McAfee binary to load malicious processes through DLL hijacking. APT15 has been known to use DLL hijacking in its campaigns.

  • Keep operating systems and software up-to-date with the latest patches.
  • Maintain up-to-date antivirus software, and scan all software downloaded from the internet before executing.
  • Restrict users’ abilities (permissions) to install and run unwanted software applications and apply the principle of least privilege to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
  • Scan for and remove suspicious email attachments.
  • Enable a personal firewall on organization workstations and configure it to deny unsolicited connection requests.
2) LuckyMouse Campaign Delivers Country-Level Watering Hole Attacks

National data centers in Central Asia are being targeted as cybercriminals have been going after a wide range of government resources. They gain access by inserting malicious scripts in official government websites to conduct watering hole attacks.
It is suspected that Chinese speaking threat actors EmissaryPanda and APT27 are behind this campaign dubbed ‘LuckyMouse’. It is believed one of the aims of this campaign is to access web pages via the data center and inject JavaScripts into them.
Attack Description:
The initial module drops three files- a legitimate Symantec pcAnywhere (IntgStat.exe) for DLL side loading, a .dll launcher (pcalocalresloader.dll) and the last-stage decompressor (thumb.db). As a result of all these steps, the last-stage Trojan is injected into svchost.exe’s process memory.
The launcher module, obfuscated with the notorious Metasploit’s shikata_ga_nai encoder, is the same for all the droppers. The resulting deobfuscated code performs typical side loading wherein it patches pcAnywhere’s image in memory at its entry point. The patched code jumps back to the decryptor’s second shikata_ga_nai iteration, but this time as part of the whitelisted application.
This Metasploit’s encoder obfuscates the last part of the launcher’s code, which in turn resolves the necessary API and maps thumb.db into the same process’s (pcAnywhere) memory. The first instructions in the mapped thumb.db are for a new shikata_ga_nai iteration. The decrypted code resolves the necessary API functions, decompresses the embedded PE file with RtlCompressBuffer() using LZNT1 and maps it into memory. The operators used the HyperBro Trojan as their last-stage in-memory remote administration tool (RAT).
As a result, the websites were compromised to redirect users to instances of both ScanBox and Beef. Users were redirected to https://google-updata[.]tk:443/hook.js, a BEeF instance, and https://windows-updata[.]tk:443/scanv1.8/i/?1, an empty ScanBox instance that answered a small piece of JavaScript code.

  • Apply regular updates to applications and the host operating system to ensure protection against known vulnerabilities.
  • Ensure a secure configuration of web servers. All unnecessary services and ports should be disabled or blocked or restricted where feasible. This can include whitelisting or blocking external access to administration panels and not using default login credentials.
  • Employ user input validation to restrict local and remote file inclusion vulnerabilities.
  • Conduct regular system and application vulnerability scans to identify areas of risk.

As always, at Help AG, we’re here to help you protect against these any other cyber threats so please reach out to us for all your cyber security needs.
Blog By:
Shaikh Azhar, Cyber Security Analyst at Help AG

Share this article

Upcoming event

Black Hat MEA 2024

  • KSA
  • Riyadh