Kaspersky researchers have discovered a series of targeted attacks against industrial systems, starting in 2018.
Although much rarer than attacks on diplomats and political actors, such espionage campaigns can be very dangerous.
The toolkit – originally called MT3 by its authors and classified by Kaspersky as “MontysThree” – uses a variety of techniques to evade detection, including hosting its communications with the control server on public cloud services and hiding the main malware module using steganography.
How does MontysThree work?
In order to carry out its espionage actions, MontysThree installs a malware program consisting of four modules.
The first – the loader – is initially deployed using SFX RAR files (self-extracting archives) whose names refer to employee contact lists, technical documentation or medical test results, to entice employees into opening the files – a common spear-phishing technique.
The loader's first job is to make sure the malware is not detected on the system, and for this it uses a technique known as steganography.
Steganography is used to hide the fact that data is being exchanged. In the case of MontysThree, the main malware module is disguised as a bitmap file (a format for storing digital images).
Once the correct command is entered, the loader uses a custom algorithm to decrypt the contents of the pixel array and run the malware code.
The main module uses several encryption techniques to evade detection, namely an RSA algorithm to encrypt communications with the control server and to decrypt the main “tasks” assigned to the malware.
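As an added, defender-side illustration of the technique described above (this is not Kaspersky's code, and it does not reproduce the malware's custom algorithm), the script below parses a BMP's file and DIB headers, locates the pixel array, and flags a bitmap whose pixel data has ciphertext-like entropy or carries bytes appended past the image. The 7.5-bit threshold and the sample images are constructed assumptions.

```python
import hashlib
import math
import struct
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # assumed cut-off; uncompressed photos sit well below 8 bits/byte

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 to 8.0); values near 8 suggest encrypted or compressed data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def triage_bmp(blob: bytes) -> dict:
    """Parse the BMP file header and BITMAPINFOHEADER, locate the pixel array,
    and flag a file whose pixels look like ciphertext or that carries trailing data."""
    if len(blob) < 54 or blob[:2] != b"BM":
        raise ValueError("not a BMP file")
    declared_size, pixel_offset = struct.unpack_from("<I4xI", blob, 2)   # bfSize, bfOffBits
    width, height, _planes, bpp = struct.unpack_from("<iiHH", blob, 18)  # biWidth..biBitCount
    stride = ((width * bpp + 31) // 32) * 4                              # rows padded to 4 bytes
    pixel_len = stride * abs(height)
    pixels = blob[pixel_offset:pixel_offset + pixel_len]
    entropy = shannon_entropy(pixels)
    trailing = max(len(blob) - (pixel_offset + pixel_len), 0)
    return {
        "width": width, "height": height, "bpp": bpp, "entropy": round(entropy, 3),
        "trailing_bytes": trailing, "size_mismatch": declared_size != len(blob),
        "suspicious": entropy > ENTROPY_THRESHOLD or trailing > 0,
    }

def build_bmp(width: int, height: int, pixels: bytes) -> bytes:
    """Wrap raw 24-bpp pixel rows in a minimal BMP container (only used to build the samples)."""
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54) + dib + pixels

W = H = 64
# Constructed benign sample: a smooth gradient, with the low entropy of a real picture.
GRADIENT = bytes(v for y in range(H) for x in range(W) for v in (x, y, 0))
# Constructed "stego" sample: a SHA-256 chain stands in for an encrypted module hidden
# in the pixel array (no real malware bytes are involved).
CIPHERTEXT = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(W * H * 3 // 32))
BENIGN_BMP = build_bmp(W, H, GRADIENT)
STEGO_BMP = build_bmp(W, H, CIPHERTEXT)
APPENDED_BMP = BENIGN_BMP + b"constructed-trailing-payload"  # data appended past the pixel array

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_BMP), ("stego", STEGO_BMP), ("appended", APPENDED_BMP)):
        print(name, triage_bmp(blob))
```

A real picture stored as an uncompressed bitmap has structure, so its entropy stays well under 8 bits per byte, whereas an encrypted module hidden in the pixel array does not; the same check is worth running on any bitmap dropped by a self-extracting archive.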
These include searching for documents with specific extensions in specific directories. MontysThree is designed to specifically target Microsoft and Adobe Acrobat documents.
It can also take screenshots and capture the “fingerprint” of the target – that is, gather information about network settings, host names, etc. – to see if it is of interest to attackers.
The collected information and other communications with the control server are then hosted on public cloud services such as Google, Microsoft and Dropbox.
This makes the traffic difficult to flag as malicious, and because no antivirus blocks these services, it ensures that the control server can issue commands without interruption.
MontysThree also uses a simple method to get persistence on the infected system – a modifier for Windows Quick Launch.
Unbeknownst to them, users launch the malware's initial module themselves every time they run a legitimate application, such as a browser, from the Quick Launch toolbar.
Kaspersky did not find similarities to other known APTs in either the malicious code or the infrastructure.
“MontysThree is interesting not only because it targets industrial systems, but also because of the combination of sophisticated TTPs with some ‘amateur’-level ones.
In general, sophistication varies from module to module, but cannot be compared to the level used by the most advanced APTs.
However, it uses strong cryptographic standards and does incorporate some interesting technical decisions, including custom steganography.
Perhaps the most important aspect is that the attackers have made significant efforts to develop the MontysThree toolkit, suggesting that they are determined in their goals – and that this will not be a short-lived campaign,” said Denis Legezo, senior security researcher at Kaspersky's Global Research and Analysis Team (GReAT).
Kaspersky experts recommend several protective measures against such cyber attacks, including training cybersecurity staff and providing access to threat information and to solutions for detecting, investigating and remediating cyber incidents.