Kaspersky Lab detects cyber espionage campaign against industrial enterprises

Ekaterina Alexandrova | 09.10.2020

Kaspersky Lab has detected MontysThree, a set of malicious modules that has existed since at least 2018 and is designed to target industrial enterprises.

It uses techniques to help avoid detection, including communicating with the command and control server via public clouds and steganography.

MontysThree consists of four modules. The attack begins with the loader, distributed via phishing in self-extracting archives. The file names in these archives may relate to employee contact lists, technical documents, or medical test results. The loader decrypts the main malicious module from a steganographically encoded bitmap using a specially developed algorithm.

The main malicious module uses several encryption algorithms to avoid detection, mainly RSA for communication with the control server and for decrypting configuration data. This XML-based data describes the malware’s tasks: searching for documents with specified extensions, in specified directories, and on removable media. This information revealed that MontysThree operators are interested in Microsoft Office and Adobe Acrobat documents.

In addition, the modules can take screenshots of the desktop and determine whether a victim is of interest to the operators by analyzing its network and local settings, among other functions. The information found is encrypted and transferred to public cloud services (Google Drive, Microsoft OneDrive, Dropbox), through which new files are also received.

MontysThree also uses a simple method of persisting on an infected system: the Windows Quick Launch toolbar. Users unknowingly launch the primary malware module every time they open legitimate applications, such as browsers, from this panel.
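A defender's check for the Quick Launch persistence described above, as an added example that is not taken from Kaspersky Lab's analysis: it lists the current user's Quick Launch shortcuts and flags those that merit manual review. The folder path, the trusted-directory list and the review criteria are assumptions to adapt to your environment.

```powershell
# Added example: audit Quick Launch shortcuts for the current user.
# Assumptions (not from the article): the default Quick Launch location and
# the trusted directory list below. -Recurse also covers subfolders such as
# the pinned taskbar shortcuts.
$quickLaunch  = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') + '\' }   # trailing slash avoids prefix look-alikes

$shell = New-Object -ComObject WScript.Shell

$report = Get-ChildItem -Path $quickLaunch -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk     = $shell.CreateShortcut($_.FullName)
        $target  = $lnk.TargetPath
        $reasons = @()

        if (-not $target) {
            $reasons += 'no file target (shell item or unresolved)'
        } else {
            $inTrusted = $false
            foreach ($root in $trustedRoots) {
                if ($target.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
            }
            if (-not $inTrusted) { $reasons += 'target outside trusted directories' }

            if (Test-Path -LiteralPath $target) {
                $sig = Get-AuthenticodeSignature -LiteralPath $target
                if ($sig.Status -ne 'Valid') { $reasons += "signature status: $($sig.Status)" }
            } else {
                $reasons += 'target file missing'
            }
        }
        if ($lnk.Arguments) { $reasons += 'shortcut passes arguments' }

        [pscustomobject]@{
            Shortcut  = $_.FullName
            Target    = $target
            Arguments = $lnk.Arguments
            Modified  = $_.LastWriteTime
            Review    = ($reasons -join '; ')
        }
    }

# Show only shortcuts with at least one review reason, most recently changed first.
$report | Where-Object Review | Sort-Object Modified -Descending | Format-List
```

A flagged shortcut is a prompt for review, not a verdict: legitimate per-user installs also live outside the trusted directories.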

The experts did not find any similarities between this malicious code and other targeted campaigns.

“Attacks using MontysThree tools stand out not only for targeting industrial enterprises (although not unique, they are not the most popular targets for targeted attacks), but also for their combination of advanced and amateur tactics and methods. The level of technical solutions in this set of tools varies markedly. MontysThree developers use modern secure cryptographic standards and customized steganography. The level of development is not as high as that of large APT players, but the authors have invested a lot of effort in creating this set of tools and continue to develop it, so we assume that they have well-defined goals and this campaign is not short-term,” comments Denis Legezo, Senior Cybersecurity Expert at Kaspersky Lab.
