The Kaspersky Lab Global Research and Analysis Team (GReAT) has discovered several infections from a previously unknown Trojan, which is most likely related to the infamous Chinese-speaking threat actor – LuckyMouse.

 

The most peculiar trait of this malware is its hand-picked driver, signed with a legitimate digital certificate, which has been issued by a company developing information security-related software.

 

The LuckyMouse group is known for highly targeted cyberattacks on large entities around the world. The group’s activity poses a danger to whole regions, including South-Eastern and Central Asia, as their attacks seem to have a political agenda.

Judging by victim profiles and the group’s previous attack vectors, Kaspersky Lab researchers think that the Trojan they’ve detected might have been used for nation-state backed cyber-espionage.

The Trojan discovered by Kaspersky Lab experts infected a target computer via a driver built by the threat actors. This allowed the attackers to execute all common tasks such as command execution, downloading and uploading files, and intercepting network traffic.

 

The driver turned out to be the most interesting part of this campaign. To make it trustworthy, the group apparently stole a digital certificate belonging to an information security-related software developer and used it to sign malware samples. This was done in an attempt to avoid detection by security solutions, as a legitimate signature makes the malware look like legitimate software.

 

Another noteworthy feature of the driver is that, despite LuckyMouse’s ability to create its own malicious software, the software used in the attack appeared to be a combination of publicly available code samples from public repositories and custom malware.

Such simple adoption of ready-to-use third-party code, instead of writing original code, saves the developers time and makes attribution more difficult.

 

“When a new LuckyMouse campaign appears, it’s almost always around the same time as the leadup to a high-profile political event, and the timing of an attack usually precedes world leader summits. The actor isn’t too worried about attribution – because they are now implementing third-party code samples into their programs, it’s not time-consuming for them to add another layer to their droppers, or to develop a modification for the malware and still remain untraced,” notes Denis Legezo, Security Researcher at Kaspersky Lab.

 

Kaspersky Lab has previously reported on the LuckyMouse actor attacking a national data center to organize a country-level waterholing campaign.

 

How to protect yourself:

  • Do not automatically trust the code running on your systems. Digital certificates do not guarantee the absence of backdoors.
  • Use a robust security solution, equipped with malicious-behavior detection technologies that enable even previously unknown threats to be caught.
  • Subscribe your organization’s security team to a high quality threat intelligence reporting service in order to get early access to information on the most recent developments in the tactics, techniques and procedures of sophisticated threat actors.
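The stolen-certificate driver described above and the first protection point (a valid signature is not proof of trustworthiness) both come down to the same defensive check: knowing which signers you actually expect on your kernel drivers and whether their certificates still chain cleanly with revocation checked. The following PowerShell is an added example, not code from Kaspersky Lab or from the report; the `$ApprovedSigners` list is a placeholder assumption that each organisation must fill from its own baseline.

```powershell
# Inventory running kernel drivers, verify their Authenticode signatures, and report
# any driver whose signer is not on the local allowlist or whose certificate chain
# fails (including a revoked signing certificate, as a stolen one should become).
# Assumption: the allowlist below is a placeholder; build it from a known-good host.
$ApprovedSigners = @(
    'CN=Microsoft Windows',                                   # inbox drivers
    'CN=Microsoft Windows Hardware Compatibility Publisher'   # WHQL-signed drivers
)

function Test-SignerChain {
    # Build the chain with online revocation checking over the whole chain.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $ok = $chain.Build($Cert)
    $notes = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    [pscustomobject]@{ Valid = $ok; Notes = $notes }
}

Get-CimInstance Win32_SystemDriver -Filter "State='Running'" | ForEach-Object {
    # WMI reports some paths with a \??\ or \SystemRoot\ prefix; normalise them.
    $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { return }

    $sig = Get-AuthenticodeSignature -FilePath $path
    $signer = '<unsigned>'; $chainOk = $false; $chainNotes = ''
    if ($sig.SignerCertificate) {
        $signer = $sig.SignerCertificate.Subject
        $chainInfo = Test-SignerChain $sig.SignerCertificate
        $chainOk = $chainInfo.Valid; $chainNotes = $chainInfo.Notes
    }
    $approved = $false
    foreach ($a in $ApprovedSigners) { if ($signer -like "$a*") { $approved = $true } }

    [pscustomobject]@{
        Driver     = $_.Name
        Path       = $path
        SigStatus  = $sig.Status
        Signer     = $signer
        ChainOK    = $chainOk
        ChainNotes = $chainNotes
        Approved   = $approved
    }
} | Where-Object { -not $_.Approved -or $_.SigStatus -ne 'Valid' -or -not $_.ChainOK } |
    Format-Table -AutoSize
```

Every row printed is a driver that is unsigned, signed by a certificate outside your baseline, or signed by a certificate whose chain no longer validates; a legitimately signed driver from an unexpected vendor still deserves a look, which is exactly the point the advice above makes.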

 

Read the full version on Securelist.com.
