Pierluigi Paganini
January 06, 2017
The APT MM Core malware has been in the wild since April 2013 when it was spotted for the first time by experts at FireEye.
The malware researchers dubbed the first release of the malware “TROJAN.APT.BANECHANT” (2.0-LNK), it is mainly a backdoor used by threat actors to steal information from the victims. The malware was used to target the governments of Middle East and Central Asia.
BaneChant detects multiple mouse clicks before starting its activity, this behavior was implemented in the attempt to evade sandboxes.
BaneChant callback also goes to a legitimate URL, the malware reaches a legitimate URL shortening service that then redirects the communication to the CnC server. In this way, the authors prevent security solutions from blacklisting the command and control (C&C) servers.
The malware requires an Internet connection for malicious code to be downloaded directly into the memory and executed.
A new version of the MM Core malware dubbed “StrangeLove, tracked as “2.1-LNK,” was discovered in June 2013 by researchers at Context Information Security. The news version was characterized by some modifications in the downloader component. Threat actors used StrangeLove to target entities in the Middle East.
Back to the present, experts from Forcepoint have detected two new versions of the MM Core malware dubbed BigBoss (2.2-LNK) and SillyGoose (2.3-LNK).
“Attacks using “BigBoss” appear likely to have occurred since mid-2015, whereas “SillyGoose” appears to have been distributed since September 2016. Both versions still appear to be active.” reads the reports published by Forcepoint.
The new variants infected users in the US and Africa, the experts observed that victims belong to multiple industries such as news and media, defense, oil and gas, and telecommunication.
Below the main functionalities implemented in the MM Core backdoor:
A novelty introduced in the last variant of the backdoor is that the downloader component leverages on the vulnerability the Microsoft Office Memory Corruption Vulnerability(CVE-2015-1641) to extract embedded malware.
In order to make harder the tracking of the C&C infrastructure, the threat actors are using WHOIS privacy protection services for their new C&C domains.
Crooks also signed the code of the downloader components with a valid authenticode certificate from Russian organisation “Bor Port,” the threat actors behind the APT malware likely has stolen it.
Forcepoint pointed out that while the number of MM Core samples is low, it has noticed that the Trojan’s downloader shares code, techniques and infrastructure with Gratem, a more active downloader that has been around since at least 2014. Recent samples have also been found to share the same certificates.
Experts believe the MM Core APT malware is just a part of a larger cyber espionage operation on which they are still investigating. They linked the malware to another trojan dubbed Gratem:
“On the other hand, while the volume of related MM Core samples remain low, we noticed that the MM Core downloader shares code, techniques and network infrastructure with a trojan called which has been distributed since at least 2014.” states the report.
“Gratem”, as well as sharing the same authenticode certificate for recent samples. Gratem is a more active downloader malware family which has been distributed since at least 2014. Ultimately this suggests that MM Core may be a part of a larger operation that is yet to be fully uncovered.
Give a look at the report for further details, including the Indicators ofCompromise (IoCs)
[adrotate banner=”9″]
(Security Affairs – APT, ransomware, malware)
