Kaspersky: ‘MontysThree’ Uses Detection Evasion Techniques
A hacking group is taking aim at industrial targets in an ongoing cyberespionage campaign, Kaspersky reports.
The group, dubbed “MontysThree,” has been in operation since at least 2018, according to Kaspersky.
“Typically, we see targeted malware that is mostly going after governmental entities, diplomats and telecom operators, which are fruitful for state-sponsored actors,” Kaspersky reports. “Industrial espionage cases like MontysThree are far more rare.”
MontysThree uses several techniques to avoid detection, including steganography and the use of public cloud infrastructures, such as Google and Microsoft, for its command and control servers, according to Kaspersky.
The hacking group is primarily interested in stealing documents, such as Microsoft Word and Adobe Acrobat files, Kaspersky reports.
“They gather the recent documents as well as documents from removable drives, so we consider this case to be industrial cyberespionage,” Denis Legezo, a senior security researcher at Kaspersky, tells Information Security Media Group.
The Kaspersky researchers uncovered a toolset that the hacking group uses, called MT3, which has modules written in the C++ programming language.
The loader in the MT3 toolset is spread inside RAR self-extracting archives – Windows executables that unpack a proprietary archive format. The loader is delivered to potential victims through spear-phishing emails whose attachments are disguised as employee contact lists, technical papers or even medical documents, according to the Kaspersky report.
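A mail-gateway or sandbox triage step can catch the delivery shape described above before any user opens the attachment: a self-extracting RAR archive is a Windows PE executable with a RAR archive appended, so it begins with the `MZ` stub and contains the RAR signature, whatever document name it carries. The following Python is an added example, not code from the Kaspersky report or from the MT3 toolset; the magic values are public format constants, the sample attachments are constructed inline, and the finding strings are this example's own.

```python
import os
from typing import List

# Public, documented magic values for the container formats involved.
PE_MAGIC = b"MZ"             # DOS/PE stub: the outer shell of every Windows self-extracting archive
RAR_MAGIC = b"Rar!\x1a\x07"  # shared prefix of the RAR4 (...\x00) and RAR5 (...\x01\x00) signatures
DOCUMENT_MAGICS = {
    ".pdf": b"%PDF-",
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 compound file (legacy Office)
    ".docx": b"PK\x03\x04",                         # OOXML is a ZIP container
}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif"}


def triage_attachment(filename: str, blob: bytes) -> List[str]:
    """Return the findings for one attachment; an empty list means nothing was flagged."""
    findings = []
    name = filename.lower()
    stem, ext = os.path.splitext(name)
    inner_ext = os.path.splitext(stem)[1]

    # Naming trick: "contacts.pdf.exe" displays as a document when Explorer hides extensions.
    if ext in EXECUTABLE_EXTENSIONS and inner_ext in DOCUMENT_MAGICS:
        findings.append(f"double extension: {inner_ext} name on a {ext} file")

    if blob.startswith(PE_MAGIC):
        # Content is an executable regardless of what the name claims.
        if ext in DOCUMENT_MAGICS:
            findings.append(f"PE executable delivered with a {ext} extension")
        if RAR_MAGIC in blob:
            findings.append("self-extracting RAR archive: PE shell with an embedded RAR signature")
    elif ext in DOCUMENT_MAGICS and not blob.startswith(DOCUMENT_MAGICS[ext]):
        findings.append(f"content does not start with the expected {ext} header")
    return findings


# Constructed samples (not real MontysThree artifacts): a benign PDF, a minimal PE stub followed
# by a RAR5 signature (the on-disk shape of a self-extracting archive), and non-PDF bytes.
SAMPLE_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
SAMPLE_SFX = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 256 + b"Rar!\x1a\x07\x01\x00" + b"\x00" * 64
SAMPLE_FAKE_PDF = b"\x00\x01\x02 not a document at all"

if __name__ == "__main__":
    for name, data in [("employee_contacts.pdf", SAMPLE_PDF),
                       ("technical_paper.pdf.exe", SAMPLE_SFX),
                       ("medical_report.pdf", SAMPLE_SFX)]:
        print(name, "->", triage_attachment(name, data) or ["clean"])
```

A plain `setup.exe` that is a self-extracting archive still produces one finding, because the check is about file shape, not intent; treat the output as a reason to detonate or quarantine, and tune the extension tables to the document types your organisation actually exchanges.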
If a victim opens one of these files, the loader runs and retrieves the malicious code, which is hidden inside an image using steganography.
“The main malicious payload is disguised as a bitmap file. If the right command is inputted, the loader will use a custom-made algorithm to decrypt the content from the pixel array and run the malicious payload,” according to the report.
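The report does not publish the custom decryption algorithm, so a defender cannot decode the pixel array directly; what can be measured is whether a bitmap's pixel data looks like an image at all. Encrypted or compressed data packed into pixels has byte entropy close to 8 bits per byte, while drawn or photographic bitmaps sit noticeably lower. The following Python is an added example, not code from the Kaspersky report or the MT3 toolset: it parses the BMP headers, measures pixel-array entropy and checks for bytes beyond the declared image. The 7.5 bits/byte threshold is an assumption to tune against your own image corpus, and the three bitmaps are constructed in the block rather than taken from the campaign.

```python
import math
import random
import struct
from collections import Counter

# Heuristic threshold (assumption): drawn or photographic bitmaps rarely exceed ~7.5 bits/byte,
# while encrypted or compressed data packed into a pixel array sits close to 8.0.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_bmp(blob: bytes) -> dict:
    """Parse the BMP headers and return the measurements a stego-aware triage step looks at."""
    if len(blob) < 54 or blob[:2] != b"BM":
        raise ValueError("not a BMP file")
    declared_size = struct.unpack_from("<I", blob, 2)[0]
    pixel_offset = struct.unpack_from("<I", blob, 10)[0]
    width, height = struct.unpack_from("<ii", blob, 18)
    bpp = struct.unpack_from("<H", blob, 28)[0]
    row_size = ((width * bpp + 31) // 32) * 4   # rows are padded to 4-byte boundaries
    pixel_len = row_size * abs(height)          # negative height marks a top-down bitmap
    pixels = blob[pixel_offset:pixel_offset + pixel_len]
    return {
        "entropy": shannon_entropy(pixels),
        "trailing_bytes": max(0, len(blob) - (pixel_offset + pixel_len)),
        "size_mismatch": declared_size != len(blob),
    }


def looks_suspicious(report: dict) -> bool:
    """Flag a bitmap whose pixels look like ciphertext or that carries data past the image."""
    return (report["entropy"] >= ENTROPY_THRESHOLD
            or report["trailing_bytes"] > 0
            or report["size_mismatch"])


def build_bmp(width: int, height: int, pixel_bytes: bytes) -> bytes:
    """Assemble a minimal 24-bit BMP around a prepared pixel array (used only to construct samples)."""
    pixel_offset = 14 + 40
    header = b"BM" + struct.pack("<IHHI", pixel_offset + len(pixel_bytes), 0, 0, pixel_offset)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixel_bytes), 2835, 2835, 0, 0)
    return header + dib + pixel_bytes


# Constructed samples, not files from the campaign: a 64x64 grey gradient (pixel at column x is x,x,x),
# the same image with 200 stray bytes appended, and a 64x64 bitmap whose pixel array is pseudo-random
# bytes, the statistical shape an encrypted payload has once it is packed into pixels.
_W = _H = 64
CLEAN_SAMPLE = build_bmp(_W, _H, bytes(x for row in range(_H) for x in range(_W) for channel in range(3)))
TRAILER_SAMPLE = CLEAN_SAMPLE + b"\x00" * 200
_rng = random.Random(1234)
PAYLOAD_LIKE_SAMPLE = build_bmp(_W, _H, bytes(_rng.getrandbits(8) for _ in range(_W * _H * 3)))

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_SAMPLE), ("trailer", TRAILER_SAMPLE), ("payload-like", PAYLOAD_LIKE_SAMPLE)]:
        report = inspect_bmp(sample)
        print(f"{label:12s} entropy={report['entropy']:.3f} trailing={report['trailing_bytes']} "
              f"mismatch={report['size_mismatch']} suspicious={looks_suspicious(report)}")
```

The gradient scores exactly 6.0 bits/byte (64 equally frequent values), the random pixel array scores just under 8.0, and the trailer case is caught by the size checks even though its pixels are untouched. Heavily dithered or noisy images can approach the threshold, so run the measurement over a sample of known-good bitmaps from the environment before deploying it as an alert.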
The main payload uses several encryption techniques to evade detection, including RSA encryption of its communications with the command and control server hosted in the cloud.
Once installed on a device, the MT3 malware looks for specific Microsoft and Adobe documents. It also captures screenshots as well as information about network settings, host names and other data, according to the report.
“MontysThree also uses a simple method for gaining persistence on the infected system: a modifier for Windows Quick Launch,” Kaspersky says. “Users inadvertently run the initial module of the malware by themselves every time they run legitimate applications, such as browsers, when using the Quick Launch toolbar.”
Once the malware gathers documents, it exfiltrates the information to the command and control server hosted in the cloud, according to the report.
The Kaspersky report notes that the toolset used by the MontysThree hacking group does not overlap with known malware used by other APT groups.
But the researchers noticed that some of the code appears to have been developed by a Russian-speaking operator, and the toolset itself is designed to target Cyrillic-language versions of Windows. This likely means that the MontysThree group is focused on Russian targets.
“We didn’t register any cases in the U.S. Moreover, natural language-related attributes (like directories) show that the operators looked for Cyrillic localized Windows OS on the targets’ side,” Legezo says.