There is a new piece of malware based on one of the first tools used by a Chinese cyber-espionage group that targets manufacturers among other sectors, researchers said.
The attacker is known as APT15, Ke3chang, Mirage, Vixen Panda, Royal APT and Playful Dragon, and its tools are tracked by various cybersecurity companies as Mirage, BS2005, RoyalCLI, RoyalDNS, TidePool, BMW and MyWeb.
In addition to manufacturers, the group targets organizations in the defense, high tech, energy, government, aerospace, and other sectors.
“Following the recent hack of a US Navy contractor and theft of highly sensitive data on submarine warfare, we have found evidence of very recent activity by a group referred to as APT15, known for committing cyber espionage which is believed to be affiliated with the Chinese government,” said Jay Rosenberg, senior security researcher at Intezer, in a post. “The malware involved in this recent campaign, MirageFox, looks to be an upgraded version of a tool, a RAT believed to originate in 2012, known as Mirage.”
Intezer, a cybersecurity firm that specializes in recognizing code reuse, said it identified this new malware linked to APT15 based on YARA rules created for Mirage, the oldest tool used by the threat actor, and Reaver, another piece of malware previously
MirageFox, whose name comes from a string found in one of its components, shares code with both Mirage and Reaver. Researchers found similarities to the original Mirage malware, including in the code used for a remote shell and in the function for decrypting command and control (C&C) configuration data.
“MirageFox functions similarly to previous malware created by APT15, first collecting information about the computer like the username, CPU information, architecture, and so forth. Then it sends this information to the C&C, opens a backdoor, and sits waiting for commands from the C&C with functionality such as modifying files, launching processes, terminating itself, and more functionality typically seen in APT15’s RATs,” Rosenberg said.
The sample analyzed was compiled on June 8 and uploaded to VirusTotal one day later.
The malware appears to abuse a legitimate McAfee binary to load malicious processes through DLL hijacking. APT15 has been known to use DLL hijacking in its campaigns.
Intezer also found that a C&C server has an internal IP address.