In February of this year, SixLittleMonkeys, aka Microcin, an advanced persistent threat (APT) actor that conducts cyberespionage campaigns against government bodies and diplomatic entities, was found downloading a Trojan into a target’s system memory. Kaspersky researchers discovered that this last-stager (the final stage of an attack when the malicious payload has been downloaded and begins executing commands on the victim’s device) was utilising a new coding style – using an API-like (Application Programming Interface) architecture to simplify updates of the malware.
Kaspersky researchers discovered SixLittleMonkeys (aka Microcin) several years ago targeting government bodies with a backdoor. In addition, the group was able to mask its malicious activity by using steganography: a process by which data is sent in a concealed format so that no one is aware any has been downloaded or updated. This makes it harder for anti-virus products to detect the malicious payloads.
In February of this year, when SixLittleMonkeys was found engaged in active operations against a diplomatic entity, they were largely using the same toolset and style – steganography and library search order hijacking. However, they had made one major step forward: in the last-stager they were applying enterprise-style coding techniques.
APIs (Application Programming Interface) allow developers to build applications faster and easier, by creating building blocks for future programs so that code doesn’t have to be developed from scratch. In the case of malware, APIs add an additional layer of efficiency. Updates or changes can be made that much quicker.
SixLittleMonkeys’ last-stager’s exported API-like function utilises two callback parameters (functions to be called back at a later time): pointers to encryptor and logger functions. The former is in charge of encryption/decryption of the C2 (control server) communications and configuration data. The latter saves the malware’s history of operations into the file. With such an approach, it’s much easier for the authors to change the encryption algorithm or redirect the logger through a different communication channel.
Another new aspect of Microcin’s latest activity is the use of asynchronous work with sockets. The sockets in this case are the entities for network communications with the control server. Because they are asynchronous, one operation doesn’t block the other, meaning all commands are executed.
“This use of an enterprise-grade API-like programming style is something quite rarely found in malware – even for those involved in targeted campaigns. It demonstrates extensive experience in software development and signifies significant sophistication on the part of the actor. With such callbacks in their new network module, updating and supporting it is much easier,” comments Denis Legezo, Senior Security Researcher at Kaspersky.
To stay safe from attacks by APTs like SixLittleMonkeys, Kaspersky experts recommend:
· Provide your Security Operations Center (SOC) team with access to the latest threat intelligence, and stay up-to-date with new and emerging tools, techniques and tactics used by threat actors and cybercriminals.
· For endpoint level detection, investigation and timely remediation of incidents, implement EDR solutions, such as Kaspersky Endpoint Detection and Response.
· In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats at the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
· Provide your staff with basic cybersecurity hygiene training, as many targeted attacks start with phishing or other social engineering techniques. Conduct a simulated phishing attack to ensure that they know how to distinguish phishing emails.