In October 2015, the Israeli cyber-security firm enSilo discovered a remote access Trojan (RAT), dubbed Moker Trojan, inside the sensitive network of a customer. A RAT is not itself an APT; malware is the tool that supports an APT campaign. However, enSilo contends that this RAT is complex enough to suggest that it may have been developed and deployed by an emerging APT group. The quality of the code is high: it checks its return values, validates its pointers, handles its exceptions, and prevents buffer overflows. The malware also contains obfuscation measures to inhibit deconstruction and analysis attempts. Since the malware's signatures did not register on VirusTotal (a research tool for recognizing malware signatures), and because the malware contains features dissimilar to those of other campaigns, the security firm may have uncovered either a previously undiscovered malware campaign or a threat as it emerged.

Neither the identity of the malware's developer nor the infection vector is known. The malware targets Microsoft Windows hosts. The single sample discovered communicated with a domain that corresponded to an HTTP server in Montenegro. Based on the sample's efforts to communicate with its C2 infrastructure, enSilo postulates that the server is owned by the attacker, who hosts the C2 infrastructure on a Virtual Private Server (VPS) or a static IP rather than on a hacked domain or a shared hosting server.

In attacks against pharmaceutical companies, the attackers breached small regional offices and then slowly moved across the network to the main network. In late 2014, two natural resource organizations that specialize in gold and oil were compromised. In June 2015, a Central Asian global law firm was compromised and financial information and information about regional natural resources may have been targeted. This has led to speculation that the attackers may be focusing on information that is valuable in the commodities market. The behavior may also indicate direction from a third party client who is invested in the commodities market.

Moker Trojan is a RAT capable of seizing complete control of the victim system. It creates a new administrative user account and opens an RDP channel so that the adversary can remotely access the infected system; if the remote desktop service is disabled, the malware attempts to enable it as a background service. Moker Trojan establishes a persistent residence among the operating system files so that it appears to be a legitimate OS-level process with system-wide privileges and access to system settings. In operation, the malware injects its malicious code into legitimate system processes, in particular Explorer.exe, svchost.exe, and csrss.exe. To execute code without the user's consent and at higher privileges, Moker either infects a program that already runs at elevated privileges or exploits a flaw in the design of Windows to elevate the privileges of its DLL. In the latter case, Windows always loads certain DLLs from the system directory at elevated privileges; Moker therefore writes a file named "ActionQueue.dll" into the "sysprep" directory so that the malware always runs with elevated privileges. Afterward, the malware modifies sensitive system files and system security settings so that it remains undetected for as long as possible while retaining the broadest possible access to system files. The malware is capable of recording HTTP(S) traffic, taking screenshots, logging keystrokes, and exfiltrating files. It also lets the attacker use the infected machine as a proxy, similar to a SOCKS server, so that the adversary can navigate the local network.

The malware contains a hidden control panel module that allows the adversary to direct and access the malware without an active internet connection. Consequently, a malicious actor with a VPN connection and legitimate, stolen user credentials can operate the malware on infected air-gapped systems. The local access panel may have been an intentional feature added by the developer so that malicious activity would be mistaken for the activity of a legitimate employee who VPN'ed into the system. Alternatively, it could be a developer tool that was mistakenly left in the malware.
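The host-level behaviours described in the two paragraphs above (a new administrative account, Remote Desktop switched on, a DLL dropped into the sysprep directory, and a later remote logon with the new credentials over a VPN) are what a defender can hunt for in endpoint telemetry. The following Python is an added example, not code from enSilo's analysis: it runs a few such rules over constructed event records shaped like normalised Windows Security log entries and flags any host where at least two indicators coincide. Hostnames, user names, the full sysprep path and the source address are invented; the registry value `fDenyTSConnections` and logon type 10 (RemoteInteractive) are the standard Windows identifiers for RDP enablement and RDP logons, which the report itself does not name.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed sample telemetry, not data from the enSilo analysis. Each record is a
# normalised Windows host event: account creation (Security event 4720), group
# membership change (4732), a registry value write, a file write, and a logon (4624)
# with its logon type. Hostnames, user names, paths and addresses are invented.
EVENTS = [
    {"ts": 1, "host": "ws-finance-07", "kind": "user_created", "user": "svc_backup"},
    {"ts": 2, "host": "ws-finance-07", "kind": "group_member_added",
     "user": "svc_backup", "group": "Administrators"},
    {"ts": 3, "host": "ws-finance-07", "kind": "registry_set",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server",
     "value": "fDenyTSConnections", "data": 0},
    {"ts": 4, "host": "ws-finance-07", "kind": "file_write",
     "path": r"C:\Windows\System32\sysprep\ActionQueue.dll"},
    {"ts": 9, "host": "ws-finance-07", "kind": "logon",
     "user": "svc_backup", "logon_type": 10, "src": "10.8.0.23"},
    # A host where an administrator merely enabled RDP by policy: one indicator only.
    {"ts": 5, "host": "ws-hr-02", "kind": "registry_set",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server",
     "value": "fDenyTSConnections", "data": 0},
]


def host_indicators(events: List[dict]) -> Dict[str, List[str]]:
    """Return, per host, the Moker-style indicators observed, in time order."""
    by_host: Dict[str, List[dict]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)

    findings: Dict[str, List[str]] = {}
    for host, evs in by_host.items():
        # Accounts created on this host inside the window: later privilege and
        # logon events for these are far more suspicious than for old accounts.
        new_accounts = {e["user"] for e in evs if e["kind"] == "user_created"}
        hits: List[str] = []
        for e in evs:
            kind = e["kind"]
            if (kind == "group_member_added" and e.get("group") == "Administrators"
                    and e["user"] in new_accounts):
                hits.append(f"new account {e['user']} added to Administrators")
            elif (kind == "registry_set" and e.get("value") == "fDenyTSConnections"
                    and e.get("data") == 0):
                hits.append("Remote Desktop enabled (fDenyTSConnections set to 0)")
            elif (kind == "file_write"
                    and e["path"].lower().endswith(r"\sysprep\actionqueue.dll")):
                hits.append(f"DLL written into sysprep directory: {e['path']}")
            elif (kind == "logon" and e.get("logon_type") == 10
                    and e["user"] in new_accounts):
                hits.append(f"RemoteInteractive logon by new account {e['user']} "
                            f"from {e.get('src')}")
        findings[host] = hits
    return findings


def flag_hosts(events: List[dict], min_indicators: int = 2) -> List[str]:
    """Hosts showing at least min_indicators distinct Moker-style behaviours."""
    return sorted(h for h, hits in host_indicators(events).items()
                  if len(hits) >= min_indicators)


if __name__ == "__main__":
    for host, hits in host_indicators(EVENTS).items():
        print(host, "->", hits)
    print("flagged:", flag_hosts(EVENTS))
```

Requiring two coinciding indicators keeps the single, policy-driven RDP enablement on the second host out of the alert list while still catching the full sequence on the first; in a real pipeline the same rules would be fed from Security and Sysmon logs rather than the inline list.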

The malware features significant anti-analysis and anti-debugging techniques to inhibit deconstruction and investigation of its form and functionality. Moker Trojan bypasses or disables antivirus, renders Microsoft Windows user access controls ineffective, and confounds sandbox and virtual-machine analysis with encryption and multistage installation. The malware evades signature-based antivirus and network monitoring solutions by compressing its code. To defeat sandbox and virtual-machine analysis, Moker Trojan installs in two stages. The first-stage dropper contains no malicious code and only delivers the malware infrastructure. After installing successfully and validating that the infected environment is a legitimate target, the first dropper calls a C2 server or a local directory for the second-stage delivery. The second stage is the malicious payload, containing encrypted malware files and system monitoring tools. If the environment is confirmed as a legitimate target, the first-stage malware decrypts the payload and injects the malware into the victim's system processes. The malware also contains complex code and instructions that do nothing except deter deconstruction and analysis attempts.
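Compressed or encrypted payload bytes, such as the encrypted second stage described above, defeat signature matching but are easy to spot statistically, because their byte distribution is close to uniform. The following Python is an added triage check, not enSilo's tooling or anything from the Moker sample: it measures Shannon entropy over fixed windows of a file image and reports contiguous high-entropy regions. The sample bytes (a deterministic byte permutation standing in for an encrypted blob between two runs of plain filler), the 256-byte window and the 7.0-bit threshold are constructed assumptions.

```python
import math
from typing import List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def high_entropy_regions(data: bytes, window: int = 256,
                         threshold: float = 7.0) -> List[Tuple[int, int, float]]:
    """Scan fixed windows and merge adjacent windows whose entropy is >= threshold.

    Returns (start, end, peak_entropy) tuples. A compressed or encrypted stage
    embedded in an otherwise ordinary image shows up as one such region, while
    normal code and text sit well below the threshold.
    """
    regions: List[Tuple[int, int, float]] = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        ent = shannon_entropy(chunk)
        if ent < threshold:
            continue
        if regions and regions[-1][1] == off:
            # Extend the previous region when this window is contiguous with it.
            start, _, peak = regions[-1]
            regions[-1] = (start, off + len(chunk), max(peak, ent))
        else:
            regions.append((off, off + len(chunk), ent))
    return regions


# Constructed sample image, not a real dropper: 1 KiB of low-entropy filler that
# stands in for ordinary code, then 1 KiB imitating an encrypted blob (an affine
# byte permutation, so every 256-byte window is exactly uniform), then filler again.
FILLER = (b"mov eax, ebx ; nop ; ret\n" * 64)[:1024]
BLOB = bytes(((i * 97) + 13) & 0xFF for i in range(1024))
SAMPLE = FILLER + BLOB + FILLER


def triage(data: bytes) -> dict:
    """Summarise whether a sample appears to carry a packed or encrypted stage."""
    regions = high_entropy_regions(data)
    covered = sum(end - start for start, end, _ in regions)
    return {
        "overall_entropy": round(shannon_entropy(data), 2),
        "regions": regions,
        "packed_fraction": round(covered / len(data), 2) if data else 0.0,
        "suspect": covered > 0,
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

Whole-file entropy alone would understate the finding here, since two thirds of the image is plain filler; scanning by window localises the blob at offset 1024 to 2048, which is the region an analyst would carve out for decryption or unpacking. Legitimate compressed resources and signed installers also score high, so the check is a triage hint to be combined with the behavioural indicators, not a verdict on its own.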
