Tuesday, October 13, 2020, 15:00 PM (GMT + 7)
Kaspersky has not discovered any similarities between MontysThree and any previous targeted attacks.
Security researchers have just announced the discovery of targeted attacks against industrial corporations that began in 2018. The toolkit used for this purpose is called MT3 by its operators and MontysThree by Kaspersky. It uses a variety of techniques to avoid detection, including hiding its command-and-control traffic inside public cloud services and concealing a malicious module inside image data (steganography).
Hackers are targeting new targets with sophisticated tools. (Illustration)
Government agencies, diplomats and telecom carriers are the usual targets of targeted attacks (APTs), because these individuals and organizations typically handle and process politically sensitive and confidential information. Targeted espionage attacks against industrial facilities are less common; but like any other attack, they can have serious consequences for businesses, Kaspersky says.
To perform reconnaissance, MontysThree deploys a four-module malware program. Module 1, the Loader, is spread initially through RAR SFX files (self-extracting archives) posing as employee lists, technical documents and medical diagnostic results, to lure employees into opening them. The Loader is mainly responsible for ensuring the malicious code is not detected on the system.
Steganography is used to hide the fact that malicious data is present. In the case of MontysThree, the main malware module is disguised as a bitmap image file (a format for storing digital images). Given the correct command, the Loader uses a custom algorithm to decode the pixel data and run the malicious code.
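A bitmap that actually carries encrypted or packed code looks different from a real picture: an uncompressed BMP of a photo or a gradient has pixel bytes with a clear statistical structure, while ciphertext or packed code is close to random. The script below is an added example for this article, not Kaspersky's or the MontysThree operators' code; it builds two constructed 24-bit BMPs (a smooth gradient and a random "pixel" matrix), parses the BMP headers, and reports the triage findings a defender would want: header size mismatches, bytes appended after the pixel area, and near-random pixel entropy. The 7.5 bits/byte threshold is an assumption chosen for illustration.

```python
import math
import random
import struct
from collections import Counter

FILE_HEADER = "<2sIHHI"       # BITMAPFILEHEADER: magic, file size, 2x reserved, pixel offset
INFO_HEADER = "<IiiHHIIiiII"  # BITMAPINFOHEADER: 40 bytes, 24-bit uncompressed in this example


def build_bmp(width, height, rows):
    """Assemble a 24-bit uncompressed BMP from BGR row byte strings (constructed test data)."""
    stride = (width * 3 + 3) & ~3  # BMP rows are padded to a 4-byte boundary
    pixels = b"".join(row.ljust(stride, b"\x00") for row in rows)
    offset = struct.calcsize(FILE_HEADER) + struct.calcsize(INFO_HEADER)
    file_header = struct.pack(FILE_HEADER, b"BM", offset + len(pixels), 0, 0, offset)
    info_header = struct.pack(INFO_HEADER, 40, width, height, 1, 24, 0,
                              len(pixels), 2835, 2835, 0, 0)
    return file_header + info_header + pixels


def gradient_bmp(width=64, height=64):
    """A plausible picture: colour varies smoothly with x and y (constructed)."""
    rows = [bytes(v for x in range(width) for v in (x * 4 % 256, y * 4 % 256, 128))
            for y in range(height)]
    return build_bmp(width, height, rows)


def noisy_bmp(width=64, height=64, seed=1234):
    """A 'picture' whose pixel matrix is really random bytes, as a stego carrier would look (constructed)."""
    rng = random.Random(seed)
    rows = [bytes(rng.getrandbits(8) for _ in range(width * 3)) for _ in range(height)]
    return build_bmp(width, height, rows)


def shannon_entropy(blob):
    """Shannon entropy in bits per byte; 8.0 is uniform random, text is roughly 4-5."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def analyze_bmp(data, entropy_threshold=7.5):
    """Parse BMP headers and return structural and statistical findings for triage."""
    magic, declared_size, _, _, offset = struct.unpack_from(FILE_HEADER, data, 0)
    if magic != b"BM":
        raise ValueError("not a BMP file")
    (_, width, height, _, bpp, compression,
     _, _, _, _, _) = struct.unpack_from(INFO_HEADER, data, struct.calcsize(FILE_HEADER))
    stride = ((abs(width) * bpp + 31) // 32) * 4   # padded row length from the header values
    pixel_len = stride * abs(height)               # height may be negative (top-down bitmap)
    pixels = data[offset:offset + pixel_len]
    trailing = len(data) - (offset + pixel_len)
    entropy = shannon_entropy(pixels)

    findings = []
    if declared_size != len(data):
        findings.append(f"declared file size {declared_size} != actual {len(data)}")
    if compression != 0:
        findings.append(f"unexpected compression method {compression}")
    if trailing > 0:
        findings.append(f"{trailing} bytes appended after the pixel data")
    if entropy >= entropy_threshold:
        findings.append(f"pixel entropy {entropy:.2f} bits/byte is near random "
                        "(typical of ciphertext or packed code, not of a picture)")
    return {"width": width, "height": height, "bpp": bpp,
            "entropy": round(entropy, 2), "findings": findings}


if __name__ == "__main__":
    for label, blob in (("gradient", gradient_bmp()),
                        ("random pixels", noisy_bmp()),
                        ("gradient + appended data", gradient_bmp() + bytes(100))):
        print(label, analyze_bmp(blob))
```

The entropy check is a triage signal, not a verdict: a noisy photograph stored as an uncompressed BMP can also score high, and a module hidden with a low-density encoding (for example in the least significant bits only) barely moves the figure. The structural checks (declared size versus real size, data after the pixel area) are cheap and worth running on every image dropped by an installer or archive.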
The hacker group behind the scenes uses many anonymity techniques. (Illustration)
The attackers also use the RSA algorithm to encrypt the communication traffic with the control server and to decrypt the main tasks assigned to the malicious code. Those tasks include searching for documents with certain extensions in company-specific directories: MontysThree is designed to look for Microsoft Office and Adobe Acrobat documents. It can also take screenshots and collect information about network settings, hostnames and so on, to evaluate whether the target is attractive to the attackers.
The collected information is then transferred to cloud services such as Google, Microsoft or Dropbox. That makes the traffic hard to flag as malicious, because antivirus software does not block these services, and it ensures that the attackers' control server can keep issuing commands.
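Because the destinations are legitimate cloud services, reputation-based blocking does not help; what a defender can look at is the behaviour of the traffic, in particular whether a host talks to a storage API at machine-regular intervals. The script below is an added example, not Kaspersky's or the article's own code: it parses a few constructed proxy log lines, keeps only requests to an assumed watch list of cloud storage API hostnames, and flags a client/host pair whose inter-request gaps have a very low coefficient of variation (standard deviation divided by mean), which is how a beacon looks next to a person browsing. The log format, the host list and the thresholds are assumptions chosen for illustration.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Assumption: hostnames of cloud storage APIs worth watching (illustrative, not exhaustive).
CLOUD_STORAGE_HOSTS = {
    "api.dropboxapi.com", "content.dropboxapi.com",
    "www.googleapis.com", "graph.microsoft.com",
}

# Constructed log format: "<ISO timestamp> <client ip> <method> <host[:port]> <status> <bytes>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")

# Constructed sample: 10.0.0.5 polls Dropbox every ~5 minutes, 10.0.0.7 browses irregularly.
SAMPLE_LOG = """\
2020-10-13T09:00:00Z 10.0.0.5 CONNECT api.dropboxapi.com:443 200 1432
2020-10-13T09:00:05Z 10.0.0.7 CONNECT www.googleapis.com:443 200 8810
2020-10-13T09:00:09Z 10.0.0.7 CONNECT www.googleapis.com:443 200 512
2020-10-13T09:05:00Z 10.0.0.5 CONNECT api.dropboxapi.com:443 200 1440
2020-10-13T09:10:01Z 10.0.0.5 CONNECT api.dropboxapi.com:443 200 1431
2020-10-13T09:12:00Z 10.0.0.5 GET www.example.com:80 200 20411
2020-10-13T09:14:59Z 10.0.0.5 CONNECT api.dropboxapi.com:443 200 1437
2020-10-13T09:15:00Z 10.0.0.7 CONNECT www.googleapis.com:443 200 3300
2020-10-13T09:16:30Z 10.0.0.7 CONNECT www.googleapis.com:443 200 760
2020-10-13T09:20:00Z 10.0.0.5 CONNECT api.dropboxapi.com:443 200 1435
this line is malformed and must be skipped
2020-10-13T09:25:02Z 10.0.0.5 CONNECT api.dropboxapi.com:443 200 1439
2020-10-13T10:05:00Z 10.0.0.7 CONNECT www.googleapis.com:443 200 9120
2020-10-13T10:05:03Z 10.0.0.7 CONNECT www.googleapis.com:443 200 404
"""


def parse_line(line):
    """Return (timestamp, client, host, bytes) or None for lines that do not match the format."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    host = m.group(4).rsplit(":", 1)[0]  # drop the port from CONNECT targets
    return ts, m.group(2), host, int(m.group(6))


def find_beacons(log_text, min_requests=5, max_cv=0.1):
    """Flag client/host pairs that hit a cloud storage API at near-constant intervals."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, host, _ = parsed
        if host in CLOUD_STORAGE_HOSTS:
            series[(client, host)].append(ts)

    alerts = []
    for (client, host), stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap  # ~0 for a timer, large for a human
        if cv <= max_cv:
            alerts.append({"client": client, "host": host, "requests": len(stamps),
                           "mean_gap_s": round(mean_gap, 1), "cv": round(cv, 3)})
    return alerts


if __name__ == "__main__":
    for alert in find_beacons(SAMPLE_LOG):
        print("possible beacon:", alert)
```

Legitimate sync clients (the Dropbox or OneDrive desktop agents, for instance) also poll on timers, so in production this check is a starting point for baselining rather than an alert on its own: tie the flagged flows back to the originating process or user agent, and weigh them together with the volume of data uploaded, which for a reconnaissance tool that ships screenshots and document listings tends to be well above what a sync client sends from an idle folder.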
MontysThree also uses a simple method to maintain persistence on an infected system: the Windows Quick Launch toolbar. A shortcut placed there causes users to unknowingly run the initial malware module every time they launch a legitimate application from the Quick Launch toolbar.
Kaspersky has not discovered any similarities in the malware or in MontysThree's infrastructure to any previously known targeted attacks.