Security experts report that the LuckyMouse Hacking group has devised a new malicious threat which uses a highly advanced infiltration behavior pattern. This new LuckyMouse Trojan has the capability to infect high-profile networks and is considered a critical infection.
Luckymouse Trojan Attacks in the Past
The LuckyMouse hacking group and its main weapon called the LuckyMouse Trojan are a notorious criminal collective that is well-known for causing high-impact attack campaigns. One of the most recognizable attacks involving a previous iteration of LuckyMouse is the June 2018 attack. The group launched an attack against a national data center located in Central Asia. The security researchers discovered that the criminals were able to access the restricted network and its government resources.
A complex behavior pattern was observed which was able to bypass all security systems that were placed and configured to repel attacks. According to the reports released at the time following the infection the security experts showcase that it is not known which is the main infiltration mechanism. It is suspected that the attacks were through an infected document. The analysts were able to acquire documents that included scripts taking advantage of the CVE-2017-118822 vulnerability in Microsoft Office. It is believed that interaction with it has led to the deployment of the initial payload dropper. The advisory’s description reads the following:
Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka “Microsoft Office Memory Corruption Vulnerability”. This CVE ID is unique from CVE-2017-11884.
From there on several advanced stealth protection modules in order to hide the infection from any security services:
- A legitimate remote desktop service module which is used to load a malicious DLL.
- A DLL file which launches the LuckyMouse Trojan decompressor.
- The decompressor instance.
As a result the Trojan instance will be deployed to the infected hosts and hook up to system processes and individual applications. This allows the criminals to spy on the victims and also redirect the users to fake login pages, record keystrokes and mouse movement and etc. In this attack the analysts observed that the criminals were able to inject an URL which resulted in the delivery of malicious code.
The end result is that Chinese hackers were able to infiltrate a national data center, by all standards this is perceived as a critical risk.
Luckymouse Trojan Infection Techniques
We have received reports of a new LuckyMouse Trojan instance which appears to be a heavily modified version of former variants.
It is believed that the group originates from China, new evidence of this is the fact that the strains make use of security signatures of a Chinese company. It is a developer of information security software based in Shenzhen. The route of infection is a malicious NDISProxy. While there may be a legitimate software the hackers have created their own version by using the digital signatures hijacked from the company — both in their 32 and 64-bit versions. Upon discovery of the incident the analysts reported this to the company and CN-CERT.
It appears that the initial distribution of the LuckyMouse Trojan and its 32-bit version has started in the end of March 2018. It is believed that the hackers used already infected networks to propagate the threats.
There are several methods that the criminals can use to spread the virus files:
- Phishing Emails — The hackers can construct messages that pose as legitimate notifications from Internet services or sites that the receiving users might be using. The virus files may be directly attached or linked in the body contents.
- Payload Carriers — The malicious engine can be embedded in various forms such as documents (in a similar way to the previous attacks) or application installers. The LuckyMouse hackers can hijack the legitimate software installers of well-known applications that end users typically use: system utilities, creativity suites and productivity solutions. They can then be distributed onto the various sites, emails and other means.
- File-Sharing Networks — BitTorrent and other similar networks which are often used to spread pirate content can also be used by the hackers. They can deliver either the stand-alone virus files or the payload carriers.
- Scripts — The previous attacks used a complex infection pattern that ultimately depended on a final deployment script. The driver installation may be called by scripts that can be either integrated into various applications or services or linked through web pages. In some cases malicious behavior can be observed via ordinary elements such as redirects, banners, ads, pop-ups and etc.
- Web Browser Plugins — Malicious web browser plugins can be programmed by the hackers in order to spread the infection. They are usually made compatible with the most popular web browsers and are uploaded to the relevant repositories. They make use of fake user reviews and developer credentials along with an elaborate description in order to coerce the users into downloading them. Upon installation the victims will find out that their settings might be changed in order to redirect to a hacker-controlled site. The LuckyMouse Trojan will be installed automatically.
The Luckymouse Trojan Has an Advanced System Manipulation Engine
Upon installation of the infected NDIS driver the setup file will check the system and load the appropriate version — 32-bit or 64-bit. Just like regular installations the setup engine will log the steps in a logfile. When the signed driver is deployed to the system this will also register the virus code into the Windows Registry in encrypted form. The next step is the set up of corresponding autotart services — the LuckyMouse Trojan will be started automatically once the computer is turned. WARNING! in some cases it may disable access to the recovery menu.
The main goal is to infect the lsass.exe system process memory. This is the main process of the operating system that is responsible for enforcing the predefined security policy. It is responsible for several processes including the following: user verification, password changes, access tokens creation, modifications of the Windows security log and etc.
The malicious network driver will then set the communications channel to RDP port 3389 which allows the hackers to set up a secure connection to the compromised hosts. Malicious actions include the following:
- Download and Execution of Other Malware — The infected computers can be ordered into downloading and running any file chosen by the criminal controllers.
- Command Execution — The LuckyMouse Trojan can execute commands with both user and administrative privileges.
- Surveillance — The criminals can monitor the victims and spy on their activities at all times.
- Initiate Network Attacks — The LuckyMouse Trojan code can be used to spread the strains further. This can be done either automatically or by manually triggering penetration testing commands.
LuckyMouse Trojan Goals and Incidents
The security analysts have detected that the attacks carrying the LuckyMouse Trojan seem to primarily target Asian government institutions. The fact that the virus samples have been customized to follow this exact behavior pattern suggests that significant planning has been undertaken prior to the launch. There is no clear information about the intentions of the hackers however it is speculated that they may be politically motivated.
It is clear that that the criminal collective is highly experienced and that future campaigns and updated virus code is likely to happen. One of the worrisome facts is that all LuckyMouse attacks so far have been identified post-infection. This means that there has been a delay between the attacks and their identifications. As each version is updated with an even more advanced codebase the system administrators will need to be even more careful when overseeing their systems.