The APT15 hacking group which became well-known for its high profile attacks against US Military has developed a new dangerous malware tool called MirageFox. It is believed that it is an updated version of previously-released threats. A detailed technical analysis shows that it is capable of inflicting a lot of damage to the target computers.
The MirageFox Malware Is The Latest Weapon Used By the APT15 Hackers
The APT15 hacking group is one of the most well-known criminal organizations that is believed to be affiliated with the Chinese government. Over the years they have been spotted at attacking mainly high-profile government and military targets using sophisticated methods of infection. Other targets include multi-national companies in industries like oil and the like. A signature mechanism that they employ is that they target the installed applications on the workstation computers. Once the network has been breached they will use custom solutions in order to continue the attacks.
The MirageFox malware was discovered by a hybrid signature that appears to hold signatures of previous weapons used by he group. The security analysts note that the new tool is programmed in a way that avoids instant discovery. The detection ratings show that a majority of the security software cannot identify it as a virus signature.
A full analysis is not yet available as the analysts were not able to capture a complete sample of MirageFox’s code. The available snippets showcase how the threat will react once the initial infections are done. However details on how the exact mechanism works are not yet available.
MirageFox Malware Capabilities
The partial information that is available for MirageFox shows that it includes several properties allowing it to infect the targets on a deep level. The following infection tactics are confirmed in the captured strains:
- Process Hookup — The MirageFox can hook itself to either system or user-installed processes and services. This makes it very useful when harvesting sensitive data about the victims and their input data.
- Server Connection — The MirageFox malware can create a secure connection to a hacker-controlled server. This can be used to report the made infections, as well as spy on the victims in real-time. Using this module the hackers can obtain access to the victim machines. This mechanism is also useful for deploying additional threats to the hosts.
- Security Bypass — The MirageFox malware can be programmed to overcome security software that may interfere with it’s correct execution.
A further inspection over the captured samples shows that the reported hacker-controlled servers are found on internal network servers. This leads the experts to believe that either the virus has been specifically made against the targets or that the connection is being tunnelled through a VPN (virtual private network).
We anticipate that further reports about APT15’s operations will be available as the group is known to target companies and agencies using different tactics.