MontysThree threat actor targets Russian industrial organizations

A previously unknown threat actor, tracked as MontysThree, composed of Russian speaking members targets Russian industrial organizations.

Kaspersky Lab researchers spotted a new threat actor, tracked as MontysThree, composed of Russian speaking members targets Russian industrial organizations.

The MontysThree group used a toolset dubbed MT3 in highly targeted attacks with cyber espionage purposes. Researchers at Kaspersky will disclose technical details of the attacks on Thursday at Kaspersky’s second SAS@Home event.

“In summer 2020 we uncovered a previously unknown multi-module C++ toolset used in highly targeted industrial espionage attacks dating back to 2018. Initially the reason for our interest in this malware was its rarity, the obviously targeted nature of the campaign and the fact that there are no obvious similarities with already known campaigns at the level of code, infrastructure or TTPs.” reads a post published by Kaspersky. “To date, we consider this toolset and the actor behind it to be new. The malware authors named the toolset “MT3”; following this abbreviation we have named the toolset “MontysThree”.”

According to the experts, MontysThree has been active since at least 2018, but Kaspersky has not found any links between this group and other known advanced persistent threats (APTs).

The malware used by MontysThree actor has a modular structure, experts analyzed four modules written in C++, the loader, the kernel, HttpTransport, and LinkUpdate.

The loader allows to deliver the main payload, experts noticed that it is hidden inside a self-extracting RAR archive. In order to trick the victims into opening it, the archive references phone lists, medical test results or technical documentation in order to convince the employees of the targeted organization to download the file.

The loader hide the main payload inside a bitmap image fileuses, in order to evade detection and protect communication the main payload uses encryption to evade detection and protect C&C communications.

The malware allows operators to search for specific Microsoft Office and Adobe Acrobat documents and steal them, capture screenshots, and collect information on the compromised machine. The malware is able to store stolen data on major cloud services,inlcuding Google, Microsoft and Dropbox, this is a common technique to hide the malicious traffic.

The presence of many artifacts in the code of the malware suggests that its developers are Russian-speaking coders and that it is targeting Cyrillic Windows versions.

“MontysThree contains natural language artifacts of proper Russian language and configuration that seek directories that exist only on Cyrilic localised Windows versions.” continues the report. “While most external public cloud communications use token-based authorisation, some samples contain email-based accounts for them, which pretend to be a Chinese lookalike. We consider these names to be false flags.”

Kaspersky pointed out that the MontysThree ‘s campaign is not as sophisticated as the ones associeated with other threat actors in terms of spreading and persistence method.

Some aspects of the malware, such as logging in RAM and files at the same time, keeping the encryption keys in the same file, running an invisible browser on the remote RDP host, suggest that the the the developers are not professionals.

“Some aspects of the malware – logging in RAM and files at the same time, keeping the encryption keys in the same file, running an invisible browser on the remote RDP host – seem immature and amateurish in terms of malware development,“ Kaspersky concludes. “On the other hand, the amount of code and therefore effort invested, in MontysThree is significant. The toolset demonstrates some tech-savvy decisions: Storing 3DES key under RSA encryption, custom steganography to avoid IDS and the use of legitimate cloud storage providers to hide the C2 traffic.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, MontysThree)

[adrotate banner=”5″]

[adrotate banner=”13″]