Chinese LuckyMouse APT has been using a digitally signed network filtering driver in recent attacks

Pierluigi Paganini September 10, 2018

Security experts observed the LuckyMouse APT group using a digitally signed 32- and 64-bit network filtering driver NDISProxy in recent attacks.

Security experts from Kaspersky have observed the LuckyMouse APT group (aka Emissary Panda, APT27 and Threat Group 3390) using a digitally signed 32- and 64-bit network filtering driver NDISProxy in recent attacks.

The APT group has been active since at least 2010, the crew targeted U.S. defense contractors and financial services firms worldwide.

In March 2018, security experts at Kaspersky Lab have observed an attack powered by the Chinese APT group, the experts speculate the campaign was started in the fall of 2017. The attack hit a national data center in an unnamed country in Central Asia, according to Kaspersky, the hackers were preparing a watering hole attack. The hackers attempted to inject malicious JavaScript code into the government websites connected to the data center.

Over the past months, the group used the network filtering driver NDISProxy to inject a previously unknown Trojan into the lsass.exe system process memory.

Kaspersky reported that the driver is signed with a digital certificate that belongs to the Chinese company LeagSoft, experts immediately notified it to the firm.

“Since March 2018 we have discovered several infections where a previously unknown Trojan was injected into the lsass.exe system process memory. These implants were injected by the digitally signed 32- and 64-bit network filtering driver NDISProxy.” reads the analysis published by Kaspersky.

“Interestingly, this driver is signed with a digital certificate that belongs to Chinese company LeagSoft, a developer of information security software based in Shenzhen, Guangdong. We informed the company about the issue via CN-CERT.”

The cyberespionage campaign analyzed by Kaspersky targeted Middle Asian government entities immediately prior to the Central Asian high-level meeting. Attackers show a specific interest in the regional political agenda.

The malware is composed of the following three modules:

  • A custom C++ installer that decrypts and drops the driver file in the corresponding system directory then creates a Windows autorun service to obtain driver persistence and adds the encrypted in-memory Trojan to the system registry.
  • A network filtering driver (NDISProxy) that decrypts and injects the Trojan into memory and filters port 3389 (Remote Desktop Protocol, RDP) traffic in order to insert the Trojan’s C2 communications into it.
  • The final payload is written in C++, it is a Trojan acting as HTTPS server that works together with the driver. It waits passively for communications from its C2, with two possible communication channels via ports 3389 and 443.

These modules allow lateral movements of the threat but don’t allow them to communicate with an external Command and Control infrastructure if the new infected host only has a LAN IP. The operators leveraged an Earthworm SOCKS tunneler to connect the LAN of the infected host to the external C2. The modules also used the Scanline network scanner to find file shares (port 135, Server Message Block, SMB) used to spread malware with administrative passwords, compromised with keyloggers.


LuckyMouse filtering driver

The malware is distributed through already compromised networks instead of leveraging spear-phishing messages.

The dropper can install both 32-bit and 64-bit drivers, depending on the target, and keeps track of all the installation process.

The network filtering driver NDISProxy inject a RAT that can execute common tasks into the compromised system, including running commands and downloading/uploading files.

The Trojan is used by attackers to harvest data from compromised hosts, to make lateral movements and for establishing the connection to C&C through SOCKS tunnels.

“This campaign appears to demonstrate once again LuckyMouse’s interest in Central Asia and the political agenda surrounding the Shanghai Cooperation Organization.” concludes Kaspersky.

Further details including IoCs are reported in the analysis published by the experts.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – LuckyMouse, China)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment