Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



MasterMana Campaign Combines Stealth, Free Services and Old Malware

An ongoing cybercrime campaign that started as early as December 2018, has avoided widespread detection through a combination of stealth tactics and hiding in plain sight.

An ongoing cybercrime campaign that started as early as December 2018, has avoided widespread detection through a combination of stealth tactics and hiding in plain sight. Called MasterMana, the threat is sufficiently sophisticated to avoid automatic detections during infection, but not so sophisticated that it attracts the eye of the APT threat hunters.

Researchers at cyber intelligence firm Prevailion, who detected and named the campaign, avoid direct attribution to specific attacker groups. Nevertheless, they point to some similarities between MasterMana and the tactics, techniques, and procedures (TTPs) of the Gorgon Group, which is thought to originate in Pakistan. In 2018, Palo Alto’s Unit 42 research arm described the Gorgon Group as ‘slithering between nation state and cybercrime’. This is a reasonable description of the MasterMana campaign — the attackers likely have advanced capabilities, but have consciously chosen not to use them here.

In September, Prevailion disclosed a North Korean-linked summer campaign that it called Autumn Aperture targeting U.S. Entities.

MasterMana attacks start with phishing and an attached weaponized Office document. The samples found and reported by Prevailion use Excel, but references within the code suggest that the group might have also trojanized Word, PowerPoint and Publisher file formats. The phishing has to trick the victim into enabling macros. Once this is done, the VBS script reaches out to a Bitly link, which leads to an actor-controlled Blogspot (myownteammana[.]blogspot[.]com). The Microsoft macro highlights the actors’ stealth approach, while the Blogspot URL shows the ‘hiding in plain sight’ element of the attack.

The same Blogspot hostname was used by multiple campaigns within MasterMana, with each campaign correlating with different URLs. In just one mini-campaign from late July through September, the Bitly link statistics show the link was clicked by victims around the world approximately 1,500 times (for example, 161 times from China, 50 times from Australia, and 27 times from the UK). While the visited page looks benign, it contains further malicious JavaScript.

This JavaScript connects to a Pastebin URL and runs mishta.exe (obfuscated VBScript using string reversals and unnecessary concatenations to avoid detection). This script kills any running instances of Word, Excel, PowerPoint and Publisher. “Next,” say the researchers, “it would attempt to create scheduled tasks and modify a registry key to obtain the next payload.” A time delay on the scheduled task would seek to avoid sandbox detection. From the end of September, this process was modified to use three scheduled tasks set for six minutes, then five hours and then ten hours, attempting to ensure the registry instance would persist after a reboot.

Once created, the scheduled tasks and registry keys were populated with the contents of another Pastebin URL comprising another obfuscated PowerShell script. The purpose this time was to download a fully functional RAT. At first, this was Revenge Rat. From 15 September, this changed to Azorult. Although old, Azorult can be purchased from Russian forums at prices ranging up $100 and is cheap and effective. It is primarily geared toward stealing credentials from email accounts, messenger apps, and cryptocurrency wallets, and web cookies and browser history.

Advertisement. Scroll to continue reading.

It can also upload and download files from a hard-coded IP address (examples include hxxp://216.170.126[.]146/2ky/index.php and hxxp:// and take screenshots. It would be possible for the attacker to deploy additional malware such as cryptominers or ransomware.

Overall, the campaign is interesting in its combination of newer approaches such as stealth (macros and PowerShell), its use of third party websites such as Bitly, Blogspot and Pastebin (to appear less suspicious and make it easy to update/change the scripts), and old RAT malware. 

The third-party websites provide their own statistics, making it relatively easy for researchers to track the success of the campaigns. “For example,” say the researchers, “we observed that the URL that hosted the Revenge Rat sample had been viewed over 3300 times. This suggests that there are 3300 machines that were affected by this campaign.” But while the stealth and use of third-party websites seems to be successful, the use of old malware would likely ultimately fail against ‘victims’ with a mainstream and up-to-date anti-malware defense. 

The Prevailion researchers have two primary conclusions on the methodology used in MasterMana. Firstly, the cost to the threat actors is virtually non-existent, using the free services of third-party providers and an old and inexpensive malware. But secondly, this was all done as a conscious choice: “The campaign showed a very specific level of sophistication, tailored intentionally to evade detection.”

The researchers believe that this mix of evasion and low-tech methods account for the longevity of the campaign. Researchers in general tend to be looking for the latest bad malware — such as Emotet — rather than old malware such as Azorult. And although many infections will fail at the last hurdle of anti-malware detection, the low cost and large scale of the campaign nevertheless provides an effective ROI for the criminals.

“This campaign’s threat actors saw an opportunity and appear to have carved out a nice niche for themselves,” say the researchers.

Related: AZORult Variant Can Establish RDP Connections 

Related: Extensive ‘Living Off the Land’ Hides Stealthy Malware Campaign 

Related: Macro Malware Has Returned: Intel Security 

Related: Microsoft Blocks Risky Macros in Office 2016

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...