SecurityWeek

Cyberwarfare

“MM Core” APT Malware Now Targets United States

New versions of an advanced persistent threat (APT) malware first discovered several years ago have been found to target organizations in the Middle East, Central Asia, Africa and the United States.

The malware, dubbed “MM Core,” surfaced in April 2013, when FireEye researchers documented its unusual evasion features. The Trojan was designed to collect information about the infected computer and set up a backdoor for remote access.

The first version of the threat, labeled “2.0-LNK” and named by researchers “BaneChant,” was used to target organizations in the Middle East and Central Asia.

BaneChant attracted the attention of researchers because it waited for multiple mouse clicks before activating, an attempt to evade automated sandboxes, which typically generate little or no user input. The malware was also notable because it used URL shortening services to hide its command and control (C&C) servers from blacklisting, and because it loaded its malicious payload directly into memory, without writing it to disk, so that investigators could not recover it from the infected device’s hard drive.

By late June 2013, researchers at Context Information Security discovered a new variant of the MM Core malware. Labeled “2.1-LNK” and dubbed “StrangeLove,” the new version had roughly the same functionality, but its developers had made some changes to the downloader. This version was also used to target entities in the Middle East.

Researchers at Forcepoint have recently identified two new versions of the MM Core Trojan: BigBoss (2.2-LNK) and SillyGoose (2.3-LNK). Both of these versions are still actively used by the threat actor – BigBoss has been in use since mid-2015, while SillyGoose has been delivered to victims since September 2016.

According to Forcepoint, the new versions have been used to target Africa and the United States as well. The company says the attackers have focused on the news and media, government (defense), oil and gas, and telecommunications industries.

The latest variants of the malware have nearly the same backdoor code as BaneChant and StrangeLove, but they use different file names and mutexes. Another difference is in the downloader component, which now exploits a Microsoft Word vulnerability tracked as CVE-2015-1641 to drop and execute the malware; the first versions exploited CVE-2012-0158.


Forcepoint noticed that some of the downloader components were signed with a valid digital certificate issued to a Russian organization named Bor Port. Experts believe the certificate was most likely stolen, since it is unlikely that the attackers would sign malware with a certificate issued to their own organization.

In an effort to prevent researchers from tracking their infrastructure, the threat group behind MM Core has started using WHOIS privacy protection services for their new C&C domains.

Forcepoint pointed out that while the number of MM Core samples is low, it has noticed that the Trojan’s downloader shares code, techniques and infrastructure with Gratem, a more active downloader that has been around since at least 2014. Recent samples have also been found to share the same certificates.

“Ultimately this suggests that MM Core may be a part of a larger operation that is yet to be fully uncovered,” said Forcepoint’s Nicholas Griffin.
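The overlaps Forcepoint describes (a code-signing certificate and C&C infrastructure shared between MM Core and Gratem samples) are exactly what analysts pivot on to link otherwise separate families. The Python below is an added example of that pivoting, not Forcepoint’s tooling or any code from the campaign: every sample id, certificate thumbprint and domain in it is a constructed placeholder, and the family labels are assumed analyst annotations.

```python
"""Cluster malware samples by shared code-signing certificate and C&C domains.

Added illustration of indicator pivoting; all records are constructed
placeholders, not real hashes, certificates or infrastructure.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Sample:
    """One analysed sample. Field values are constructed placeholders."""
    sample_id: str                  # stands in for a file hash
    family: str                     # analyst's family label (assumed)
    cert_thumbprint: Optional[str]  # Authenticode signer thumbprint, None if unsigned
    c2_domains: FrozenSet[str]      # C&C domains recovered from the downloader


# Constructed dataset: ids, thumbprints and domains are invented for illustration.
SAMPLES: List[Sample] = [
    Sample("mmcore-1", "MM Core", "CERT-A-placeholder", frozenset({"c2-one.invalid"})),
    Sample("mmcore-2", "MM Core", None, frozenset({"c2-two.invalid"})),
    Sample("gratem-1", "Gratem", "CERT-A-placeholder", frozenset({"c2-three.invalid"})),
    Sample("gratem-2", "Gratem", None, frozenset({"c2-three.invalid", "c2-four.invalid"})),
    Sample("other-1", "Unrelated", "CERT-B-placeholder", frozenset({"c2-five.invalid"})),
]


def build_pivots(samples: List[Sample]) -> Dict[str, Set[str]]:
    """Map each pivot key to the sample ids that carry it.

    Keys are namespaced ('cert:' / 'c2:') so a thumbprint and a domain
    can never collide.
    """
    pivots: Dict[str, Set[str]] = defaultdict(set)
    for s in samples:
        if s.cert_thumbprint:
            pivots[f"cert:{s.cert_thumbprint}"].add(s.sample_id)
        for domain in s.c2_domains:
            pivots[f"c2:{domain}"].add(s.sample_id)
    return pivots


def cluster(samples: List[Sample]) -> List[FrozenSet[str]]:
    """Union-find: samples that share any pivot key end up in one cluster."""
    parent = {s.sample_id: s.sample_id for s in samples}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    for members in build_pivots(samples).values():
        ordered = sorted(members)
        for other in ordered[1:]:
            union(ordered[0], other)

    groups: Dict[str, Set[str]] = defaultdict(set)
    for s in samples:
        groups[find(s.sample_id)].add(s.sample_id)
    return [frozenset(g) for g in groups.values()]


def families_in_cluster(samples: List[Sample], members: FrozenSet[str]) -> Set[str]:
    """Family labels present in one cluster; more than one is the overlap worth a closer look."""
    return {s.family for s in samples if s.sample_id in members}


def shared_indicators(samples: List[Sample], family_a: str, family_b: str) -> Set[str]:
    """Pivot keys carried by at least one sample of each family (the direct links)."""
    by_id = {s.sample_id: s.family for s in samples}
    links = set()
    for key, ids in build_pivots(samples).items():
        families = {by_id[i] for i in ids}
        if family_a in families and family_b in families:
            links.add(key)
    return links


if __name__ == "__main__":
    for members in cluster(SAMPLES):
        print(sorted(members), "->", sorted(families_in_cluster(SAMPLES, members)))
    print("MM Core <-> Gratem links:", sorted(shared_indicators(SAMPLES, "MM Core", "Gratem")))
```

On the constructed data, the signed MM Core sample and the signed Gratem sample fall into one cluster through the shared certificate, and a second Gratem sample joins it through a shared C&C domain; the unsigned MM Core sample stays isolated because it shares nothing. A second cluster containing two families is the signal, not a conclusion: a stolen certificate can be sold on to unrelated actors, so every link still needs to be checked against code overlap before inferring a common operator.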


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
