“MM Core” APT Malware Now Targets United States

New versions of an advanced persistent threat (APT) malware first discovered several years ago have been found to target organizations in the Middle East, Central Asia, Africa and the United States.

The malware, dubbed “MM Core,” surfaced in April 2013, when FireEye researchers documented a Trojan with several noteworthy features. It was designed to collect information about the infected computer and set up a backdoor for remote access.

The first version of the threat, labeled “2.0-LNK” and named by researchers “BaneChant,” was used to target organizations in the Middle East and Central Asia.

BaneChant attracted the attention of researchers because it waited for multiple mouse clicks before executing its payload, a check intended to evade automated sandboxes, which typically run samples without any human interaction. The malware was also notable for routing its command and control (C&C) traffic through URL shortening services, so that the real C&C servers were not exposed to blacklisting, and for downloading its backdoor payload directly into memory rather than writing it to disk, leaving investigators no file to recover from the infected device’s hard drive.
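A practitioner’s counter to the shortener trick described above is to resolve the redirect chain hop by hop without downloading anything, and then block the hosts at the end of the chain rather than the shared shortener. The following is an added example written for this article; it is not FireEye’s, Forcepoint’s or the malware’s code. The shortener list is a constructed sample, the redirect map in the usage block is constructed, and the function names (`resolve_chain`, `blocklist_candidates`, `http_location_fetcher`) are introduced here. The fetch function is injected so the logic runs offline.

```python
"""Follow a URL-shortener redirect chain without fetching any payload, then
pick the hosts a blocklist should actually contain.

Added example for this article; not FireEye, Forcepoint or MM Core code.
SHORTENER_DOMAINS is a constructed list and every function name is introduced
here. The fetcher is injected so the resolution logic can be exercised offline.
"""
import urllib.error
import urllib.request
from typing import Callable, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Constructed list of public shorteners; a real deployment would use a feed.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly", "is.gd"}

# A fetcher maps a URL to the next URL in the chain, or None when no redirect.
Fetcher = Callable[[str], Optional[str]]


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def is_shortener(url: str) -> bool:
    return host_of(url) in SHORTENER_DOMAINS


def resolve_chain(url: str, fetch_location: Fetcher,
                  max_hops: int = 10) -> Tuple[List[str], str]:
    """Walk redirects one hop at a time. Returns (urls visited, status), where
    status is 'final' (no further redirect), 'loop' (a URL repeated) or
    'too_many_hops'. Nothing beyond the Location header is ever requested."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = fetch_location(chain[-1])
        if nxt is None:
            return chain, "final"
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "too_many_hops"


def blocklist_candidates(chain: List[str]) -> List[str]:
    """Hosts worth blocking: every non-shortener host in the chain, in order and
    de-duplicated. The shortener itself is shared infrastructure: blocking it is
    collateral damage, and the actor simply registers another short link."""
    out: List[str] = []
    for u in chain:
        h = host_of(u)
        if h and h not in SHORTENER_DOMAINS and h not in out:
            out.append(h)
    return out


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise on 3xx instead of silently following the redirect."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_location_fetcher(url: str, timeout: float = 5.0) -> Optional[str]:
    """Live fetcher: HEAD the URL and return the absolute Location target, or
    None when the response is not a redirect. Run only from an isolated host."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout):
            return None
    except urllib.error.HTTPError as e:
        if 300 <= e.code < 400 and e.headers.get("Location"):
            return urljoin(url, e.headers["Location"])
        return None


if __name__ == "__main__":
    # Constructed redirect map standing in for live shortener responses.
    fake = {
        "https://bit.ly/3abcXYZ": "https://tinyurl.com/y2k9abcd",
        "https://tinyurl.com/y2k9abcd": "http://stage.example.net/payload.bin",
    }
    chain, status = resolve_chain("https://bit.ly/3abcXYZ", fake.get)
    print(status, " -> ".join(chain))
    print("block:", blocklist_candidates(chain))
```

Passing `http_location_fetcher` instead of the dictionary turns this into a live resolver; the HEAD request never retrieves a payload body, but it does touch attacker infrastructure, so it belongs on an isolated analysis host, not an analyst workstation.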

By late June 2013, researchers at Context Information Security discovered a new variant of the MM Core malware. Labeled “2.1-LNK” and dubbed “StrangeLove,” the new version had roughly the same functionality, but its developers had made some changes to the downloader. This version was also used to target entities in the Middle East.

Researchers at Forcepoint have recently identified two new versions of the MM Core Trojan: BigBoss (2.2-LNK) and SillyGoose (2.3-LNK). Both of these versions are still actively used by the threat actor – BigBoss has been in use since mid-2015, while SillyGoose has been delivered to victims since September 2016.

According to Forcepoint, the new versions have also been used against organizations in Africa and the United States. The company says the attackers have focused on the news and media, government (defense), oil and gas, and telecommunications sectors.


The latest variants share nearly the same backdoor code as BaneChant and StrangeLove, but use different file names and mutex names. Another difference is in delivery: the downloader component is now dropped by a malicious document exploiting CVE-2015-1641, a Microsoft Word vulnerability, whereas the first versions exploited CVE-2012-0158. Patches for both flaws were available before the respective campaigns began, so the infection chain depends on unpatched Office installations.

Forcepoint noticed that some of the downloader components were signed with a valid digital certificate issued to a Russian organization named Bor Port. Experts believe the certificate was most likely stolen, since attackers are unlikely to sign malware with a certificate issued to their own organization. A valid signature attests only that the signer held the certificate’s private key; it says nothing about whether the signed file is benign.

To make its infrastructure harder to track, the group behind MM Core has started registering its new C&C domains behind WHOIS privacy protection services, which hide the registrant details researchers use to link domains to one another.

Forcepoint pointed out that while the number of MM Core samples is low, the Trojan’s downloader shares code, techniques and infrastructure with Gratem, a more active downloader that has been around since at least 2014. Recent samples of the two downloaders have also been signed with the same certificates.

“Ultimately this suggests that MM Core may be a part of a larger operation that is yet to be fully uncovered,” said Forcepoint’s Nicholas Griffin.

Related Reading: Users in Middle East Targeted in “Moonlight” Espionage Campaign

Related Reading: Windows Zero-Day Exploited by “FruityArmor” APT Group

Related Reading: Two APTs Used Same Zero-Day to Target Individuals in Europe

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
