New versions of an advanced persistent threat (APT) malware first discovered several years ago have been found to target organizations in the Middle East, Central Asia, Africa and the United States.
The malware, dubbed “MM Core,” surfaced in April 2013 when FireEye researchers analyzed a sample with several notable evasion features. The Trojan was designed to collect information about the infected computer and set up a backdoor for remote access.
The first version of the threat, labeled “2.0-LNK” and named by researchers “BaneChant,” was used to target organizations in the Middle East and Central Asia.
BaneChant attracted the attention of researchers because it waited for multiple mouse clicks before stepping into action, an attempt to evade automated sandboxes that run samples without user interaction. The malware was also interesting because it resolved its command and control (C&C) servers through URL shortening services, so that blacklisting the shortener link did not expose or block the real server, and it loaded its malicious payload directly into memory rather than writing it to disk, leaving investigators no copy to recover from the infected device’s hard drive.
By late June 2013, researchers at Context Information Security discovered a new variant of the MM Core malware. Labeled “2.1-LNK” and dubbed “StrangeLove,” the new version had roughly the same functionality, but its developers had made some changes to the downloader. This version was also used to target entities in the Middle East.
Researchers at Forcepoint have recently identified two new versions of the MM Core Trojan: BigBoss (2.2-LNK) and SillyGoose (2.3-LNK). Both of these versions are still actively used by the threat actor – BigBoss has been in use since mid-2015, while SillyGoose has been delivered to victims since September 2016.
According to Forcepoint, the new versions have been used to target Africa and the United States as well. The company says the attackers have focused on the news and media, government (defense), oil and gas, and telecommunications industries.
The latest variants of the malware have nearly the same backdoor code as BaneChant and StrangeLove, but they use different file names and mutexes, so detections keyed on the old artifacts will miss them. Another difference is in delivery: the downloader component is now dropped via a Microsoft Word vulnerability tracked as CVE-2015-1641, whereas the first versions exploited CVE-2012-0158.
Forcepoint noticed that some of the downloader components were signed with a valid digital certificate issued to a Russian organization named Bor Port. Experts believe the certificate was most likely stolen, since an attacker would be unlikely to sign malware with a certificate issued to their own organization. A valid signature lets the downloader pass checks that trust signed code, which is why the certificate itself becomes a useful indicator for tracking the campaign.
In an effort to prevent researchers from tracking their infrastructure, the threat group behind MM Core has started using WHOIS privacy protection services for their new C&C domains.
Forcepoint pointed out that while the number of MM Core samples is low, it has noticed that the Trojan’s downloader shares code, techniques and infrastructure with Gratem, a more active downloader that has been around since at least 2014. Recent samples have also been found to share the same certificates.
“Ultimately this suggests that MM Core may be a part of a larger operation that is yet to be fully uncovered,” said Forcepoint’s Nicholas Griffin.
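The overlap Forcepoint describes, with MM Core and Gratem downloaders sharing a signing certificate and C&C infrastructure, is found by pivoting on indicators across sample sets. The following is an added example, not code from Forcepoint or from either malware family: it indexes constructed sample metadata (placeholder hashes, serial numbers and domains, not real indicators) by signer name, certificate serial and C&C host, reports which indicators appear in more than one family, and groups families into clusters linked by any shared indicator.

```python
from collections import defaultdict

# Constructed sample metadata for illustration only. Hashes, certificate serial
# numbers and domains are placeholders, not indicators from the MM Core or
# Gratem reports; only the signer name "Bor Port" is taken from the article.
SAMPLES = [
    {"sha256": "aa11", "family": "MM Core", "variant": "BigBoss 2.2-LNK",
     "signer": "Bor Port", "cert_serial": "7c3e", "c2": "c2-one.example"},
    {"sha256": "bb22", "family": "MM Core", "variant": "SillyGoose 2.3-LNK",
     "signer": "Bor Port", "cert_serial": "7c3e", "c2": "c2-two.example"},
    {"sha256": "cc33", "family": "Gratem", "variant": None,
     "signer": "Bor Port", "cert_serial": "7c3e", "c2": "c2-two.example"},
    {"sha256": "dd44", "family": "Gratem", "variant": None,
     "signer": None, "cert_serial": None, "c2": "c2-three.example"},
    {"sha256": "ee55", "family": "Unrelated", "variant": None,
     "signer": "Some Other Co", "cert_serial": "0109", "c2": "c2-four.example"},
]

# Fields worth pivoting on: the signer's subject name, the certificate serial
# (distinguishes a reissued or homoglyph certificate from the stolen one) and
# the C&C host contacted by the downloader.
PIVOT_KEYS = ("signer", "cert_serial", "c2")


def index_indicators(samples):
    """Map each (key, value) indicator to the set of families observed using it."""
    families = defaultdict(set)
    for s in samples:
        for key in PIVOT_KEYS:
            value = s.get(key)
            if value:  # unsigned samples or missing fields contribute nothing
                families[(key, value)].add(s["family"])
    return families


def shared_indicators(samples):
    """Indicators seen in more than one family: the overlap worth investigating."""
    return {ind: sorted(fams) for ind, fams in index_indicators(samples).items()
            if len(fams) > 1}


def family_clusters(samples):
    """Union-find over families: two families join a cluster if they share any indicator."""
    parent = {s["family"]: s["family"] for s in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for fams in index_indicators(samples).values():
        fams = sorted(fams)
        for other in fams[1:]:
            parent[find(other)] = find(fams[0])

    clusters = defaultdict(list)
    for fam in parent:
        clusters[find(fam)].append(fam)
    return sorted(sorted(c) for c in clusters.values())


def samples_with(samples, key, value):
    """Pivot: every sample hash carrying a given indicator, e.g. one certificate serial."""
    return sorted(s["sha256"] for s in samples if s.get(key) == value)


if __name__ == "__main__":
    for ind, fams in sorted(shared_indicators(SAMPLES).items()):
        print(f"{ind[0]}={ind[1]!r} shared by {', '.join(fams)}")
    print("clusters:", family_clusters(SAMPLES))
    print("signed by Bor Port:", samples_with(SAMPLES, "signer", "Bor Port"))
```

Pivoting on the certificate serial rather than only the subject name matters in practice: subject names are easy to collide, while a matching serial (or thumbprint) ties samples to the same physical key. The same approach extends to mutexes, file names and WHOIS registrant fields, which is how the shared registrant data that privacy protection now hides would previously have linked the C&C domains.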