Rewterz Threat Alert – Agent Tesla and IcedID banking Trojan Malspam Campaigns
October 9, 2020
Severity
Medium
Analysis Summary
A previously unknown multi-module C++ toolset has been found in use in highly targeted industrial espionage attacks. The malware authors named the toolset “MT3”, from which the name “MontysThree” is derived. It consists of a set of C++ modules used for persistence, retrieving data from a bitmap via steganography, decrypting configuration tasks (taking screenshots, fingerprinting the target, retrieving files, etc.) and executing them, and communicating over major legitimate public cloud services such as Google, Microsoft and Dropbox. MontysThree is configured to search for specific Microsoft Office and Adobe Acrobat documents stored in the current user’s documents directories and on removable media.

The malware uses custom steganography and several encryption schemes: besides custom XOR-based encryption, the modules rely on 3DES and RSA for configuration decryption and communications. MontysThree contains natural-language artifacts of proper Russian, and its configuration seeks directories that exist only on Cyrillic-localised Windows versions. While most communications with the public cloud services use token-based authorisation, some samples contain email-based accounts for them that pretend to be Chinese lookalikes. Many further artifacts suggest that the malware was developed by a Russian-speaking actor and targets Cyrillic Windows versions.

The initial loader module is spread inside RAR self-extracting archives (SFX) with names relating to employee phone lists, technical documentation and medical test results. There are no lure documents, only PE files masquerading as .pdf or .doc files, but such titles are a typical spear-phishing trick: “corporate info update”, “medical analysis results”, “Tech task.pdf” and “invitro-106650152-1.pdf”. The last of these refers to the name of a prominent medical laboratory in Russia.
On execution, the SFX script calls the Open() function of the decompressed loader executable in the %TEMP% directory and then deletes it. This initial PE32 is the first loader module.
The overall campaign does not match top-tier APT actors in the sophistication of its spreading or persistence methods, and some aspects of the malware (logging to RAM and to files at the same time, keeping the encryption keys in the same file, running an invisible browser on the remote RDP host) look immature and amateurish in terms of malware development. On the other hand, the amount of code, and therefore effort, invested in MontysThree is significant, and the toolset shows some tech-savvy decisions: storing the 3DES key under RSA encryption, custom steganography to evade IDS, and the use of legitimate cloud storage providers to hide the C2 traffic.
Impact
- Detection Evasion
- Information Theft
- Data Exfiltration
Indicators of Compromise
Domain Name
- dl166-web-eticket[.]ru
- dl55-web-yachtbooking[.]xyz
- dl10-web-stock[.]ru
- dl16-web-eticket[.]ru
- autosport-club[.]tekcities[.]com
MD5
- 3afa43e1bc578460be002eb58fa7c2de
- da49fea229dd2dedab2b909f24fb24ab
SHA-256
- 81ff04b2ce933c7064c3aee78aa97d521752d966738c4e02dfba5755da7d3af9
- f16c2d97f9ec47121093db7caa02633e808a47a92b651e5a8dd82e3f74161de2
SHA1
- 5300d900a0eddeeba62593abf1cccc086aa0e128
- a5e9d0aaf2c846a099ef8a17aa488e759dd58e9b
Remediation
- Block the indicators above at their respective controls (DNS/proxy filtering for the domains, EDR/AV hash blocking for the file hashes).
- Do not download untrusted files from any source.
- Keep all systems and software updated to latest patched versions.
- Implement a strong password policy.
- Enable multi-factor authentication where possible.
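To turn the indicators above into a check that can be run against existing telemetry, the following Python script is an added example (not Rewterz code and not part of this alert). It refangs the defanged domains, matches DNS queries against them including subdomains, and matches MD5/SHA-1/SHA-256 digests from a file inventory against the hash list. The DNS log format, the client IPs and the file paths and digests in the sample data are constructed for illustration only.

```python
"""Match the MontysThree indicators from this alert against DNS and file-hash logs.

Added example: the indicators are copied from the alert; the log format,
client addresses and file inventory below are constructed sample data.
"""
import re
from typing import List, Optional, Tuple

# Indicators copied from the alert above (defanged with [.] as published).
DOMAIN_IOCS = {
    "dl166-web-eticket[.]ru",
    "dl55-web-yachtbooking[.]xyz",
    "dl10-web-stock[.]ru",
    "dl16-web-eticket[.]ru",
    "autosport-club[.]tekcities[.]com",
}
HASH_IOCS = {
    # MD5
    "3afa43e1bc578460be002eb58fa7c2de",
    "da49fea229dd2dedab2b909f24fb24ab",
    # SHA-256
    "81ff04b2ce933c7064c3aee78aa97d521752d966738c4e02dfba5755da7d3af9",
    "f16c2d97f9ec47121093db7caa02633e808a47a92b651e5a8dd82e3f74161de2",
    # SHA1
    "5300d900a0eddeeba62593abf1cccc086aa0e128",
    "a5e9d0aaf2c846a099ef8a17aa488e759dd58e9b",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its real form for matching."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


DOMAINS = {refang(d) for d in DOMAIN_IOCS}


def domain_matches(query: str) -> Optional[str]:
    """Return the matching IOC domain if the query is it or a subdomain of it."""
    q = query.lower().rstrip(".")  # normalise case and trailing root dot
    for d in DOMAINS:
        if q == d or q.endswith("." + d):
            return d
    return None


# Constructed sample DNS log lines (hypothetical format: timestamp client qname).
DNS_LOG = """\
2020-10-09T08:12:01Z 10.1.2.33 www.example.com
2020-10-09T08:12:05Z 10.1.2.33 dl16-web-eticket.ru
2020-10-09T08:13:10Z 10.1.2.41 cdn.autosport-club.tekcities.com
2020-10-09T08:14:00Z 10.1.2.41 eticket.ru
"""


def scan_dns(log: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, matched_ioc) for each query hitting an IOC domain."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        ts, client, qname = parts
        matched = domain_matches(qname)
        if matched:
            hits.append((ts, client, matched))
    return hits


# Constructed sample file inventory: (path, digest) as an EDR export might produce.
FILE_HASHES = [
    (r"C:\Users\ivan\AppData\Local\Temp\invitro-106650152-1.exe",
     "3AFA43E1BC578460BE002EB58FA7C2DE"),
    (r"C:\Windows\System32\notepad.exe", "0123456789abcdef0123456789abcdef"),
    (r"C:\Users\ivan\Downloads\Tech task.exe",
     "81ff04b2ce933c7064c3aee78aa97d521752d966738c4e02dfba5755da7d3af9"),
]

# Accept only well-formed MD5 (32), SHA-1 (40) or SHA-256 (64) hex digests.
HEX_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")


def scan_hashes(files) -> List[str]:
    """Return the paths whose MD5/SHA-1/SHA-256 appears in the alert's hash list."""
    hits = []
    for path, digest in files:
        h = digest.strip().lower()
        if HEX_RE.match(h) and h in HASH_IOCS:
            hits.append(path)
    return hits


if __name__ == "__main__":
    for hit in scan_dns(DNS_LOG):
        print("DNS hit:", hit)
    for path in scan_hashes(FILE_HASHES):
        print("hash hit:", path)
```

The subdomain check matters because the C2 hostnames listed here are registered domains; a query for a host underneath one of them should still alert. Hash matching is case-insensitive and restricted to well-formed digests so that stray EDR export columns cannot produce false matches.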