Attackers use RAT Mikroceen to attack Asian Government private data


The Remote access Trojan Mikroceen attacks with c2 server on the target systems to steal, move, and delete files

Researchers from ESET and Avast are researching on a Remote access Trojan(RAT) named Mikroceen, the RAT is being used for gaining remote access of the Asian government bodies and some private organizations. Mikroceen has also been tracked in the recent attacks against, telecommunications firms, and the gas industry.

Researchers also suggest that the RAT is likely to be exploited by the Advanced Persistent Threat (APT) group from China. The RAT has been tracked in campaigns against public and private entities since 2017.

What is Mikroceen RAT?

Mikroceen is basically used to implement a client-server model, purpose-built for cyberespionage. Once the Malware is inserted into the target system, custom tools are used to establish a connection with a command-and-control (C2) server. Mikroceen checks it is being run in a virtual environment, and is able to steal, move, and delete files; terminate and change processes and Windows services, maintain persistence, execute console commands, and send information back to the C2.

Mikroceen uses the same basic features as already described Palo Alto Networks about BYEBY. The grammar of commands is quite specific because each command is truncated to 6 letters and then base64 encoded. That results in an 8-letter incomprehensible word in the code. While in previous cases the encoding was straightforward, in the campaign in Central Asia there’s an additional unknown encryption layer added. The connection of the 8-letter words with the commands, in that case, was done by agreement on the code level.

said ESET in a study

Researchers also said, “A feature distinguishes Mikroceen from the legion of backdoors we have seen since previously.” that is a client cannot connect directly to a C2; instead, this connection is secured via a certificate, which is set by a password.

“The infected device can also be commanded by the C2 to act as a proxy or listen on a specific port on every network interface,” Avast says.

“The malware developers put great effort into the security and robustness of the connection with their victims and the operators managed to penetrate high-profile corporate networks. Moreover, they have a larger toolset of attack tools at their disposal and their projects are under constant development, mostly visible as variations in obfuscation.” ESET says.


About Author

Be Ready for the challenge

Notify of
Inline Feedbacks
View all comments