The backdoor — dubbed Mikroceen — has been tracked in campaigns against public and private entities since 2017. Mikroceen focuses on targets in Central Asia and has been recently tracked in attacks against government entities, telecommunications firms, and the gas industry.
The RAT and tools associated with the backdoor also appear to be connected to past attacks documented by Kaspersky, Palo Alto Networks, and Check Point. In those campaigns, Russian military personnel, the Belarusian government, and the Mongolian public sector were targeted.
The attack vector of the Mikroceen RAT in recent campaigns is unknown, but once the malware lands on a compromised machine, custom tools are used to establish a connection with a command-and-control (C2) server. The implant is linked to a bot with an unusual feature: an operator must authenticate by entering a password before they can control the client.
In addition, a client cannot connect directly to a C2; instead, this connection is secured via a certificate, a feature that the researchers say “distinguishes Mikroceen from the legion of backdoors we have seen since previously.”
ESET and Avast cannot verify the exact reason why the authentication measure has been implemented, beyond the idea that it may be a security control to prevent “botnet takeover, in case a competing actor or law enforcement seize their infrastructure.”
Mikroceen fingerprints the infected system, checks whether it is running in a virtual environment, and is able to steal, move, and delete files; terminate and alter processes and Windows services; maintain persistence; execute console commands; and send information back to the C2.
“The infected device can also be commanded by the C2 to act as a proxy or listen on a specific port on every network interface,” Avast says.
The basic command grammar is the same as that described in previous reports on the RAT: each command is truncated to six letters and then base64 encoded. In the new campaigns, however, an additional layer of encryption has been added on top.
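As an added illustration (not code from the original article or from the ESET/Avast report), the helper below recognises tokens that fit the documented grammar, a six-letter command word that has been base64 encoded, in a batch of captured strings. The command words used here are constructed placeholders, not real Mikroceen commands, and the assumption that command words are purely alphabetic is this example's own; in the new campaigns such tokens would only be visible after the additional encryption layer has been stripped.

```python
import base64
import binascii
import string

# Documented grammar: a command word is truncated to six letters, then base64 encoded.
COMMAND_LENGTH = 6
# Assumption of this example: command words contain letters only.
ALPHA = set(string.ascii_letters)


def encode_command(word: str) -> str:
    """Build a token in the documented grammar: truncate to six letters, base64 encode."""
    return base64.b64encode(word[:COMMAND_LENGTH].encode("ascii")).decode("ascii")


def decode_command_token(token: str):
    """Return the six-letter command if `token` fits the grammar, else None.

    validate=True makes the decoder reject stray characters and bad padding that a
    lenient decode would silently accept, which keeps false positives down.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) != COMMAND_LENGTH:
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if all(c in ALPHA for c in text) else None


def find_command_tokens(tokens):
    """Map each candidate string to its decoded command, keeping only matches."""
    found = {}
    for tok in tokens:
        cmd = decode_command_token(tok)
        if cmd is not None:
            found[tok] = cmd
    return found


# Constructed sample: two tokens in the grammar plus three that must not match
# (not base64, decodes to the wrong length, six bytes but contains digits).
SAMPLE_TOKENS = [
    encode_command("upload"),              # placeholder word -> "dXBsb2Fk"
    encode_command("listprocesses"),       # truncated to "listpr" -> "bGlzdHBy"
    "not base64!",
    base64.b64encode(b"ok").decode(),      # only two bytes once decoded
    base64.b64encode(b"ab12cd").decode(),  # right length, but digits present
]

if __name__ == "__main__":
    for token, cmd in find_command_tokens(SAMPLE_TOKENS).items():
        print(f"{token} -> {cmd}")
```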
Tools associated with Mikroceen have also revealed clues to its connection to a possible APT. These include Mimikatz, an open-source tool for extracting plaintext credentials, and Gh0st RAT, an old Trojan. In the latter case, however, bundling the malware appears redundant, as Mikroceen already provides the same functionality, if not more.
Previous reports have also noted the poor security measures implemented by the operators that fail to protect the RAT’s control panel. It seems this is still the case, as the researchers were able to get their hands on a version of the panel and also trace back the malware’s origin to the same bulletproof hosting network observed in the Vicious Panda campaign.
“The malware developers put great effort into the security and robustness of the connection with their victims and the operators managed to penetrate high-profile corporate networks,”