ESET teamed up with Avast to research a constantly evolving remote access tool (RAT) with the usual backdoor functionality, which ESET has dubbed Mikroceen, only to discover that it is being used in espionage attacks against government and business entities (from the telecom and gas industries) in Central Asia.
The attackers were able to gain long-term access to affected networks, manipulate files and take screenshots. Victims’ devices could execute various commands delivered remotely from command and control servers.
The researchers investigated the custom implementation of Mikroceen’s client-server model, purpose-built for cyberespionage. “The malware developers put great effort in securing the client-server connection with their victims. Their malware was leveraged ‘in the wild,’ as the operators managed to penetrate high-profile corporate networks. We also saw a larger attack toolset being used and constantly developed, which consisted mainly of variations in obfuscation techniques,” comments Peter Kálnai, who led the ESET arm of the joint research team.
Mikroceen is under constant development, and security researchers have seen it used with backdoor capabilities in various targeted operations since late 2017. Among the tools used by the attackers to move within the infiltrated networks, ESET and Avast researchers also identified Gh0st RAT, an older, yet infamous, RAT created around 2008. There are many similarities between Gh0st RAT and Mikroceen; the main shift between the two projects is that Mikroceen secures its connection with a certificate.