China-Linked APT15 developed a new version of MirageFox malware
The China-linked APT15 hacking group, also known as Ke3chang, Mirage, Vixen Panda, Royal APT and Playful Dragon, has recently developed a new version of its malware, built on hacking tools it has previously used outside China. The group's tools are among those most frequently intercepted by cybersecurity companies' products, including Mirage, BS2005, RoyalCLI, RoyalDNS, TidePool, BMW and MyWeb. Its targets are concentrated in the defense sector, high-tech fields, energy, government agencies, aviation and manufacturing.
The group's most recent attack took place in the United Kingdom last year and involved the NCC Group, which provides a large number of information services to the British government. The purpose of that attack was to obtain information from government and military departments. Later, when the NCC Group upgraded its network security, it discovered two new backdoor programs belonging to the group: RoyalCLI and RoyalDNS.
Another cybersecurity company, Intezer, discovered last week, using YARA rules, a new variant of the group's Mirage malware, which it named MirageFox, and found that MirageFox and the Reaver malware share code.
MirageFox works by first collecting information about the infected computer, such as the username, CPU information and system architecture, then transferring this information to a remote server, and then opening a backdoor on the host that waits for instructions from the remote server, such as modifying files or starting and stopping processes. It is still not known how MirageFox spreads. According to the evidence currently available, the malware abuses a legitimate McAfee binary to load its malicious code through DLL hijacking.
Researchers also noticed that the IP address of the remote server is an internal (intranet) address, from which it can be determined that the attack was directed against the organization's internal network: after using a VPN to access the organization's internal systems, the hackers obtained the relevant permissions. Hackers believed to be sponsored by China stole sensitive information from a US Navy contractor, and it is very likely that this attack was also related to the Chinese government.
Source: securityweek