Kaspersky discovers new and unknown Trojan, most likely linked to LuckyMouse Chinese group

Aurel Dragan 11/09/2018 | 14:44

Kaspersky Lab has discovered several infections with a previously unknown Trojan, most likely linked to the Chinese-speaking LuckyMouse group. The malware is notable because its driver is signed with a legitimate digital certificate issued to a company that develops information security software.

The LuckyMouse group is known for carefully targeted cyber attacks on large entities around the world. Its activity poses a threat to every region, including Southeast and Central Asia, and its attacks appear to be politically motivated. Judging by the victim profile and the group’s previous attack vectors, Kaspersky Lab researchers believe the Trojan they detected may have been used for state-level cyber-espionage.

The Trojan discovered by Kaspersky Lab experts infected one of the targeted computers with a driver built by the attackers. The driver gave them the ability to perform all the usual tasks: executing commands, downloading and uploading files, and intercepting network traffic.

The driver proved to be the most interesting part of this campaign. To make it credible, the group apparently stole a digital certificate belonging to an information security software developer and used it to sign malware samples. This was done in an attempt to evade detection by security solutions, since a legitimate signature makes malware appear to be legitimate software.

Another thing worth mentioning about the driver is that, although LuckyMouse is capable of creating its own malware, the attack software appears to be a combination of code samples available in public resources and custom malware. Using ready-made third-party code instead of writing original code saves the developers time and makes attribution more difficult.

“When a new LuckyMouse campaign occurs, it is almost always an important political event, and the moment of the attack usually precedes world leaders’ summits,” said Denis Legezo, security researcher at Kaspersky Lab. “The group does not worry too much about attribution issues, because now its members use external code samples in their program and have time to develop a new version of the malware without being traced to it.”

Kaspersky Lab has also published a report on the LuckyMouse group, which compromised a national data center to mount a watering hole campaign.

How to protect yourself:

  • Do not automatically trust code running on your own systems. A digital certificate does not guarantee the absence of a backdoor.
  • Use an effective security solution equipped with behavioral detection technologies, which can detect threats that were previously unknown.
  • Subscribe your security team to a good threat intelligence service so that you learn early about the latest tactics, techniques and procedures of sophisticated attacker groups.
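The first recommendation above, together with the stolen-certificate detail earlier in the article, is easiest to act on with a baseline audit: enumerate the kernel drivers a host is actually running, verify each one’s Authenticode signature, re-check the signer’s certificate chain for revocation, and compare the signer against an allowlist your own team maintains. The script below is an added example written for this page; it is not code from Kaspersky Lab or from the article. The function name `Get-DriverSignatureReport`, the placeholder thumbprint in `$ApprovedThumbprints`, and the heuristic of comparing the signer against the company name in the file’s version resource are all assumptions of this example. It uses only standard cmdlets (`Get-CimInstance`, `Get-AuthenticodeSignature`) and the .NET `X509Chain` class, and must run in an elevated PowerShell session on the Windows host being audited.

```powershell
# Added example (not from the article or Kaspersky Lab): audit the Authenticode
# signature of every running kernel driver and flag signers not on an allowlist.
function Get-DriverSignatureReport {
    param(
        # Thumbprints of signing certificates your organisation has explicitly approved.
        # The value below is a placeholder (assumption), not a real certificate.
        [string[]] $ApprovedThumbprints = @('0000000000000000000000000000000000000000')
    )

    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($drv in $drivers) {
        # Win32_SystemDriver reports paths in several forms; normalise to a real file path.
        $path = $drv.PathName -replace '^\\\?\?\\', ''           # \??\C:\...      -> C:\...
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot   # \SystemRoot\... -> C:\Windows\...
        if ($path -notmatch '^[A-Za-z]:\\') {                     # system32\drivers\x.sys (relative)
            $path = Join-Path $env:SystemRoot $path
        }
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = $sig.SignerCertificate
        $subject = $null; $thumb = $null; $revoked = $false

        if ($signer) {
            $subject = $signer.Subject
            $thumb   = $signer.Thumbprint

            # Re-validate the signer's chain with online revocation checking. A stolen
            # certificate that its issuer has since revoked can still show a "Valid"
            # signature status when the check is done offline, so ask the CA explicitly.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
            $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
            if (-not $chain.Build($signer)) {
                $revoked = [bool]($chain.ChainStatus | Where-Object { $_.Status.ToString() -match 'Revoked' })
            }
        }

        # The file's own version resource names a company; a signer from an unrelated
        # organisation (as in the case described above) is worth a second look.
        $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName

        $approved = ($sig.Status -eq 'Valid') -and $thumb -and
                    ($ApprovedThumbprints -contains $thumb) -and (-not $revoked)

        [pscustomobject]@{
            Driver     = $drv.Name
            Path       = $path
            Status     = $sig.Status        # Valid, NotSigned, HashMismatch, ...
            Signer     = $subject
            Thumbprint = $thumb
            Company    = $company
            Revoked    = $revoked
            Approved   = $approved
        }
    }
}

# Usage: list every running driver whose signer is not on the allowlist,
# unsigned and tampered files first.
Get-DriverSignatureReport | Where-Object { -not $_.Approved } |
    Sort-Object Status | Format-Table Driver, Status, Signer, Company, Revoked -AutoSize
```

On a fresh host almost every driver will be reported as not approved, because the default allowlist is a placeholder; the intended workflow is to run the report once on a known-good machine, review the signers, seed `$ApprovedThumbprints` from that baseline, and then treat any new signer, any `Revoked = True`, and any signer whose organisation does not match the file’s `Company` as a finding to investigate. A `Valid` status on its own is exactly the signal the article warns against trusting.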