Deconstructing Mikroceen: Researchers uncover spying backdoor attacking high-profile targets in Central Asia
ESET recently teamed up with Avast to research a widespread and constantly evolving remote access tool (RAT) with the usual backdoor functionality that ESET has dubbed Mikroceen. In the joint analysis, the researchers uncovered Mikroceen being used in espionage attacks against government and business entities (from the telecommunications and gas industries) in Central Asia.
The attackers were able to gain long-term access to affected networks, manipulate files and take screenshots. Victims’ devices could execute various commands delivered remotely from command and control servers.
The researchers investigated the custom implementation of Mikroceen’s client-server model, purpose-built for cyberespionage. “The malware developers put great effort in securing the client-server connection with their victims. Their malware was leveraged ‘in the wild,’ as the operators managed to penetrate high-profile corporate networks. We also saw a larger attack toolset being used and constantly developed, which consisted mainly of variations in obfuscation techniques,” comments Peter Kálnai, who led the ESET arm of the joint research team.
Mikroceen is under constant development, and security researchers have seen it used with backdoor capabilities in various targeted operations since late 2017. Among tools used by the attackers to move within the infiltrated networks, ESET and Avast researchers also identified Gh0st RAT, an older, yet infamous, RAT created around 2008. There are many similarities between Gh0st RAT and Mikroceen, with the main shift between the projects in securing the connection with a certificate.
For more technical details about Mikroceen, read the blog post “Mikroceen: Spying backdoor leveraged in high profile networks in Central Asia” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.