
MirageFox Malware

Researchers at Intezer have published their findings on the threat group APT15 (also known as Vixen Panda, Ke3chang, Royal APT, and Playful Dragon), which is running a new campaign using an updated version of an old tool. The tool in question, Mirage, has been observed in use by Chinese government-affiliated groups in the past.

This new version, MirageFox, appears to have been compiled on June 8, 2018. Once installed and running, the malware sends information about the infected system back to the CnC (Command and Control) server, including the username, CPU information and architecture, among other details. It then waits for commands from its CnC to execute. One interesting aspect of this campaign is that the CnC used has an internal IP address (192.168.0.107). Intezer reasoned that the organization's network had already been compromised and that the group was using a VPN to connect to the organization's internal network.

MirageFox is attributed to APT15 with high confidence, based on code and other similarities between the MirageFox binaries and the group's earlier tooling. Consistent with what is known about APT15, after infiltrating a target they conduct extensive reconnaissance, issue commands from the C&C manually, and customize their malware components to best suit the environment they have infected.

Read the full report here

Domains

buy.healthcare-internet.com (RoyalAPT C&C)

Duncan

Duncan is a technology professional with over 20 years of experience working in various IT roles. He has an interest in cyber security and a wide range of other skills in radio, electronics and telecommunications.
