{"id":28272,"date":"2020-10-08T06:22:11","date_gmt":"2020-10-08T10:22:11","guid":{"rendered":"https:\/\/www.kaspersky.com.au\/blog\/montysthree-industrial-cyberspy\/28272\/"},"modified":"2020-10-09T02:15:50","modified_gmt":"2020-10-08T15:15:50","slug":"montysthree-industrial-cyberspy","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/montysthree-industrial-cyberspy\/28272\/","title":{"rendered":"MontysThree: Industrial cyberspy"},"content":{"rendered":"<p>Our experts have found traces of activity of a new cybercriminal group that spies on industrial enterprises. The crooks are carrying out targeted attacks, using a tool that our researchers call MontysThree, looking for documents on victims\u2019 computers. The group appears to have been active since at least as far back as 2018.<\/p>\n<h2>How MontysThree infects computers<\/h2>\n<p>The cybercriminals use classic spear-phishing techniques to penetrate victims\u2019 computers, sending e-mails containing executable files that look like documents in .pdf or .doc format to employees of industrial enterprises. Such files are typically named \u201cCorporate data update,\u201d \u201cTechnical specification,\u201d \u201cList of employee phone numbers 2019,\u201d and the like. In some cases, the attackers try to make the files look like medical documents, with names like \u201cMedical analysis results\u201d or \u201cInvitro-106650152-1.pdf\u201d (Invitro is one of the largest Russian medical labs).<\/p>\n<h2>What the attackers want<\/h2>\n<p>MontysThree preys on specific documents in Microsoft Office and Adobe Acrobat formats located in various directories and on connected media. 
After infection, the malware profiles the victim\u2019s computer, sending the system version, a list of processes, and desktop snapshots to its <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/command-and-control-server-cc\/\" target=\"_blank\" rel=\"noopener\">C&amp;C server<\/a>, as well as lists of recently opened documents with the extensions .doc, .docx, .xls, .xlsx, .rtf, .pdf, .odt, .psw, and .pwd in the USERPROFILE and APPDATA directories.<\/p>\n<h2>What else MontysThree can do<\/h2>\n<p>The authors implemented several rather unusual mechanisms in their malware. For example, after infection, the downloader module extracts and decodes the main module, which is encrypted in a picture using <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/steganofraphy\/\" target=\"_blank\" rel=\"noopener\">steganography<\/a>. Our experts believe that the attackers wrote the steganography algorithm from scratch rather than simply copying it from open-source samples, as is most commonly the case.<\/p>\n<p>The malware communicates with the C&amp;C server using public cloud services such as Google, Microsoft, and Dropbox, as well as WebDAV. In addition, the communications module can make requests through RDP and Citrix. What\u2019s more, the malware creators did not embed any communication protocols in their code; instead, MontysThree uses legitimate programs (RDP, Citrix clients, Internet Explorer).<\/p>\n<p>To keep the malware on the victim\u2019s system as long as possible, an auxiliary module modifies the shortcuts on the Windows Quick Launch panel, so that when the user launches a shortcut (for example, to a browser), the MontysThree loader module is executed at the same time.<\/p>\n<h2>Who are the attackers?<\/h2>\n<p>Our experts see no signs linking MontysThree\u2019s creators to past attacks. By all appearances, it is a completely new cybercriminal group, and judging by pieces of text in the code, the authors\u2019 native language is Russian. 
Likewise, their main targets are most likely Russian-speaking companies; some of the directories the malware rummages through exist only in the Cyrillic version of the system. Although our experts also found account details for communications services that hint at a Chinese origin, they believe those are false flags meant to obfuscate the attackers\u2019 tracks.<\/p>\n<p>A <a href=\"https:\/\/securelist.com\/montysthree-industrial-espionage\/98972\/\" target=\"_blank\" rel=\"noopener\">detailed technical description of MontysThree, together with indicators of compromise<\/a>, is available in our post on the Securelist website.<\/p>\n<h2>What to do<\/h2>\n<p>For a start, convey to all employees once again that targeted attacks most often begin with an e-mail, so they need to be extremely careful when opening files, especially ones they were not expecting. To make doubly sure they understand why they need to stay alert, we recommend not only explaining the dangers of such behavior, but also fostering skills in countering modern cyberthreats using the <a href=\"https:\/\/k-asap.com\/en\/?icid=au_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">Kaspersky Automated Security Awareness Platform<\/a>.<\/p>\n<p>Moreover, to protect against sophisticated targeted attacks, use <a href=\"https:\/\/www.kaspersky.com.au\/enterprise-security\/threat-management-defense-solution?icid=au_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____tmd___\" target=\"_blank\" rel=\"noopener\">integrated security solutions<\/a> that combine workstation protection, EDR capabilities, and additional tools for analyzing and defeating attacks.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cybercriminals are using steganography to hide their code and seek industrial 
data.<\/p>\n","protected":false},"author":2581,"featured_media":28273,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,2993],"tags":[499,729,2432,337,3287,3360,333],"class_list":{"0":"post-28272","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-apt","10":"tag-espionage","11":"tag-industrial-security","12":"tag-sas","13":"tag-sas-2020","14":"tag-sashome","15":"tag-security-analyst-summit"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/montysthree-industrial-cyberspy\/28272\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/montysthree-industrial-cyberspy\/21976\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/montysthree-industrial-cyberspy\/17454\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/montysthree-industrial-cyberspy\/23423\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/montysthree-industrial-cyberspy\/21611\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/montysthree-industrial-cyberspy\/20265\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/montysthree-industrial-cyberspy\/24049\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/montysthree-industrial-cyberspy\/23048\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/montysthree-industrial-cyberspy\/8903\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/montysthree-industrial-cyberspy\/37263\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/montysthree-industrial-cyberspy\/15785\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/montysthree-industrial-cyberspy\/16173\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/montysthree-industrial-cyberspy\/25442\/"},{"hreflang":
"zh","url":"https:\/\/www.kaspersky.com.cn\/blog\/montysthree-industrial-cyberspy\/12046\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/montysthree-industrial-cyberspy\/29387\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/montysthree-industrial-cyberspy\/26198\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/montysthree-industrial-cyberspy\/28096\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/sas\/","name":"SAS"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/28272","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/2581"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=28272"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/28272\/revisions"}],"predecessor-version":[{"id":28275,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/28272\/revisions\/28275"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/28273"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=28272"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=28272"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=28272"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}