MontysThree APT Takes Unusual Aim at Industrial Targets

The newly discovered APT specializes in espionage campaigns against industrial holdings — a rare target for spyware.

SAS@Home 2020 – A series of highly targeted attacks by an APT group called MontysThree against industrial targets has been uncovered, with evidence that the campaign dates back to 2018.

That’s according to researchers from Kaspersky, who noted that the group uses a variety of techniques to evade detection, including using public cloud services for command-and-control (C2) communications, and hiding its main malicious espionage module using steganography.

Spy attacks on industrial holdings are far more unusual than campaigns against diplomats and other nation-state targets, according to the firm.

Threatpost Webinar Promo Retail Security

Click to Register!

“Government entities, diplomats and telecom operators tend to be the preferred target for APTs, since these individuals and institutions naturally possess a wealth of highly confidential and politically sensitive information,” according to a Kaspersky analysis, issued on Thursday in tandem with its virtual Security Analyst Summit conference, SAS@Home. “Far more rare are targeted espionage campaigns against industrial entities—but, like any other attacks against industries, they can have devastating consequences for the business.”

The APT uses a toolset that it calls MT3, which consists of separate modules. The first—the loader—is initially spread using RAR self-extracted (SFX) archives. These, delivered via email, contain savvy lures related to employees’ contact lists, technical documentation and medical analysis, to trick industrial employees into downloading the files.

The loader obfuscates itself using steganography, which is the practice of hiding electronic information inside images.

“Steganography is used by actors to hide the fact that data is being exchanged,” according to Kaspersky. “In the case of MontysThree, the main malicious payload is disguised as a bitmap file. If the right command is inputted, the loader will use a custom-made algorithm to decrypt the content from the pixel array and run the malicious payload.”

The main malicious payload uses several encryption techniques of its own to evade detection, namely the use of an RSA algorithm to encrypt communications with the control server and to decrypt the main “tasks” assigned from the malware.

Once installed, it sets about searching for documents with specific extensions (MontysThree is designed to specifically target Microsoft and Adobe Acrobat documents) and in specific company directories. It also takes screenshots and fingerprints compromised devices by gathering information about their network settings, host name and so on, to determine if the target is of interest to the attackers.

Meanwhile, C2 communications are hosted on public cloud services like Google, Microsoft and Dropbox, which, as Kaspersky pointed out, makes the communications traffic difficult to detect as malicious.

“Because no antivirus blocks these services, it ensures the control server can execute commands uninterrupted,” according to the firm.

MontysThree also uses a simple method for gaining persistence on the infected system—a modifier for Windows Quick Launch. Users inadvertently run the initial module of the malware by themselves every time they run legitimate applications, such as browsers, when using the Quick Launch toolbar, researchers explained.

“MontysThree is interesting not just because of the fact that it’s targeting industrial holdings, but because of the combination of sophisticated and somewhat amateurish TTPs,” said Denis Legezo, senior security researcher with Kaspersky’s Global Research and Analysis Team, in a posting on Thursday. “In general, the sophistication varies from module to module, but it can’t compare to the level used by the most advanced APTs.”

Despite the less-complex aspects of the campaign, “they use strong cryptographic standards and there are indeed some tech-savvy decisions made, including the custom steganography,” Legezo said. “Perhaps most importantly, it’s clear that the attackers have put significant effort into developing the MontysThree toolset, suggesting they are determined in their aims—and that this is not meant to be a short-lived campaign.”

As far as attribution, that remains a mystery; Kaspersky has not been able to find any similarities in the malicious code or the infrastructure with any known APTs.

Kaspersky researchers will be presenting technical details on the MontysThree toolset as well as more information on targeting and other aspects of the campaign during SAS@Home on Thursday; Threatpost will update this posting with more information as it surfaces.

On October 14 at 2 PM ET Get the latest information on the rising threats to retail e-commerce security and how to stop them. Register today for this FREE Threatpost webinar, “Retail Security: Magecart and the Rise of e-Commerce Threats.” Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this LIVE webinar.


Suggested articles