Kaspersky Lab has identified a cyber-espionage campaign against industrial enterprises | Alexandrov | 09.10.2020
The company has discovered a set of malicious modules, MontysThree, that has existed since at least 2018 and is intended for targeted attacks on industrial enterprises.
It uses several techniques to evade detection, including communication with the command-and-control server through public cloud services, and steganography.
MontysThree consists of four modules. An attack begins with delivery of the loader by phishing, inside self-extracting archives. The file names in such archives are chosen to look like
staff contact lists, technical documentation or medical test results. The loader decrypts the main malicious module from a bitmap image in which it is hidden with
steganography, using a custom-developed algorithm.
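The carrier-image step above, as an added illustration: this is not Kaspersky's sample code and not MontysThree's own algorithm (the report only describes it as custom). It shows the generic least-significant-bit scheme that a loader can use: an XOR-encrypted blob is written one bit per pixel byte into a valid 24-bit BMP, whose headers stay intact so the file still opens as an image, and the "loader" side reads the bits back and decrypts. The BMP, the key and the module bytes are all constructed here; the repeating-key XOR is an assumption standing in for whatever cipher protects the real module.

```python
import struct

# Constructed sample carrier: a flat-coloured 24-bit BMP built in memory.
def make_bmp(width, height, fill=(0x40, 0x80, 0xC0)):
    row_len = (width * 3 + 3) & ~3          # BMP pads each row to a 4-byte boundary
    pixels = bytearray()
    for _ in range(height):
        row = bytes(fill) * width
        pixels += row + b"\x00" * (row_len - len(row))
    offset = 14 + 40                        # BITMAPFILEHEADER + BITMAPINFOHEADER
    file_hdr = struct.pack("<2sIHHI", b"BM", offset + len(pixels), 0, 0, offset)
    dib_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                          len(pixels), 2835, 2835, 0, 0)
    return file_hdr + dib_hdr + bytes(pixels)

def pixel_offset(bmp):
    # bfOffBits: where the pixel array starts; headers are never modified
    return struct.unpack_from("<I", bmp, 10)[0]

def lsb_embed(bmp, payload):
    """Write a 4-byte length prefix plus payload, one bit per pixel byte, into the LSBs."""
    off = pixel_offset(bmp)
    body = bytearray(bmp)
    data = struct.pack("<I", len(payload)) + payload
    nbits = len(data) * 8
    if nbits > len(body) - off:
        raise ValueError("carrier too small for payload")
    for i in range(nbits):
        bit = (data[i >> 3] >> (7 - (i & 7))) & 1
        body[off + i] = (body[off + i] & 0xFE) | bit
    return bytes(body)

def lsb_extract(bmp):
    """Inverse of lsb_embed: read the length prefix, then that many bytes."""
    off = pixel_offset(bmp)

    def read_bytes(count, first_bit):
        out = bytearray()
        for b in range(count):
            v = 0
            for k in range(8):
                v = (v << 1) | (bmp[off + first_bit + b * 8 + k] & 1)
            out.append(v)
        return bytes(out)

    length = struct.unpack("<I", read_bytes(4, 0))[0]
    if 32 + length * 8 > len(bmp) - off:    # an ordinary image yields a nonsense length
        raise ValueError("no valid payload in carrier")
    return read_bytes(length, 32)

def xor_crypt(blob, key):
    # Assumption: repeating-key XOR stands in for the real (undisclosed) module cipher.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))

def loader_roundtrip():
    """Attacker side builds the carrier; the 'loader' side recovers and decrypts the module."""
    key = b"toy-key"                                     # constructed, not a real key
    module = b"MZ\x90\x00 stand-in for the main module"  # constructed payload
    carrier = lsb_embed(make_bmp(64, 16), xor_crypt(module, key))
    recovered = xor_crypt(lsb_extract(carrier), key)
    return recovered == module and carrier[:2] == b"BM"
```

The point for defenders is that the carrier is a structurally valid image, so format validation and signature scanning of the file pass; catching it means either statistical LSB analysis of the pixel data or treating an image that ships inside a self-extracting archive as suspicious in its own right.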
The main malicious module uses several encryption algorithms to evade detection, mainly RSA for communication with the control server and for decrypting configuration
data. The configuration is XML-based and describes the malware's tasks: searching for documents with specified extensions in specified directories and on removable media. These settings
show that the MontysThree operators are interested in Microsoft Office and Adobe Acrobat documents.
In addition, the modules can take screenshots of the desktop so that the operators can judge whether the victim is of interest, analyse the machine's network and local settings, and so on. This information is encrypted and
uploaded to public cloud services (Google Drive, Microsoft OneDrive, Dropbox); the same services are used to receive new files.
MontysThree also uses a simple persistence method: the Windows Quick Launch toolbar. Without realising it, users run the primary malware module
every time they open a legitimate application, such as a browser, from this toolbar.
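A check for the Quick Launch persistence described above, added here as an example: it is not Kaspersky's tooling, and the audit heuristics are assumptions, not published indicators. A small parser for the Windows shortcut format (MS-SHLLINK) pulls the local target path and command-line arguments out of each .lnk file, and the audit flags shortcuts whose target is not under the usual program directories or whose arguments hand another executable's path to the target, which is the shape a browser shortcut takes once it has been rewritten to start a loader that then launches the real browser. The sample shortcuts are constructed in memory by build_lnk; EXPECTED_DIRS is an assumed whitelist.

```python
import os
import struct
from pathlib import Path

# ShellLinkHeader.LinkFlags, lowest eight bits (MS-SHLLINK section 2.1.1)
(FLAG_IDLIST, FLAG_LINKINFO, FLAG_NAME, FLAG_RELPATH,
 FLAG_WORKDIR, FLAG_ARGS, FLAG_ICON, FLAG_UNICODE) = (1 << i for i in range(8))

def parse_lnk(data):
    """Return the local target path and the StringData fields of a .lnk file."""
    hdr_size, flags = struct.unpack_from("<I16xI", data, 0)   # HeaderSize, skip CLSID, LinkFlags
    if hdr_size != 0x4C:
        raise ValueError("not a shell link")
    pos = 0x4C
    if flags & FLAG_IDLIST:                       # skip LinkTargetIDList (size field excludes itself)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = None
    if flags & FLAG_LINKINFO:
        info_start = pos
        info_size, _hdr, info_flags, _vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if info_flags & 1:                        # VolumeIDAndLocalBasePath present
            end = data.index(b"\x00", info_start + base_off)
            target = data[info_start + base_off:end].decode("cp1252", "replace")
        pos += info_size
    fields = {"target": target}
    for name, bit in (("name", FLAG_NAME), ("relative_path", FLAG_RELPATH),
                      ("working_dir", FLAG_WORKDIR), ("arguments", FLAG_ARGS),
                      ("icon", FLAG_ICON)):
        if flags & bit:                           # CountCharacters, then the characters
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & FLAG_UNICODE:
                fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                fields[name] = data[pos:pos + count].decode("cp1252", "replace")
                pos += count
    return fields

def build_lnk(target, arguments=""):
    """Constructed minimal shortcut for the demo: header + LinkInfo + optional Arguments."""
    flags = FLAG_LINKINFO | FLAG_UNICODE | (FLAG_ARGS if arguments else 0)
    clsid = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, clsid, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)           # SW_SHOWNORMAL, rest zero
    volume_id = struct.pack("<IIII", 17, 3, 0, 16) + b"\x00"       # fixed disk, empty label
    base_path = target.encode("cp1252") + b"\x00"
    hdr_len = 28
    body = volume_id + base_path + b"\x00"                          # CommonPathSuffix = ""
    link_info = struct.pack("<IIIIIII", hdr_len + len(body), hdr_len, 1,
                            hdr_len, hdr_len + len(volume_id), 0,
                            hdr_len + len(volume_id) + len(base_path)) + body
    string_data = b""
    if arguments:
        string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + link_info + string_data

EXPECTED_DIRS = (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows")  # assumption

def audit_shortcut(lnk_bytes, expected_dirs=EXPECTED_DIRS):
    """Heuristic findings for one shortcut (assumptions for this demo, not report indicators)."""
    info = parse_lnk(lnk_bytes)
    findings = []
    target = (info["target"] or "").lower()
    if not any(target.startswith(d.lower()) for d in expected_dirs):
        findings.append(f"target outside expected directories: {info['target']}")
    args = info.get("arguments", "")
    if ".exe" in args.lower():
        findings.append(f"arguments launch another executable: {args}")
    return findings

def audit_quick_launch(folder=None):
    """Scan the user's Quick Launch folder; returns {shortcut file name: findings}."""
    if folder is None:
        appdata = os.environ.get("APPDATA", str(Path.home() / "AppData" / "Roaming"))
        folder = Path(appdata) / "Microsoft" / "Internet Explorer" / "Quick Launch"
    folder = Path(folder)
    if not folder.is_dir():
        return {}
    return {p.name: audit_shortcut(p.read_bytes()) for p in folder.glob("*.lnk")}
```

On a live host, audit_quick_launch() reads %APPDATA%\Microsoft\Internet Explorer\Quick Launch; a shortcut's modification time and a mismatch between its display name and the binary it actually points at are useful second signals, since the icon and name are what the user sees and are left alone.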
The experts found no similarities between this malicious code and code from other targeted campaigns.
“Attacks using the MontysThree tools stand out not only because they focus on industrial enterprises (although this is not unique, they are not the most popular targets for targeted attacks), but
also because of the combination of advanced and amateur tactics and methods. The level of technical solutions in this toolset varies considerably. The MontysThree developers use modern, reliable
cryptographic standards and customised steganography. The level of development is not as high as that of the major APT players, but the authors have put a lot of effort into making this toolset
and continue to develop it, so we assume that they have well-defined objectives and the campaign is short,” says Denis Legezo, senior cybersecurity expert
at Kaspersky Lab.