Kaspersky: Chinese hackers LuckyMouse hit national data center


Kaspersky Lab has published a report in which it reveals that a Chinese hacking group has attacked the national data center of an unnamed Central Asian country.

The cyberattacks are said to have been carried out by a group known as LuckyMouse -- which also goes by the names Iron Tiger, Threat Group-3390, EmissaryPanda and APT27. The attacks started in 2017, and Kaspersky says that malicious scripts were injected into official websites to conduct a country-level waterholing campaign.


Kaspersky says that the group used the HyperBro Trojan remote administration tool to evade antivirus tools between December 2017 and January 2018. The Russian security firm detected the hacking campaign back in March this year. It has opted not to name the country that has been targeted by the hacking group, but says:

Due to tools and tactics in use we attribute the campaign to LuckyMouse Chinese-speaking actor (also known as EmissaryPanda and APT27). Also the C2 domain update.iaacstudio[.]com was previously used in their campaigns. The tools found in this campaign, such as the HyperBro Trojan, are regularly used by a variety of Chinese-speaking actors. Regarding Metasploit's shikata_ga_nai encoder -- although it's available for everyone and couldn't be the basis for attribution, we know this encoder has been used by LuckyMouse previously.

Government entities, including the Central Asian ones also were a target for this actor before. Due to LuckyMouse's ongoing waterholing of government websites and the corresponding dates, we suspect that one of the aims of this campaign is to access web pages via the data center and inject JavaScripts into them.

There is not enough information for Kaspersky to be able to determine exactly how LuckyMouse managed to attack government websites in order to get the campaign underway, but the company says: "The main C2 used in this campaign is bbs.sonypsps[.]com, which resolved to IP-address, that belongs to the Ukrainian ISP network, held by a Mikrotik router using firmware version 6.34.4 (from March 2016) with SMBv1 on board. We suspect this router was hacked as part of the campaign in order to process the malware's HTTP requests. The Sonypsps[.]com domain was last updated using GoDaddy on 2017-05-05 until 2019-03-13."

In a blog post about the attacks, Kaspersky's Denis Legezo says that they could be indicative of a new, sneakier breed of hackers:

LuckyMouse appears to have been very active recently. The TTPs for this campaign are quite common for Chinese-speaking actors, where they typically provide new solid wrappers (launcher and decompressor protected with shikata_ga_nai in this case) around their RATs (HyperBro).

The most unusual and interesting point here is the target. A national data center is a valuable source of data that can also be abused to compromise official websites. Another interesting point is the Mikrotik router, which we believe was hacked specifically for the campaign. The reasons for this are not very clear: typically, Chinese-speaking actors don't bother disguising their campaigns. Maybe these are the first steps in a new stealthier approach.

Image credit: Allexxandar / Shutterstock

© 1998-2018 BetaNews, Inc. All Rights Reserved.