LuckyMouse attacks on government networks & private companies
ESET unveils EmissarySoldier: The team campaign APT LuckyMouse attacks government networks and private companies (telecommunications, media and banks) in Central Asia and the Middle East
• The research included in the Report of the global cybersecurity company ESET on the Public Sector and which incorporates opinions of the European Commission, the CERN and Europol, was recently presented at a virtual conference for ESET Europe Cyber Security Day.
• The biggest challenge and common enemy for all governments is the Advanced Persistent Threat Groups (APT).
The European Union's cybersecurity strategy, like the strategy of all governments internationally, is challenged not only by the adoption of the "digital by default" principle, but also by the COVID-19 pandemic, by the mass application of teleworking (from home), as well as threats such as cyber espionage, ransomware and supply-chain attacks. But the biggest challenge of all, and a common enemy for all governments, is the Advanced Persistence Threat (APT) teams.
APT teams utilize sophisticated tools
ESET's global Public Sector's report on public sector was recently presented at a virtual conference for ESET Europe Cyber Security Day. The report examines the potential threats posed by APT teams, highlights their complex nature, and focuses on the EmissarySoldier campaign, a malicious campaign launched by the APT LuckyMouse team using the SysUpdate toolkit to attack machines, some of which ran Microsoft SharePoint application.
This analysis by the LuckyMouse team looks at the relatively unknown SysUpdate toolkit - the first samples of which were discovered in 2018. Since then, the toolbox has seen various stages of development. The LuckyMouse team installs its malware using a three-component strategy: a legitimate application vulnerable to DLL infringement, a custom DLL file that loads a malicious file, and a raw binary payload file encrypted by the Shikata Ga Nai algorithm.
Overview of the three-element model
Because SysUpdate's modular architecture allows its operators to limit exposure to malicious objects at will, ESET researchers have not been able to recover any malicious part and believe that this will be a constant challenge in future analyzes. However, the LuckyMouse team increased its activity in 2020, possibly going through an update process where various functions were gradually integrated into the SysUpdate toolkit.
Monitoring the evolution of tools used by APT teams, such as the LuckyMouse team, is a key concern, as governments have a responsibility to ensure stability for citizens, the business environment and cooperation with other nation-states. These governance tasks are threatened as LuckyMouse and other APT teams, including government agencies and their affiliates, target broad collaboration platforms such as Microsoft SharePoint and digital services.
The Public Sector in focus
In 2020 and 2021, several ESET research collaborations matured, including collaborations with the European Organization for Nuclear Research (CERN), the European Police Office (Europol) and the French Information Systems Security Agency (ANSSI). As highlighted in the virtual event and in the report, governments and their IT infrastructure are considered to be the default targets.
According to the report, technology experts must continue to support governments in closing security gaps and monitor the tactics, techniques and procedures of APT teams through the various Endpoint detection and protection technologies available to them.