
Mikroceen

Posted: May 15, 2020

Mikroceen is a family of Remote Access Trojans (RATs). It gives attackers remote control over the infected computer and is typically deployed in targeted attacks against corporate and government entities in Asia. Users should remain mindful of the phishing attacks that could deliver it and have their anti-malware solutions remove Mikroceen as soon as possible after infection.

Sniffing Out a Whole Family of RATs

Recently-revealed connections between the supposedly disparate activities of the Vicious Panda APT, attacks wielding the BYEBY backdoor Trojan, and a threat named Microcin that compromised Russian targets are painting a clearer, overarching picture. Shared C&C infrastructure and other similarities suggest that each attack is using a variant of one family whose updates are primarily concerned with concealing its identity. Mikroceen is the label for this group of RATs, which operate as limited but potent tools for handing systems over to remote spies.

The common ground in the various incidents (such as the attacks against the Belarusian government and Vicious Panda's Mongolian campaign) includes near-identical C&C decryption configuration formats, similar command syntax, and shared third-party tools. Among the latter, malware experts note the password collector Mimikatz, WMI (Windows Management Instrumentation), and, unusually, the Gh0st RAT. That last Trojan offers features similar to Mikroceen's and raises the question of whether one is serving as a 'backup' to the other.

A crucial difference between the older Gh0st RAT and Mikroceen is the second Trojan's much simpler and more limited control panel. This UI gives attackers (Vicious Panda, or other threat actors) control over the infected Windows machine via a command-input interface. Unlike the Gh0st RAT, Mikroceen can't directly load features such as logging keystrokes or a remote shell. However, attackers can accomplish equivalent functionality through the appropriate commands, the more obvious of which include uploading, downloading, and executing files.

Breaking a Long-Distance Computer Snoop's Binoculars

In some cases, Mikroceen's admins make surprisingly basic operational-security mistakes, such as leaving file directories or non-deployed utilities unprotected. Still, they also show reasonable concern for their 'privacy' and implement notable password protection against any botnet hijacking efforts. Furthermore, Mikroceen's family includes various means of obfuscation, including updates for (unsuccessfully) hiding the names and purposes of the RAT's commands.

Vicious Panda campaigns can craft custom RTF documents and e-mail phishing messages specific to each target, and this tactic is one likely distribution vector for Mikroceen. Keeping document-reading software updated to cut down on vulnerabilities, and turning macros off, will help prevent many of the most commonplace drive-by-download exploits. Malware researchers recommend that workers in at-risk environments (government networks, energy, and media) be highly cautious about e-mail attachments and links.
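The "turning macros off" advice above can be audited and enforced on a Windows workstation from PowerShell. The following is an added example written for this page, not code from the original article or from any of the threat actors or tools it describes; it assumes Office 2016/2019/365 (registry version key "16.0"), and the function names and application list are this example's own choices.

```powershell
# Added example: audit and harden the Office VBA macro policy for the current user.
# Assumption: Office 2016/2019/365 stores per-user settings under the "16.0" key.
$OfficeVersion = '16.0'
$Apps = @('Word', 'Excel', 'PowerPoint')   # applications to check (example's choice)

function Get-MacroPolicy {
    param([string]$App)
    $path = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security"
    # VBAWarnings: 1 = enable all macros, 2 = disable with notification,
    # 3 = disable all except digitally signed, 4 = disable all without notification.
    # A missing value means the application default (notification) is in effect.
    $value = (Get-ItemProperty -Path $path -Name 'VBAWarnings' -ErrorAction SilentlyContinue).VBAWarnings
    [pscustomobject]@{ Application = $App; VBAWarnings = $value }
}

function Set-MacroPolicy {
    param([string]$App)
    $path = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # Disable all macros without notification, and additionally block macros in
    # documents carrying the Mark-of-the-Web (e.g. e-mail attachments saved to disk).
    Set-ItemProperty -Path $path -Name 'VBAWarnings' -Value 4 -Type DWord
    Set-ItemProperty -Path $path -Name 'BlockContentExecutionFromInternet' -Value 1 -Type DWord
}

# Audit first, then harden any application whose policy is not "disable all".
foreach ($app in $Apps) {
    $policy = Get-MacroPolicy -App $app
    if ($policy.VBAWarnings -ne 4) {
        Write-Host "$app macro policy is '$($policy.VBAWarnings)'; setting it to 4 (disable all)."
        Set-MacroPolicy -App $app
    } else {
        Write-Host "$app macro policy already disables all macros."
    }
}
```

On a domain-managed machine the same values are normally pushed through Group Policy under the `HKCU:\Software\Policies\Microsoft\Office\...` hive, which takes precedence over the per-user keys written here; in that setting, use this script for the audit half only and let policy do the enforcement.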

Disabling network connections will prevent attackers from using this RAT for further controlling the computer. The usual anti-malware services also may delete Mikroceen safely, or block corrupted documents that could distribute it.

Mikroceen is a throwback RAT that's oddly primitive but, perhaps, best shows its attackers' mindset and priorities. As long as a Trojan 'gets the job done,' it doesn't need to be fancy – even if the job is spying.
