
MirageFox RAT

Posted: May 28, 2020

The MirageFox RAT is a Remote Access Trojan that's an update of Mirage, a threat noted for targeting military and energy industry networks. As with Mirage, the MirageFox RAT helps attackers control your computer over a network connection, and it adds new features such as a DLL loading technique. Monitoring e-mail communications may prevent attacks through spear-phishing attempts, and anti-malware solutions should identify and delete the MirageFox RAT appropriately.

Trojan Foxes Breaking into Costly Chicken Coops

Mirage is just as much a name for an infamous backdoor Trojan as a threat actor, APT15. However, this supposedly China-affiliated hacking organization (also known under the Ke3chang alias) isn't one for resting on its laurels. The MirageFox RAT is a distinctive update to the previous Mirage Trojan, with all of the same perils for victims, but an extra dose of obfuscation.

The MirageFox RAT's first campaign most likely began in mid-2018, partially replacing the years-old Mirage Trojan. Conventional targets for its threat actor include diplomatic embassies, militaries and energy companies. In most attacks, the MirageFox RAT or a similar Trojan isn't the first-stage payload; Ke3chang uses more-generic tools for infiltration before dropping its more-specialized ones.

Although the MirageFox RAT includes code that links it to Mirage and Reaver, it is also highly successful at evading heuristic detection attempts. An example of its stealth mindset is its use of a (now widely abused) DLL-hijacking tactic that 'tricks' a legitimate AV binary into loading corrupted components in place of the libraries it expects.
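
The DLL-hijacking tactic described above leaves a visible trace on the host: a signed process loads a library from its own directory, or under a system DLL's name from somewhere other than the Windows directories. The following is an added example, not code from this page or from any vendor, that applies that check to a handful of constructed Sysmon-style "Image loaded" records (Event ID 7 fields `Image`, `ImageLoaded`, `Signed`, `SignatureStatus`). The process names, paths and the short list of commonly side-loaded DLL names are illustrative assumptions, not indicators from any MirageFox incident.

```python
"""Flag DLL side-loading candidates in constructed Sysmon-style ImageLoad records."""
import ntpath
from typing import Dict, List, Tuple

# Directories from which Windows normally resolves its own libraries.
# Assumption: a default install on drive C:; adjust for the host under review.
SYSTEM_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)

# Illustrative names of system DLLs that are frequently resolved from an
# application's own directory when search-order hijacking is in play.
# This list is a placeholder for the example, not an exhaustive reference.
COMMON_SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "userenv.dll", "winmm.dll"}

# Constructed sample events modelled on Sysmon Event ID 7. The products and
# user paths are placeholders invented for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Program Files\ExampleAV\scanner.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\scanner.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\ExampleAV\scanner.exe",
     "ImageLoaded": r"C:\Program Files\ExampleAV\avcore.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\ExampleAV\scanner.exe",
     "ImageLoaded": r"C:\Program Files\ExampleAV\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]


def classify_load(event: Dict[str, str]) -> List[str]:
    """Return the reasons (possibly none) an image-load record looks like side-loading."""
    dll = event["ImageLoaded"].lower()
    proc = event["Image"].lower()
    reasons: List[str] = []

    in_system_dir = any(dll.startswith(d) for d in SYSTEM_DIRS)
    same_dir = ntpath.dirname(dll) == ntpath.dirname(proc)
    valid_sig = event.get("SignatureStatus", "").lower() == "valid"

    # A well-known system DLL name resolved from outside the Windows directories
    # is the classic search-order hijack signature, whatever the signature says.
    if not in_system_dir and ntpath.basename(dll) in COMMON_SYSTEM_DLLS:
        reasons.append("system DLL name resolved outside the Windows directories")

    # A DLL sitting next to the executable without a valid signature is the
    # pattern of a planted component loaded by a legitimate (signed) host binary.
    if not in_system_dir and same_dir and not valid_sig:
        reasons.append("unsigned or unverifiable DLL loaded from the process's own directory")

    return reasons


def find_sideload_candidates(
    events: List[Dict[str, str]],
) -> List[Tuple[str, str, List[str]]]:
    """Run classify_load over a batch of records and keep only the flagged ones."""
    hits = []
    for event in events:
        reasons = classify_load(event)
        if reasons:
            hits.append((event["Image"], event["ImageLoaded"], reasons))
    return hits


if __name__ == "__main__":
    for image, loaded, why in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"{image} -> {loaded}: {'; '.join(why)}")
```

The two rules are deliberately narrow so that the normal case, a signed product loading its own signed libraries from its install directory (the third record), produces no alert; in production the same logic would read real Event ID 7 output and be tuned with an allow-list of the organisation's legitimately unsigned in-house components.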

The MirageFox RAT also has a fairly unusual absence of system persistence across reboots. Users shouldn't consider this choice a weakness. Any deployment of the MirageFox RAT will also involve the threat actor's having other ways of accessing the network and issuing commands to infected PCs.

Shaking Off a Deadly Mirage before It Happens

Educating employees on how to protect themselves from phishing attacks will prevent many incidents related to the MirageFox RAT's threat actor. In most events, victims should anticipate e-mail messages with custom information related to their workplace or industry, usually carrying file attachments or obfuscated links. After this opening infiltration, Ke3chang may drop various RATs or backdoor Trojans like the MirageFox RAT in search of intelligence to exfiltrate.

The MirageFox RAT uses a shell with generous features for accomplishing the above goal, such as auto-uploading system architecture data, self-terminating to avoid detection, or editing files on the PC according to manual commands. It also is possible that the MirageFox RAT is persistent, but implements the feature through a module or other component. Users aren't necessarily safe even after disinfecting their PCs, thanks to Ke3chang's tendency to re-compromise targets by any means necessary.

However, disinfection, along with preventing C&C network contact, is a significant portion of cyber-security triage after a MirageFox RAT infection. For ensuring safety as much as possible, users should let their dedicated anti-malware products flag and remove the MirageFox RAT, and contact their network administrators immediately.

As a metaphorical finger on the pulse of a victim's computer, the MirageFox RAT is a 2017-era modernization of an ancient tool. The fact that some of its methods are still in play in 2020 speaks well to just how thoroughly APT15 understands the territory of spying in the age of network computing.
