
MontysThree

Posted: October 14, 2020

MontysThree is modular spyware that collects information from the user's PC by multiple methods, including taking screenshots and exfiltrating documents. The threat's configuration suggests that most current targets are Russian, including companies in the industrial sector. Users can block or delete MontysThree with traditional anti-malware products and may watch for some symptoms, such as changes to their Link (LNK) files.

The New Spying Software Kept in a Carefully-Concealed Grip

Trojans and other threats breaching industrial companies' security are always a notable event, well exemplified by dangers as recent as the Milum RAT and as old as Shamoon. MontysThree, a recently identified case in point, goes one step further than most by displaying unique code, infrastructure, and campaign behavior that suggests the hands of an entirely new threat actor. Although Russian organizations in the relevant industry are the most likely victims, malware experts find no rigid geographical restraints on most of MontysThree's data-collecting features.

MontysThree is spyware with a heavily modular design that separates its components into distinct parts, such as a command processor for the attackers, loaders for the other elements, data encryption handlers, and HTTP network communications. Altogether, malware analysts find that its default features focus on exfiltrating data from victims, with additional infrastructure support for long-term persistence. Thus, being spyware, the typical data that MontysThree might collect includes:

  • System statistics such as the Windows version (for further exploitation by attackers).
  • Documents or spreadsheets, especially recently-opened ones, including Microsoft Office and Adobe PDF content, for example.
  • Anything visible in a screenshot, which MontysThree may capture and upload automatically.

Its core attacks are less intriguing than MontysThree's preferential targeting of folders with Cyrillic names, which makes it likely that current targets are all Russia-based. The unknown threat actor may also share that operating region, since some internal strings suggest that the attacker is coding in Russian. The campaign's phishing techniques use a mixture of Russian- and English-language themes, all of which imply that the targets are workplace environments whose employees might open a fake lab report, employee phone number list, etc.

Threats Combining Unusual Sophistication with Equal Clumsiness

The technicalities of MontysThree's distribution, persistence, and other traits not of immediate concern to victims reveal a surprisingly mixed bag of threat actor competency. MontysThree uses an oddly primitive persistence method that involves editing Windows Link files and adding itself to them, questionable internal encryption choices, and network communications based on keyboard shortcut combinations. However, many other parts of the spyware toolkit's components are more robust, such as the custom steganography used for obfuscation.
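The LNK symptom mentioned earlier and the persistence method described above both come down to the same observable: a shortcut's target or arguments changing. The following added example (not code from the original article or from any MontysThree analysis) parses the StringData fields of a Shell Link file per the MS-SHLLINK layout and diffs a known-good copy against the current one; the LNK samples it builds are constructed for the demo, and the paths in them are hypothetical.

```python
import struct

# Offsets and LinkFlags bits from the MS-SHLLINK Shell Link binary format.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"),
                 (0x10, "working_dir"), (0x20, "arguments"), (0x40, "icon"))

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk (where the target path and arguments live)."""
    if len(data) < HEADER_SIZE or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:                       # skip LinkTargetIDList (2-byte size prefix)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # skip LinkInfo (4-byte size includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, key in STRING_FIELDS:               # StringData blocks appear in this fixed order
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, not bytes
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += count * width
    return fields

def build_lnk(relative_path: str, arguments: str = None) -> bytes:
    """Construct a minimal Unicode .lnk for the demo (a constructed sample, not real on-disk data)."""
    flags = 0x08 | IS_UNICODE | (0x20 if arguments is not None else 0)
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    header[4:20] = LINK_CLSID
    struct.pack_into("<I", header, 0x14, flags)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments) if s is not None)
    return bytes(header) + body

def lnk_changes(baseline: bytes, current: bytes) -> list:
    """Fields whose value differs between a known-good LNK and its current copy, as (field, old, new)."""
    old, new = parse_lnk(baseline), parse_lnk(current)
    return [(k, old.get(k), new.get(k)) for k in sorted(set(old) | set(new))
            if old.get(k) != new.get(k)]
```

In practice the baseline would be a stored snapshot of the user's Quick Launch and Startup shortcuts, and any change to `relative_path` or a newly appearing `arguments` field is the event worth alerting on.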

Although MontysThree's espionage goals are in line with attacks primarily carried out with the aid of RATs or backdoor Trojans, its threat actor opts for another tactic. Following a LOLBin, or living-off-the-land, philosophy, the attackers take advantage of default tools like Cuse for most of their network Command & Control requirements. Even its C&C networking strictly uses legitimate cloud storage companies' servers instead of custom Web domains.

Among all its oddities, no one should forget that MontysThree's goal is collecting data without drawing the user's attention. Reliable anti-malware protection is essential for deleting MontysThree as soon as possible before any intelligence is lost.

MontysThree has quite some time before it becomes as noteworthy to Trojan history as the infamous disk-wipers of yore. Since its targets are industrial, there's every possibility that its still-ongoing story will be worth remembering.
