APT15, a cyber-espionage group widely suspected of operating on behalf of Chinese interests, has fielded a new malware strain that researchers at the security firm Intezer say borrows code from the group's older tools. APT15 has been active since at least 2010 or 2011, so it has a sizeable library of code to draw on.
APT15 has kept a fairly high profile because it runs espionage campaigns against defence and energy targets. In March, the group was reported to have compromised a UK government contractor, planting custom backdoors on the victim's network.
Its most recent campaign uses a tool that Intezer has named MirageFox, because it appears to be built on Mirage, an APT15 backdoor first documented in 2012. The name comes from a string found in one of the malware's modules.
The original Mirage included a remote shell, which gave operators interactive command execution on the victim, together with decryption routines for its configuration and traffic, and MirageFox shares code with both components. Mirage in turn shared code with two other tools, MyWeb and BMW.
Both of those have also been attributed to APT15. The MirageFox sample carries a compile timestamp of June 8 and was uploaded to VirusTotal the following day; compile timestamps can be forged, but this one is consistent with the upload date. The public upload is what let researchers compare the sample with the group's earlier tools.
MirageFox is delivered as a malicious DLL that a legitimate, signed McAfee executable loads in place of the library it expects, a technique known as DLL hijacking; because the host process is trusted, the attacker's code executes under its cover. Intezer also noted that the sample's command-and-control (C&C) address lay in a private (internal) IP range, which suggests the binary was built for one specific network the group had already breached, most likely reached over a VPN, rather than for broad distribution.
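The practical question for defenders is how to spot a trusted executable loading an attacker's DLL. Below is an added example, not code from Intezer or from the article, of the detection logic run over constructed Sysmon-style Event ID 7 (Image loaded) records. Sysmon's real field names (Image, ImageLoaded, Signed, Signature) are used; the ProcessSigner field is an assumption that in practice would be joined from the process-creation event, the path heuristics and the list of commonly hijacked DLL names are constructed, and the vendor and file names in the sample records are fictional.

```python
"""Added example: toy detector for DLL hijacking over constructed Sysmon-style
Event ID 7 (Image loaded) records. Not code from Intezer or from the article.
ProcessSigner is an assumed field (joined from Event ID 1 in practice)."""
import ntpath  # Windows path handling regardless of host OS

# Constructed heuristics (assumptions, not a vendor list).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")
# System DLLs that applications commonly import and that live in System32.
# Resolving one of these from the application directory is the classic
# search-order hijack. Constructed, partial list.
COMMONLY_HIJACKED_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll",
                          "cryptbase.dll", "profapi.dll"}


def parse_record(line):
    """Parse one 'Key=Value|Key=Value' record into a dict with lowercase keys."""
    fields = {}
    for kv in line.strip().split("|"):
        key, _, value = kv.partition("=")
        fields[key.lower()] = value
    return fields


def is_system_path(path):
    return path.lower().startswith(SYSTEM_DIRS)


def in_user_writable(path):
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def hijack_indicators(rec):
    """Return the reasons this image load looks like a DLL hijack ([] if none)."""
    host, dll = rec["image"], rec["imageloaded"]
    if not dll.lower().endswith(".dll"):
        return []
    reasons = []
    host_signed = bool(rec.get("processsigner"))
    dll_signed = rec.get("signed", "").lower() == "true"
    # A signed host pulling in an unsigned library is the MirageFox shape.
    if host_signed and not dll_signed:
        reasons.append("unsigned DLL loaded into a signed process")
    # Libraries in user-writable locations can be planted without admin rights.
    if in_user_writable(dll):
        reasons.append("DLL loaded from a user-writable directory")
    # Application directory is searched before System32, so a system DLL
    # name that resolves next to the executable was almost certainly planted.
    same_dir = ntpath.dirname(host).lower() == ntpath.dirname(dll).lower()
    if (same_dir and not is_system_path(dll)
            and ntpath.basename(dll).lower() in COMMONLY_HIJACKED_DLLS):
        reasons.append("system DLL name resolved from the application directory")
    return reasons


def scan(lines):
    """Map each flagged DLL path to its reasons; benign loads are omitted."""
    flagged = {}
    for rec in map(parse_record, lines):
        reasons = hijack_indicators(rec)
        if reasons:
            flagged[rec["imageloaded"]] = reasons
    return flagged


# Constructed sample records (fictional vendor and paths, not real telemetry).
SAMPLE_LOG = [
    r"Image=C:\Program Files\VendorCo\Agent\agent.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true|Signature=Microsoft Windows|ProcessSigner=VendorCo Inc.",
    r"Image=C:\Users\bob\AppData\Local\Temp\agent.exe|ImageLoaded=C:\Users\bob\AppData\Local\Temp\agentutil.dll|Signed=false|Signature=|ProcessSigner=VendorCo Inc.",
    r"Image=C:\Tools\viewer.exe|ImageLoaded=C:\Tools\version.dll|Signed=false|Signature=|ProcessSigner=VendorCo Inc.",
    r"Image=C:\Tools\viewer.exe|ImageLoaded=C:\Tools\plugin.dll|Signed=true|Signature=VendorCo Inc.|ProcessSigner=VendorCo Inc.",
]

if __name__ == "__main__":
    for dll, reasons in scan(SAMPLE_LOG).items():
        print(dll)
        for reason in reasons:
            print("  -", reason)
```

The first record (a signed system DLL loaded from System32) and the last (a signed plugin beside a signed host) pass; the Temp-directory load and the `version.dll` sitting next to the executable are each flagged for two reasons. In production the signer check should compare certificate subjects rather than the Sysmon "Signed" boolean alone, since attackers can sign their DLLs with their own certificates.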
That fits APT15's past behaviour: Intezer notes that building customized malware components tailored to each compromised environment is the group's standard practice.
Earlier APT15 backdoors communicated with their C&C servers by driving Internet Explorer through its COM interface, so that the traffic appeared to originate from the browser; no browser vulnerability was exploited. No list of affected organisations has been published, and because the malware appears to be purpose-built for particular targets, it poses little threat to ordinary end users.