LuckyMouse Hackers Target Banks, Companies and Governments in 2020 (Security News, May 2021)
The malicious activity, collectively named "EmissarySoldier," has been attributed to a threat actor called LuckyMouse, and is said to have happened in 2020 with the goal of obtaining geopolitical insights in the region.
"In order to compromise victims, LuckyMouse typically uses watering holes, compromising websites likely to be visited by its intended targets," ESET malware researcher Matthieu Faou said in a report published today. "LuckyMouse operators also perform network scans to find vulnerable internet-facing servers run by their intended victims."
What's more, ESET also observed LuckyMouse infections on an unspecified number of internet-facing systems running Microsoft SharePoint, which the researchers suspect occurred by taking advantage of remote code execution vulnerabilities in the application.
Regardless of the method used to gain an initial foothold, the attack chain culminates in the deployment of custom post-compromise implants, SysUpdate or HyperBro, both of which leverage DLL search order hijacking to load malicious payloads and thwart detection.
"The trident model features a legitimate application vulnerable to DLL hijacking, a custom DLL that loads the payload, and a raw Shikata Ga Nai-encoded binary payload," Faou noted.
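The trident layout described above lends itself to a simple detection rule. As an added example that is not part of the ESET report or this article, the Python script below flags Sysmon-style image-load records in which a Windows system DLL name resolves outside the system directories, sits beside its host executable, and is unsigned. Field names follow Sysmon Event ID 7 (ImageLoad); the sample records and the list of system DLL names are constructed.

```python
import json
from pathlib import PureWindowsPath

# Directories from which Windows normally resolves its own DLLs.
SYSTEM_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)
# DLL names the loader would expect under SYSTEM_DIRS. Constructed list;
# a real deployment derives it from a clean baseline of the host.
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll"}

def is_under(path: str, roots) -> bool:
    """True if path lies below one of roots (case-insensitive Windows paths)."""
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(r + "\\") for r in roots)

def hijack_indicators(event: dict) -> list:
    """Reasons an ImageLoad record looks like DLL search-order hijacking."""
    loaded = PureWindowsPath(event["ImageLoaded"])
    reasons = []
    if loaded.name.lower() in KNOWN_SYSTEM_DLLS and not is_under(str(loaded), SYSTEM_DIRS):
        reasons.append("system DLL name resolved outside system directories")
        # Side-loading layout: the DLL sits beside the legitimate host binary.
        if loaded.parent == PureWindowsPath(event["Image"]).parent:
            reasons.append("DLL sits next to the host executable")
        if str(event.get("Signed", "false")).lower() != "true":
            reasons.append("DLL is unsigned")
    return reasons

def scan(lines):
    """Yield (host image, loaded DLL, reasons) for each suspicious JSONL record."""
    for line in lines:
        ev = json.loads(line)
        reasons = hijack_indicators(ev)
        if reasons:
            yield ev["Image"], ev["ImageLoaded"], reasons

# Constructed sample records: a benign system load and a trident-style load.
SAMPLE = [
    json.dumps({"Image": r"C:\Windows\explorer.exe",
                "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"}),
    json.dumps({"Image": r"C:\Users\Public\Libraries\updater.exe",
                "ImageLoaded": r"C:\Users\Public\Libraries\version.dll", "Signed": "false"}),
]
if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(*hit)
```

A legitimately signed DLL in an application directory will still trip the first two reasons, so in practice the rule is tuned against a baseline of known side-by-side deployments before alerting.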
"This may be an indicator that the threat actors behind LuckyMouse are gradually shifting from using HyperBro to SysUpdate."
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/Y7CPVO3mJQI/luckymouse-hackers-target-banks.html