skip to Main Content

Cyber Espionage, MontysThree targets industries with a new toolset

Kaspersky: MontysThree targets industries with a new toolset for cyber espionage purpose. It uses many techniques to evade detection, including hosting its communications with the C2 on public cloud services and hiding the main malicious module with steganography

Cyber espionage group behind MontysThree has been deployed a new toolset to target industries. It has been discovered by Kaspersky cybersecurity experts. Originally named MT3, the malware program consisting of four modules. The first—the loader—is initially spread using RAR SFX files (self-extracted archives) containing names related to employees’ contact lists, technical documentation, and medical analysis results to trick employees into downloading the files—a common spear phishing technique. The loader is primarily in charge of ensuring the malware isn’t detected on the system; to do this, it deploys a technique known as steganography. The main malicious payload uses several encryption techniques of its own to evade detection, namely the use of an RSA algorithm to encrypt communications with the control server and to decrypt the main “tasks” assigned from the malware. This includes searching for documents with specific extensions and in specific company directories. 

The cyber security experts: The malware program is designed to specifically target Microsoft and Adobe Acrobat documents

MontysThree is designed to specifically target Microsoft and Adobe Acrobat documents; it can also capture screenshots and “fingerprint” (i.e. gather information about their network settings, host name, etc.) the target to see if it is of interest to the attackers. The information collected and other communications with the control server are then hosted on public cloud services like Google, Microsoft, and Dropbox. This makes the communication traffic difficult to detect as malicious, and because no antivirus blocks these services, it ensures the control server can execute commands uninterrupted. The malware also uses a simple method for gaining persistence on the infected system—a modifier for Windows Quick Launch. Users inadvertently run the initial module of the malware by themselves every time they run legitimate applications, such as browsers, when using the Quick Launch toolbar.

Back To Top