Researcher warns over Moker RAT APT

Malware seeks to avoid detection, bypasses the User Account Control, researchers say.

the SC Magazine UK take:

A new advanced persistent threat (APT) has been discovered by security researchers. Dubbed Moker, the malware is a remote access Trojan that can evade security measures on Windows PC.

The malware was discovered by Israeli security firm enSilo, who gave the Trojan its name. Researchers discovered it hiding on a customer’s network but were not entirely sure how it got there.

The malware creates a new user account in Windows and opens an RDP channel, allowing it to gain complete control over the victim’s device. The researchers said that Moker is able to change important system files, modify security settings and own system processes.

The Trojan has a range of features, including the ability to record keystrokes, capture screenshots, monitor internet traffic, as well as exfiltrate files. Interestingly, Moker also includes a control panel, so that the attacker can run malicious programs locally. According to researchers, this feature is designed to mimic a legitimate user, or has been added by the author for experimental purposes, but is still in the development stage.

Worryingly, the malware is also designed to bypass the User Account Control feature in Windows.

Yotam Gottesman, a senior security researcher with enSilo, said the malware hasn’t appeared on VirusTotal yet. He added that its detection-evasion measures included encrypting itself and a two-step installation.

“Measures to protect itself from posthumous dissection included evading debugging techniques that are used by researchers, the addition of complex code and purposefully adding instructions to lead researchers in the wrong direction,” he said in a blog post.

Researchers have no real idea who is behind this or how it got onto a client’s network. Gottesman said that tests in the lab revealed that under certain circumstances Moker communicated with a server registered in Montenegro. 

“The Montenegro-based server was referred by several other domains registered in African countries. It’s important to note, however, that these registered domains cannot give an indication of the threat actor’s identity or physical location,” he added.

The researchers said that the malware may give other malware creators ideas and encourage them to use similar techniques to avoid detection.

“This case might have been a dedicated attack,” said Gottesman. “However, we do see that malware authors adopt techniques used by other authors. We won’t be surprised if we see future APTs using similar measures that were used by Moker (such as bypassing security mechanisms and dissection techniques).”

Jonathan Sander, vice president of product strategy at Lieberman Software, told SCMagazineUK.com that the hardest part in dealing with the new malware called Moker is finding it in the first place.

“Using advanced techniques such as breaking its install into stages and code packing to avoid signature based detection, Moker seems to be designed for stealth. It even avoids the need for calling over the network for every instruction,” he said. “Moker can take commands from a built-in control system, which, perhaps even more frightening, means that the attacker has a whole other route into the systems to manipulate those controls locally.”

He added that Moker isn’t groundbreaking so much as it’s rare.

“It’s rare for attackers to put this much effort into malware these days. Since security is so poor, most attackers can buy pre-made malware or construct cheap knockoffs of well-known attacks and that is more than enough to burst through the doors of any perimeter,” said Sander.

Tony Berning, senior product manager at OPSWAT, told SC that to protect against threats such as Moker it is important to deploy several security layers to each data entry point into the organisation.

“No single anti-malware engine will be able to detect 100 percent of threats. By securing each data workflow using multi anti-malware scanning, and other techniques such as file type filtering and file sanitisation, to block potentially dangerous files and remove embedded threats, the chance that malware can get past an organisation's defences is greatly reduced,” he said.

Sagie Dulce, team leader in ADC at Imperva, told SC that what interested him about the malware is that it seems not to rely on any exploits.

“Many users are already privileged on their own machine, making bypassing UAC mechanism more trivial (it is also possible to simply ask the user for elevation). As much attention as exploits get, the trouble with them is that they are costly, complex, and once patched can potentially ruin the campaign. Not using any exploits could mean that the attack can actually go undetected for longer,” he said. 

“This malware proves again that standard security measures (AV, sandboxing etc) fail to address advanced threats. Companies should assume that compromise is inevitable - and focus their money on where it hurts: their data.”

What piqued Gavin Reid’s interest was Moker’s local control interface. The vice president of threat intelligence at Lancope told SC that “while it is hard to understand the benefit of having a local GUI control panel, this is the first malware sample to use it.  Many of the other ‘features’ are found in other malware families.”

He said that the technique for defeating Window’s User Access Control “can and will continue to be abused.”

APT threat actors behind 1 in 3 data breaches
APT threat actors behind 1 in 3 data breaches

A new advanced persistent threat (APT) has been discovered by security researchers. Dubbed Moker, the malware is a remote access Trojan that can evade security measures on Windows PC.

The malware was discovered by Israeli security firm enSilo, who gave the Trojan its name. Researchers discovered it hiding on a customer's network but were not entirely sure how it got there.

The malware creates a new user account in Windows and opens an RDP channel, allowing it to gain complete control over the victim's device. The researchers said that Moker is able to change important system files, modify security settings and own system processes.

The Trojan has a range of features, including the ability to record keystrokes, capture screenshots, monitor internet traffic, as well as exfiltrate files. Interestingly, Moker also includes a control panel, so that the attacker can run malicious programs locally. According to researchers, this feature is designed to mimic a legitimate user, or has been added by the author for experimental purposes, but is still in the development stage.

Worryingly, the malware is also designed to bypass the User Account Control feature in Windows.

Yotam Gottesman, a senior security researcher with enSilo, said the malware hasn't appeared on VirusTotal yet. He added that its detection-evasion measures included encrypting itself and a two-step installation.

“Measures to protect itself from posthumous dissection included evading debugging techniques that are used by researchers, the addition of complex code and purposefully adding instructions to lead researchers in the wrong direction,” he said in a blog post.

Researchers have no real idea who is behind this or how it got onto a client's network. Gottesman said that tests in the lab revealed that under certain circumstances Moker communicated with a server registered in Montenegro. 

“The Montenegro-based server was referred by several other domains registered in African countries. It's important to note, however, that these registered domains cannot give an indication of the threat actor's identity or physical location,” he added.

The researchers said that the malware may give other malware creators ideas and encourage them to use similar techniques to avoid detection.

“This case might have been a dedicated attack,” said Gottesman. “However, we do see that malware authors adopt techniques used by other authors. We won't be surprised if we see future APTs using similar measures that were used by Moker (such as bypassing security mechanisms and dissection techniques).”

Jonathan Sander, vice president of product strategy at Lieberman Software, told SCMagazineUK.com that the hardest part in dealing with the new malware called Moker is finding it in the first place.

“Using advanced techniques such as breaking its install into stages and code packing to avoid signature based detection, Moker seems to be designed for stealth. It even avoids the need for calling over the network for every instruction,” he said. “Moker can take commands from a built-in control system, which, perhaps even more frightening, means that the attacker has a whole other route into the systems to manipulate those controls locally.”

He added that Moker isn't groundbreaking so much as it's rare.

“It's rare for attackers to put this much effort into malware these days. Since security is so poor, most attackers can buy pre-made malware or construct cheap knockoffs of well-known attacks and that is more than enough to burst through the doors of any perimeter,” said Sander.

Tony Berning, senior product manager at OPSWAT, told SC that to protect against threats such as Moker it is important to deploy several security layers to each data entry point into the organisation.

“No single anti-malware engine will be able to detect 100 percent of threats. By securing each data workflow using multi anti-malware scanning, and other techniques such as file type filtering and file sanitisation, to block potentially dangerous files and remove embedded threats, the chance that malware can get past an organisation's defences is greatly reduced,” he said.

Sagie Dulce, team leader in ADC at Imperva, told SC that what interested him about the malware is that it seems not to rely on any exploits.

“Many users are already privileged on their own machine, making bypassing UAC mechanism more trivial (it is also possible to simply ask the user for elevation). As much attention as exploits get, the trouble with them is that they are costly, complex, and once patched can potentially ruin the campaign. Not using any exploits could mean that the attack can actually go undetected for longer,” he said. 

“This malware proves again that standard security measures (AV, sandboxing etc) fail to address advanced threats. Companies should assume that compromise is inevitable - and focus their money on where it hurts: their data.”

What piqued Gavin Reid's interest was Moker's local control interface. The vice president of threat intelligence at Lancope told SC that “while it is hard to understand the benefit of having a local GUI control panel, this is the first malware sample to use it.  Many of the other ‘features' are found in other malware families.”

He said that the technique for defeating Window's User Access Control “can and will continue to be abused.”