The malicious cyber-group LuckyMouse has scurried out of its hole spreading a previously unknown trojan that is particularly dangerous because it is signed with a legitimate digital certificate belonging to a cyber-security company.
Kaspersky Lab’s Global Research and Analysis Team (GReAT) reported that in addition to the certificate it also uses a proprietary driver that allows the attackers to handle command execution, uploading/downloading files and intercepting traffic.
"The driver became the most interesting part of this campaign. To make it appear trustworthy, the group seemingly stole a digital certificate that belonged to an information security-related software developer, and used this to sign malware samples. This was done in an attempt to avoid being detected by security solutions, since a legitimate signature makes the malware look like legal software," GReAT reported.
LuckyMouse has focused its efforts on political entities in South Eastern and Central Asia, and its activity is consistent with nation-state backed cyber-espionage. GReAT noted that LuckyMouse's activity level increases just before major events, such as world leaders gathering for a summit, and the research group stated that LuckyMouse is a Chinese-speaking threat actor.
Although GReAT did not say LuckyMouse activity was in preparation for these events, the United Nations General Assembly takes place in New York City from 18-25 September and the G20 Summit will be held from 30 November to 1 December in Buenos Aires.