According to the researchers, the group conducting these attacks has been active since 2018 and appears to be composed of Russian-speaking members. So far, these hackers have mainly targeted Russian industrial entities in an effort to steal confidential data from them.
While the attacks have been ongoing since 2018, the researchers said they found no evidence linking the group to any other known advanced persistent threat (APT) group.
The C++ toolset that Kaspersky researchers discovered was originally named MT3 by its operators. The researchers kept the same abbreviation (MT3) and named the toolset "MontysThree".
MontysThree operators have been observed using multiple techniques to evade detection. These include steganography to hide the main malicious espionage module and the use of public cloud services, such as Google and Microsoft, for C2 communications.
The MontysThree toolset comprises four separate modules: loader, kernel, HttpTransport and LinkUpdate.
The first module, loader, is responsible for the custom steganography and for decrypting the kernel module. It is spread using self-extracting RAR archives delivered through phishing emails.
The second module, kernel, is also the main module: it decrypts the XML config, parses it and carries out the other tasks assigned to it.
HttpTransport is a network module that communicates with legitimate public cloud services as well as with WebDAV sources.
The fourth module, LinkUpdate, is a persistence module.
Once installed on a system, the malware tries to find documents with specific extensions (Microsoft Office and Adobe Acrobat documents) in specific company directories. It can capture screenshots and fingerprint compromised devices, and it sends all the collected information to the hackers.
Because the hackers route C2 communications through public cloud services, IT teams usually find it difficult to identify that traffic as malicious.
According to the researchers, the overall sophistication of the MontysThree campaign "doesn't compare to top notch APT actors in terms of spreading, persistence method". They do acknowledge, however, that the amount of effort the hackers invested in MontysThree is significant.
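Because destination reputation is useless when C2 hides behind Google or Microsoft services, a defender has to look at how the traffic behaves instead. The following is an added example, not code from Kaspersky or from the article: it scans constructed proxy log lines for a client that talks to one cloud endpoint at near-fixed intervals, and for WebDAV verbs that a browser session to a cloud drive would not normally send (the interval and jitter thresholds are assumed values).

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# WebDAV verbs a browser session to a cloud drive would not normally send
WEBDAV_VERBS = {"PROPFIND", "PROPPATCH", "MKCOL", "MOVE", "COPY", "LOCK"}

# Constructed proxy log lines: timestamp, client IP, HTTP method, destination host
SAMPLE_LOG = """\
2020-10-08T09:00:00 10.0.0.5 GET drive.google.com
2020-10-08T09:00:05 10.0.0.7 GET www.example.org
2020-10-08T09:10:01 10.0.0.5 PROPFIND drive.google.com
2020-10-08T09:20:00 10.0.0.5 PROPFIND drive.google.com
2020-10-08T09:23:41 10.0.0.7 GET login.microsoftonline.com
2020-10-08T09:30:02 10.0.0.5 PROPFIND drive.google.com
2020-10-08T09:40:00 10.0.0.5 GET drive.google.com
"""


def parse(log_text):
    """Group (timestamp, method) events by (client, destination) pair."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, method, host = line.split()
        sessions[(client, host)].append((datetime.fromisoformat(ts), method))
    return sessions


def find_beacons(log_text, min_hits=4, max_jitter=0.1):
    """Return {(client, host): [reasons]} for pairs that look like C2.

    A pair is reported when any request used a WebDAV verb, or when it has at
    least min_hits requests whose inter-arrival gaps vary by no more than
    max_jitter (stdev / mean). Both thresholds are assumed values.
    """
    findings = {}
    for pair, events in parse(log_text).items():
        events.sort()
        reasons = []
        verbs = {method for _, method in events} & WEBDAV_VERBS
        if verbs:
            reasons.append("webdav:" + ",".join(sorted(verbs)))
        if len(events) >= min_hits:
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
            if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
                reasons.append(f"beacon:{mean(gaps):.0f}s")
        if reasons:
            findings[pair] = reasons
    return findings
```

On the sample log, only the 10.0.0.5 client is reported: it polls drive.google.com every ten minutes and uses PROPFIND, while the other client's scattered requests to cloud hosts are left alone.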