Russian-speaking hackers use 'MontysThree' toolset on industrial targets

The attacks have been ongoing since 2018

Researchers from cyber security firm Kaspersky say they have discovered a new multi-module malware toolset that is being used to launch targeted attacks against industrial holdings.

According to the researchers, the group behind these attacks has been active since 2018 and appears to be made up of Russian-speaking members. So far it has mainly targeted Russian industrial entities, with the aim of stealing confidential data from them.

Despite the length of the campaign, the researchers said they found no evidence linking the group to any known advanced persistent threat (APT) group.

The C++ toolset was named MT3 by its own operators; the Kaspersky researchers expanded that abbreviation into the name "MontysThree".

MontysThree's operators have been observed using several techniques to evade detection, including steganography to hide the main espionage module and public cloud services run by Google and Microsoft for command-and-control (C2) communications.

The MontysThree toolset consists of four separate modules: the loader, the kernel, HttpTransport and LinkUpdate.

The first module, the loader, handles the custom steganography and decrypts the kernel module. It is delivered in self-extracting RAR archives sent through phishing emails.

The second module, the kernel, is the main module: it decrypts and parses the XML configuration and carries out the tasks the configuration assigns.
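To make the loader-to-kernel handover above concrete, here is an added illustration of how a loader can recover an encrypted blob from the pixel data of an image and how a kernel stage can then decrypt and parse an XML configuration. This is example code written for this page, not MontysThree's code: the toolset's real steganographic format, ciphers and configuration layout are not described in the article, so the least-significant-bit scheme, the repeating-key XOR stand-in cipher, the `SAMPLE_CONFIG` document and the `make_cover` pseudo-image are all assumptions made for the example.

```python
"""Illustration of a steganographic loader stage followed by a kernel stage
that decrypts and parses an XML config. NOT MontysThree's code: the LSB
scheme, XOR cipher, config layout and sample data are assumptions."""
import random
import struct
import xml.etree.ElementTree as ET


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Hide a length-prefixed payload in the least significant bit of each
    cover byte (one byte per colour channel in a raw RGB image)."""
    data = struct.pack("<I", len(payload)) + payload
    bits = [(b >> i) & 1 for b in data for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover image too small for payload")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def _bits_to_bytes(bits):
    return bytes(sum(bit << i for i, bit in enumerate(bits[k:k + 8]))
                 for k in range(0, len(bits), 8))


def extract_lsb(stego: bytes) -> bytes:
    """Loader side: read the LSBs back and honour the length prefix."""
    bits = [b & 1 for b in stego]
    (length,) = struct.unpack("<I", _bits_to_bytes(bits[:32]))
    return _bits_to_bytes(bits[32:32 + 8 * length])


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Stand-in cipher (repeating-key XOR), applied symmetrically."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def parse_config(xml_text: str) -> dict:
    """Kernel side: pull the collection targets out of the config."""
    root = ET.fromstring(xml_text)
    return {
        "extensions": [e.text for e in root.iter("ext")],
        "directories": [d.text for d in root.iter("dir")],
    }


# Constructed sample config for this example, not a real MontysThree config.
SAMPLE_CONFIG = (
    "<config><targets><ext>.docx</ext><ext>.xlsx</ext><ext>.pdf</ext></targets>"
    "<dirs><dir>C:\\Users\\Public\\Documents</dir></dirs></config>"
)
KEY = b"example-key"  # assumed key for the stand-in cipher


def make_cover(n: int = 4096) -> bytes:
    """Deterministic pseudo-random 'pixel' bytes standing in for a bitmap."""
    rng = random.Random(1)
    return bytes(rng.getrandbits(8) for _ in range(n))


def build_stego_image(config: str = SAMPLE_CONFIG, key: bytes = KEY) -> bytes:
    """Attacker-side packaging: encrypt the config, hide it in the cover."""
    return embed_lsb(make_cover(), xor_crypt(config.encode(), key))


def loader_then_kernel(stego: bytes, key: bytes = KEY) -> dict:
    """Victim-side chain: loader extracts and decrypts, kernel parses."""
    return parse_config(xor_crypt(extract_lsb(stego), key).decode())


if __name__ == "__main__":
    img = build_stego_image()
    cover = make_cover()
    changed = sum(1 for a, b in zip(cover, img) if a != b)
    print(f"cover bytes altered: {changed} of {len(cover)} (LSB only)")
    print(loader_then_kernel(img))
```

The point for defenders is in the last two lines of `__main__`: the stego image differs from the cover only in the lowest bit of a few hundred bytes, so a scanner that looks at the image as an image sees nothing, and the XML never exists in cleartext on disk. Detection therefore has to focus on the loader's behaviour (reading an image and then executing decoded data) rather than on the carrier file.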

HttpTransport is the network module; it communicates with legitimate public cloud services and with WebDAV servers.

The fourth module, LinkUpdate, provides persistence.

Once installed on a system, the malware searches specific company directories for documents with particular extensions (Microsoft Office and Adobe Acrobat files). It can also capture screenshots and fingerprint the compromised device, and it sends everything it collects back to the attackers.

Because the C2 traffic goes to public cloud services, IT teams usually find it hard to distinguish it from legitimate use of those same services.
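One way to get some purchase on that problem is to stop looking at destinations alone and instead correlate method, client software and upload volume. The following is an added example of such a proxy-log heuristic, written for this page; it is not Kaspersky's detection logic and nothing in it is derived from MontysThree samples. The log format, the `CLOUD_HOSTS` list, the `EXPECTED_AGENTS` allowlist, the byte threshold and every line of `SAMPLE_LOG` (including the `custom-agent/1.0` user agent) are constructed for the example.

```python
"""Proxy-log heuristic: flag WebDAV or cloud-storage uploads that do not look
like normal user activity. Added example; log format, host list, allowlist,
threshold and sample lines are all constructed assumptions."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed format: time client method url status bytes "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<ua>[^"]*)"$'
)

# Assumed storage endpoints of the providers the article names (Google, Microsoft).
CLOUD_HOSTS = {"d.docs.live.net", "graph.microsoft.com", "www.googleapis.com"}
# Assumed: clients that legitimately upload to those services on this network.
EXPECTED_AGENTS = ("Mozilla/", "Microsoft Office", "Microsoft-WebDAV-MiniRedir", "OneDrive")
UPLOAD_METHODS = {"PUT", "POST", "PATCH", "PROPFIND", "MKCOL"}
WEBDAV_METHODS = {"PROPFIND", "MKCOL"}
BYTES_THRESHOLD = 50_000  # assumed per-client upload volume for one log window

# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = """\
2020-10-08T09:12:01Z 10.1.4.22 GET https://www.google.com/ 200 5120 "Mozilla/5.0 (Windows NT 10.0) Firefox/81.0"
2020-10-08T09:12:07Z 10.1.4.22 PROPFIND https://d.docs.live.net/abc123/ 207 1432 "custom-agent/1.0"
2020-10-08T09:12:09Z 10.1.4.22 PUT https://d.docs.live.net/abc123/docs.bin 201 48213 "custom-agent/1.0"
2020-10-08T09:12:31Z 10.1.4.22 PUT https://d.docs.live.net/abc123/scr.bin 201 20010 "custom-agent/1.0"
2020-10-08T09:13:40Z 10.1.4.35 PUT https://d.docs.live.net/def456/q3.xlsx 201 92000 "Microsoft Office/16.0"
2020-10-08T09:14:02Z 10.1.4.40 POST https://www.googleapis.com/upload/drive/v3/files 200 3000 "custom-agent/1.0"
"""


def parse_log(text: str):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            rec["host"] = urlsplit(rec["url"]).hostname or ""
            yield rec


def suspicious_cloud_uploads(text: str, threshold: int = BYTES_THRESHOLD) -> dict:
    """Per client, aggregate uploads to cloud storage from unexpected agents.
    A client is reported if it exceeds the byte threshold or uses WebDAV
    methods at all from such an agent."""
    per_client = defaultdict(lambda: {"bytes": 0, "requests": 0,
                                      "methods": set(), "agents": set(), "hosts": set()})
    for r in parse_log(text):
        if r["host"] not in CLOUD_HOSTS or r["method"] not in UPLOAD_METHODS:
            continue
        if r["ua"].startswith(EXPECTED_AGENTS):
            continue  # a known client uploading to cloud storage is normal here
        s = per_client[r["client"]]
        s["bytes"] += r["bytes"]
        s["requests"] += 1
        s["methods"].add(r["method"])
        s["agents"].add(r["ua"])
        s["hosts"].add(r["host"])
    return {c: s for c, s in per_client.items()
            if s["bytes"] >= threshold or s["methods"] & WEBDAV_METHODS}


if __name__ == "__main__":
    for client, s in sorted(suspicious_cloud_uploads(SAMPLE_LOG).items()):
        print(client, s["bytes"], sorted(s["methods"]), sorted(s["agents"]), sorted(s["hosts"]))
```

On the sample data only 10.1.4.22 is reported: it sends close to 70 KB to a OneDrive-style WebDAV path from a user agent the network does not otherwise use, and it issues PROPFIND, which browsers never do. The Office client at 10.1.4.35 uploads more bytes but is allowlisted, and 10.1.4.40 stays under the threshold. The allowlist is the weak point of this heuristic: an implant that borrows a legitimate user agent string slips past it, so in practice the agent check should be replaced or backed by process-level telemetry from the endpoint.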

According to the researchers, the overall sophistication of the MontysThree campaign "doesn't compare to top notch APT actors in terms of spreading, persistence method", but they acknowledge that the effort invested in the toolset is significant.