Cybercriminals are using steganography to hide their code and seek industrial data.

Our experts have found traces of activity of a new cybercriminal group that spies on industrial enterprises. The crooks are carrying out targeted attacks, using a tool that our researchers call MontysThree, looking for documents on victims’ computers. The group appears to have been active since at least as far back as 2018.

How MontysThree infects computers

The cybercriminals use classic spear-phishing techniques to penetrate victims’ computers, sending e-mails containing executable files that look like documents in .pdf or .doc format to employees of industrial enterprises. Such files are typically named “Corporate data update,” “Technical specification,” “List of employee phone numbers 2019,” and the like. In some cases, the attackers try to make the files look like medical documents, with names like “Medical analysis results” or “Invitro-106650152-1.pdf” (Invitro is one of the largest Russian medical labs).

What the attackers want

MontysThree preys on specific documents in Microsoft Office and Adobe Acrobat formats located in various directories and on connected media. After infection, the malware profiles the victim’s computer, sending the system version, a list of processes, and desktop snapshots to its C&C server, as well as lists of recently opened documents with the extensions .doc, .docx, .xls, .xlsx, .rtf, .pdf, .odt, .psw, and .pwd in the USERPROFILE and APPDATA directories.

What else MontysThree can do

The authors implemented several rather unusual mechanisms in their malware. For example, after infection, the downloader module extracts and decodes the main module, which is encrypted in a picture using steganography. Our experts believe that the attackers wrote the steganography algorithm from scratch, that they didn’t simply copy it from open-source samples, as is most commonly the case.

The malware communicates with the C&C server using public cloud services such as Google, Microsoft, and Dropbox, as well as WebDAV. In addition, the communications module can make requests through RDP and Citrix. What’s more, the malware creators did not embed any communication protocols in their code; instead, MontysThree uses legitimate programs (RDP, Citrix clients, Internet Explorer).

So as to keep the malware in the victim’s system as long as possible, an auxiliary module modifies the shortcuts on the Windows Quick Launch panel, so when the user launches a shortcut (for example, to a browser), the MontysThree loader module is executed at the same time.
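One way a defender can hunt for this persistence trick, as an added example that is not part of the original post: the PowerShell below enumerates the current user's Quick Launch shortcuts (the standard folder under APPDATA) and flags any whose target or arguments look tampered with. The list of flagged targets and the path heuristics are assumptions chosen for illustration, not indicators from the MontysThree research.

```powershell
# Added hunt script (not from the original post): list Quick Launch shortcuts and
# flag ones whose target or arguments suggest a second program is being launched.
$quickLaunch = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'
$shell = New-Object -ComObject WScript.Shell

# Assumed list of command/script hosts; a browser shortcut should not point at these.
$suspiciousTargets = @('cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe', 'rundll32.exe', 'mshta.exe')

Get-ChildItem -Path $quickLaunch -Filter '*.lnk' -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    $targetName = [string][System.IO.Path]::GetFileName($lnk.TargetPath)
    $reasons = @()

    if ($suspiciousTargets -contains $targetName.ToLower()) {
        $reasons += "target is a command/script host ($targetName)"
    }
    # Arguments that reference another executable or script are the classic
    # "start the real program and something else" pattern.
    if ($lnk.Arguments -match '\.(exe|dll|bat|cmd|vbs|js|ps1)\b') {
        $reasons += "arguments reference an executable: $($lnk.Arguments)"
    }
    # Heuristic: targets outside Program Files or Windows (e.g. APPDATA, TEMP) deserve a look.
    if ($lnk.TargetPath -and $lnk.TargetPath -notmatch '^[A-Za-z]:\\(Program Files( \(x86\))?|Windows)\\') {
        $reasons += "target outside Program Files/Windows: $($lnk.TargetPath)"
    }

    [PSCustomObject]@{
        Shortcut   = $_.Name
        Target     = $lnk.TargetPath
        Arguments  = $lnk.Arguments
        Modified   = $_.LastWriteTime   # a recent change on an old shortcut is itself a clue
        Suspicious = ($reasons.Count -gt 0)
        Reason     = ($reasons -join '; ')
    }
} | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Run it per user profile (the Quick Launch folder is per user), and compare the Modified column against the date the shortcut was originally created.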

Who are the attackers?

Our experts see no signs linking MontysThree’s creators to past attacks. By all appearances, it is a completely new cybercriminal group, and judging by pieces of text in the code, the authors’ native language is Russian. Likewise, their main targets are most likely Russian-speaking companies; some of the directories the malware rummages through exist only in the Cyrillic version of the system. Although our experts also found account details for communications services that hint at a Chinese origin, they believe those are false flags meant to obfuscate the attackers’ tracks.

A detailed technical description of MontysThree, together with indicators of compromise, is available in our post on the Securelist website.

What to do

For a start, convey to all employees once again that targeted attacks most often begin with an e-mail, so they need to be extremely careful when opening files, especially ones they were not expecting. To make doubly sure they understand why they need to stay alert, we recommend not only explaining the dangers of such behavior, but also fostering skills in countering modern cyberthreats using the Kaspersky Automated Security Awareness Platform.

Moreover, to protect against sophisticated targeted attacks, use integrated security solutions that combine workstation protection, EDR capabilities, and additional tools for analyzing and defeating attacks.