FireEye, Microsoft, Cisco team up to take down RAT-flinging crew
Tired of living in the, er, Shadow of Moudoor
Security vendors have teamed up to fight a prolific cyber-espionage group thought to be based in China.
The hacking crew has been targeting finance, education, government, policy groups and think tanks for around four years since 2010. One of its main tools is Moudoor, a derivative of the infamous Gh0st RAT (remote access tool).
Moudoor infections usually begin with the exploitation of zero-day vulnerabilities through so-called watering hole attacks. The hackers target the systems of visitors from a targeted organisation by planting malicious code on third-party websites likely to be popular with prospective marks. These sites could be anything from local sports teams to sector-relevant portals. The malicious code then delivers exploits that rely on as-yet-unpatched vulnerabilities, hence the zero-day tag.
A Coordinated Malware Eradication campaign led by analytics outfit Novetta, in cooperation with other security vendors – particularly iSight, Cisco, Volexity, Tenable, ThreatConnect, ThreatTrack Security, Microsoft, F-Secure and Symantec – has sought to disrupt or otherwise frustrate the operations of the hacking crew. This is being pushed through coordinated detection and remediation of the malware the cyberspies are using to steal technology and gather intelligence.
Moudoor works alongside another strain of malware, dubbed Hikiti, which is more directly involved in controlling compromised systems, as a blog post by Microsoft explains.
"Hikiti’s main payload... acts as a backdoor to give a malicious hacker access to download and run remote commands to control the system and steal sensitive information," Microsoft security researchers Francis Tan Seng and Holly Stewart write.
A more comprehensive report covering the malware family, as well as additional insight into attribution, is due to be released by the coalition on 28 October. In the meantime, a brief run-down on the coalition and links to preliminary analyses of the malware involved in the attacks can be found here. ®