ATP group MontysThree uses MT3 toolset in industrial cyberespionage
The age of cyber spying
Targeted malware is often an issue for officials such as diplomats and telecom operators. In rare cases, industries become a target, which is known as industrial cyberespionage. One advanced threat protection (ATP) group, MontysThree, used its MT3 toolset to conduct industrial cyberespionage. This type of espionage is not merely a plot device used in James Bond films or sci-fi novels — it is a real threat in the world today.
What is MontysThree?
MontysThree is an ATP group in operation since 2018 or earlier. This group is believed to be focused on targets in Russia, and no attacks have yet occurred in the U.S. Targets have only been in Russia or in countries that speak Russian. The MontysThree toolset seeks out directories that are on Cyrillic-localized editions of Windows (Cyrillic is a script used in various nations such as Russia or Ukraine). More to this point, a typical file searched for by its toolset is named Список телефонов сотрудников 2019.doc. This group is considered a hacker collective.
MontysThree uses several different techniques to avoid detection, such as steganography and public cloud infrastructures for their command and control (C2) servers. Another example of this group using a smokescreen to hide its presence is the recent implementation of email-based accounts pretending to be Chinese in origin. While still behind other APTs in terms of skill, these techniques contribute to its success.
There is also ample evidence that MontysThree is exclusively an industrial cyberespionage group. According to Kaspersky Lab (who uncovered the MT3 toolset), MontysThree primarily steals recent documents, such as Adobe Acrobat and Microsoft Word files, as well as documents stored on removable drives. Plus, MontysThree’s targets are corporate industrial entities, so you can assume to be looking at an industrial cyberespionage APT.
What is MT3?
MT3 is the name of the multi-module toolset, written in the C++ language, used by MontysThree during its highly targeted attack campaigns. It is initially spread to its victims via targeted spearphishing email campaigns containing malicious files disguised as important files such as contact lists, technical papers and medical documents. Once these documents are opened, the loader uses steganography to conceal malicious code in images such as bitmap file types. The toolset is delivered inside RAR archives, which are self-extracting and native to Windows.
MT3 is comprised of four modules:
- Loader module — This module is what manages the extraction of the malicious code that was hidden with steganography in the image file. The extraction is saved locally to the targeted user’s system as ‘msgslang32.dll’
- Kernel module — Responsible for configuration decryption, C2 infrastructure communication (RSA and 3DES keys) and data collection for details like system information and a list of the latest documents
- HttpTransport Module — This module is responsible for the information exfiltration by both downloading and uploading data using RDP, Citrix, HTTP and WebDAV protocols. These protocols are not part of the module itself. Instead, it exploits the legitimate Windows program on the target system. It can also download data from Google and Dropbox through user tokens. This is possible because no antivirus will block these services, doing the heavy lifting for MT3’s communication with its C2
- LinkUpdate — Archives persistence by modifying .lnk files located in Windows Quick launch on the compromised system
After an infection
Once the malicious file is opened, the payload remains disguised within the image file (bitmap). It then takes a command inputted into the loader before a custom algorithm decrypts the payload from the pixel array. After this occurs, the payload can evade detection with the use of several encryption techniques such as encrypting communications with its C2 by using an RSA algorithm, which is hosted in the cloud.
With detection evasion running interception, MT3 then begins its primary purpose of locating certain Adobe Acrobat and Microsoft Word documents. It also steals information about network settings, screenshots, hostnames and other data. Once it has captured the documents and information from the compromised system, it exfiltrates them to the C2 server hosted in the cloud with the use of the HttpTransport module.
While performing its dirty work, persistence is achieved by using a Windows Quick Launch modifier. When users of the infected machine run legitimate applications using the Windows Quick Launch Toolbar, they will be inadvertently running the initial MT3 module.
MontysThree is here to stay
MontysThree is an industrial cyberespionage APT that goes after targets in Russia and the Russian-speaking world. It carries out its cyberespionage campaigns by using its MT3 toolset to locate and steal Adobe Acrobat, Microsoft Word and other information on compromised systems. MontysThree initially infects the system through spearphishing campaigns with malicious scripts hidden within image files such as bitmap. While this group has been identified as being below the skill level of other APT groups, it makes up for this by using several techniques to evade detection and stays persistent in reaching its goal.
Industrial Espionage Campaign Uncovered. Bank Info Security UK.
MontysThree APT Take Unusual Aim at Industrial Targets. Threat Post.