Researchers over at cybersecurity company enSilo have discovered a novel, powerful and persistent type of malware plaguing the network of one of their customers.
This malware, which they dubbed Moker after the file description in its executable file, is effectively a Remote Access Trojan (RAT) with great anti-detection and anti-debugging features.
Moker takes complete control of the target machine by creating a new user account and opening an RDP channel to gain remote control of the victim's device, the researchers explained.
It tampers with sensitive system files, modifies system security settings, and injects itself into different system processes. It's also capable of recording keystrokes, taking screenshots, recording web traffic and exfiltrating files. In short, it has a whole gamut of capabilities that come in handy for attackers who want to know everything that's happening on a target machine and beyond.
“Interestingly, Moker did not necessarily need to be controlled from remote,” the researchers found. “A feature of the RAT includes a control panel that enables the attacker to control the malware locally.”
This effectively makes Moker also a Local Access Trojan (LAT). “We think this feature was added either for a threat actor to mimic a legitimate user (say, VPNing into the enterprise and then commanding Moker locally), or was inserted by the malware's author for testing purposes yet remained also in the production version,” they pointed out.
Moker's detection evasion capabilities include code packing and a two-stage installation (first a dropper that “prepares” the machine and defeats sandboxes, then the encrypted malicious payload). Evasion of anti-virus products and of virtual machines is also built in, and the malware is capable of bypassing Windows' User Account Control (UAC) by exploiting a known design flaw.
Ultimately, and unlike most malware, Moker achieves system privileges.
The malware’s anti-research measures are detailed beautifully in this blog post by enSilo’s Yotam Gottesman, who shared the step-by-step process they went through to defeat them.
“To date, this APT is unknown and does not appear in VirusTotal,” the researchers noted. It is still unknown who might be behind it but its sophistication is an indication that the threat actor invested a lot of resources and effort.
It's also still unknown how the malware (i.e. the dropper) was ultimately delivered to the target machines.
“This case might have been a dedicated attack. However, we do see that malware authors adopt techniques used by other authors,” the researchers concluded. “We won't be surprised if we see future APTs using similar measures that were used by Moker.”