In February of this year, SixLittleMonkeys, aka Microcin, an APT actor that conducts
cyberespionage campaigns against government bodies and diplomatic entities, was found
downloading a Trojan into a target’s system memory. Kaspersky researchers discovered
that this last-stager (the final stage of an attack when the malicious payload has been
downloaded and begins executing commands on the victim’s device) was utilizing a new
coding style—using an API-like (Application Programming Interface) architecture to
simplify updates of the malware.
Kaspersky researchers discovered SixLittleMonkeys (aka Microcin) several years ago
targeting government bodies with a backdoor. In addition, the group was able to mask its
malicious activity by using steganography: a technique that hides data inside an
innocuous-looking carrier so that nobody notices a payload or update has been downloaded.
This makes it harder for anti-virus products to detect the malicious payloads.
In February of this year, when SixLittleMonkeys was found engaged in active operations
against a diplomatic entity, they were largely using the same toolset and style—
steganography and library search order hijacking. However, they had made one major step
forward: in the last-stager they were applying enterprise-style coding techniques.
APIs (Application Programming Interfaces) allow developers to build applications faster and
more easily, by creating reusable building blocks so that code doesn’t have to be developed from scratch. In the case of malware, APIs add an additional layer of efficiency:
updates or changes can be made that much more quickly.
SixLittleMonkeys’ last-stager’s exported API-like function takes two callback parameters
(functions supplied by the caller and invoked later): pointers to an encryptor and a logger function. The former is in charge of encrypting and decrypting the C2 (command-and-control server) communications and the
configuration data. The latter saves the malware’s history of operations to a file. With such an approach, it’s much easier for the authors to change the encryption algorithm or
redirect the logger through a different communication channel.
Another new aspect of Microcin’s latest activity is the use of asynchronous work with
sockets. The sockets in this case are the endpoints for network communications with the control server. Because they are asynchronous, one operation doesn’t block the other,
so all received commands get executed.
“This use of an enterprise-grade API-like programming style is something quite rarely
found in malware—even for those involved in targeted campaigns. It demonstrates extensive experience in software development and signifies significant sophistication on
the part of the actor. With such callbacks in their new network module, updating and supporting it is much easier,” comments Denis Legezo, Senior Security Researcher at
Read more about SixLittleMonkeys’ latest activity on Securelist.
To stay safe from attacks by APTs like SixLittleMonkeys, Kaspersky experts recommend:
• Provide your Security Operations Center (SOC) team with access to the latest threat intelligence, and stay up-to-date with new and emerging tools, techniques and tactics used by threat actors and cybercriminals.
• For endpoint level detection, investigation and timely remediation of incidents, implement EDR solutions, such as Kaspersky Endpoint Detection and Response.
• In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats at the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
• Provide your staff with basic cybersecurity hygiene training, as many targeted attacks start with phishing or other social engineering techniques. Conduct a simulated phishing attack to ensure that they know how to distinguish phishing emails.