The Mikroceen malware (known in Russia as Microcin) is a RAT (Remote Access Trojan) that has been operating since 2017. The majority of the Mikroceen campaigns are concentrated in Central Asia; however, this threat has also been identified on systems located in Russia, Belarus and other countries. The Mikroceen malware allows the attackers to carry out reconnaissance, data collection and remote control operations on the compromised system. The Mikroceen RAT has been used against targets in both the public and private sectors.
Malware researchers have yet to identify the infection vector used to propagate the Mikroceen Trojan. The authors of the Mikroceen threat deploy it with the help of a pre-made batch script. The script in question allows the Mikroceen RAT to gain persistence on the infected system: it creates a bogus Windows service named ‘Windows Upload Manager,’ which is set up to run every time the compromised system is rebooted. The Mikroceen threat registers each affected victim with a uniquely generated victim ID, a password and a random username. It is likely that the authors of the Mikroceen malware use the password to prevent a competitor or the authorities from taking over their servers and infrastructure.
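As an added example (not from the original write-up and not Mikroceen's own code), the following Python flags Windows service-installation records that match the persistence behaviour described above. The log lines are constructed for the example, and the batch-script and user-writable-path heuristics are assumptions that generalise the page's description rather than documented Mikroceen indicators.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of Windows System log entries flattened to one line each
# (Event ID 7045 = "A service was installed in the system"). These are made up
# for this example, not real Mikroceen telemetry.
SAMPLE_EVENTS = [
    'EventID=7045 ServiceName="Windows Update" ImagePath="C:\\Windows\\System32\\svchost.exe -k netsvcs" StartType="auto start"',
    'EventID=7045 ServiceName="Windows Upload Manager" ImagePath="C:\\ProgramData\\wum\\svc.exe" StartType="auto start"',
    'EventID=7045 ServiceName="Backup Agent" ImagePath="cmd.exe /c C:\\Users\\Public\\install.bat" StartType="demand start"',
    'EventID=7034 ServiceName="Spooler"',
]

# Service name the write-up reports for Mikroceen's persistence mechanism.
MIKROCEEN_SERVICE_NAMES = {"windows upload manager"}

# key=value pairs; values may be quoted (and contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    service: str
    image_path: str
    reasons: list = field(default_factory=list)


def parse_event(line):
    """Turn one flattened event record into a dict of its key=value fields."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def assess_service_install(event):
    """Return a Finding for a 7045 event showing Mikroceen-style persistence, else None."""
    if event.get("EventID") != "7045":
        return None
    name = event.get("ServiceName", "")
    path = event.get("ImagePath", "")
    reasons = []
    if name.lower() in MIKROCEEN_SERVICE_NAMES:
        reasons.append("service name matches the Mikroceen 'Windows Upload Manager' service")
    # Assumption: a service launched via a .bat file mirrors the batch-script deployment.
    if re.search(r"\.bat\b", path, re.IGNORECASE):
        reasons.append("service is launched through a batch script")
    # Assumption: auto-start services living under user-writable paths deserve review.
    if re.search(r"\\(ProgramData|Users)\\", path, re.IGNORECASE) and event.get("StartType", "").lower().startswith("auto"):
        reasons.append("auto-start service whose binary lives under a user-writable directory")
    return Finding(name, path, reasons) if reasons else None


def scan(lines):
    """Run the check over every record and keep only the suspicious ones."""
    return [f for f in (assess_service_install(parse_event(l)) for l in lines) if f]
```
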
When the Mikroceen malware compromises a system, it connects to the attackers' C&C (Command & Control) server and begins receiving commands. The commands appear to be short and heavily obfuscated. The Mikroceen Trojan is capable of:
- Running new processes.
- Listing files and directories present on the system.
- Executing remote commands.
- Uploading files to the infected host.
- Collecting files from the infected host.
Over its three years of activity, the Mikroceen malware has received several updates. This means the Mikroceen RAT is certainly not an abandoned project, and its creators are still developing it to this day. To protect your PC from threats like the Mikroceen Trojan, make sure to install a reputable anti-malware suite.