MontysThree is the name given by malware researchers to a threatening toolset written in C++ and comprised of several distinct modules. The name derives from the 'MT3' designation that the toolset's criminal creators gave it. The toolset was observed in a highly targeted attack campaign. According to the researchers, the threat actor behind the attack is a newly discovered hacker collective, as neither the malware tools nor the tactics, techniques, and procedures (TTPs) could be matched with those attributed to already known Advanced Persistent Threat (APT) actors. A peculiar aspect of this collective's operations is that it engages in targeted corporate espionage rather than the usual activities of state-sponsored APTs, which focus more on telecommunication companies, diplomats or governmental entities.
There is plenty of evidence that MontysThree is designed for corporate espionage against companies located in Russia or, at least, ones based in Russian-speaking countries. The infosec researchers found that multiple modules contain text strings in Russian or look for directories that exist only on Cyrillic-localized Windows systems. The hackers may have attempted to mislead researchers by using email accounts in MontysThree's communications that appear to be of Chinese origin.
MontysThree is Equipped with Custom Steganography and a Complex Encryption Scheme
The toolset displays numerous unique characteristics making it a rather rare threat among the other threatening tools out there. First, it consists of several modules, each one responsible for specific tasks:
- Loader Module - Manages the extraction of the encrypted payload hidden steganographically inside a bitmap image. The decrypted result is dropped to disk as a file named 'msgslang32.dll'.
- Kernel Module - Contains the RSA and 3DES encryption keys used for configuration decryption and for communication with the Command-and-Control (C2, C&C) infrastructure. It also carries out the data collection, obtaining system details such as the OS version and process list and capturing screenshots. In addition, it procures a list of the targeted user's latest documents from the recent-document directories located under %USERPROFILE% and %APPDATA%. One specific folder that is checked is %APPDATA%\Microsoft\Office\Последние файлы (the Russian-localized Office 'Recent Files' folder).
- HttpTransport Module - Located inside the Kernel module, the HttpTransport module is tasked with exfiltrating the collected information. It can download or upload data through the RDP, Citrix, WebDAV and HTTP protocols. It should be noted that the protocols are not implemented within the module itself; instead, legitimate Windows programs are abused for the purpose - Internet Explorer and the RDP and Citrix clients. The module can also download data from public cloud services such as Google and Dropbox using user tokens.
- LinkUpdate Module - Responsible for achieving persistence on the compromised machine by modifying '.lnk' files in the Windows Quick Launch panel.
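As an added example that is not part of the original report, the following hunting check turns two of the behaviours listed above into detection logic: the loader's dropped file name 'msgslang32.dll' and the LinkUpdate module's rewriting of Quick Launch shortcuts. It runs over constructed Sysmon-style file-create events; the Quick Launch folder is assumed to be the standard per-user location under %APPDATA%\Microsoft\Internet Explorer, and the allow-list of legitimate shortcut writers is an assumption.

```python
import json
import ntpath

# Indicators taken from the report above. The Quick Launch location is the
# standard per-user path on Windows (assumption about where LinkUpdate writes).
DROPPED_DLL = "msgslang32.dll"
QUICK_LAUNCH = r"\microsoft\internet explorer\quick launch"
# Processes expected to write Quick Launch shortcuts in normal use (assumption).
ALLOWED_LNK_WRITERS = {"explorer.exe"}

# Constructed Sysmon-style file-create events, one JSON object per line (not real telemetry).
SAMPLE_EVENTS = r"""
{"image": "C:\\Windows\\explorer.exe", "target": "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Word.lnk"}
{"image": "C:\\Users\\u\\AppData\\Local\\Temp\\sfx\\update.exe", "target": "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Outlook.lnk"}
{"image": "C:\\Users\\u\\AppData\\Local\\Temp\\sfx\\update.exe", "target": "C:\\Users\\u\\AppData\\Local\\Temp\\msgslang32.dll"}
{"image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "target": "C:\\Users\\u\\Documents\\report.docx"}
"""

def parse_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def classify(event):
    """Return the names of the MontysThree-related rules this event matches."""
    hits = []
    target = event["target"]
    name = ntpath.basename(target).lower()
    writer = ntpath.basename(event["image"]).lower()
    # Loader module: the payload extracted from the bitmap lands on disk as msgslang32.dll.
    if name == DROPPED_DLL:
        hits.append("loader_dropped_dll")
    # LinkUpdate module: a .lnk under Quick Launch rewritten by a process other than the shell.
    in_quick_launch = QUICK_LAUNCH in ntpath.dirname(target).lower()
    if name.endswith(".lnk") and in_quick_launch and writer not in ALLOWED_LNK_WRITERS:
        hits.append("quick_launch_lnk_tamper")
    return hits

def hunt(text):
    """Return (target path, matched rules) for every event that triggers a rule."""
    findings = []
    for event in parse_events(text):
        hits = classify(event)
        if hits:
            findings.append((event["target"], hits))
    return findings

if __name__ == "__main__":
    for target, rules in hunt(SAMPLE_EVENTS):
        print(f"{', '.join(rules)}: {target}")
```

The explorer.exe write to Word.lnk is ignored, while the same shortcut folder being touched by a process running out of a temporary extraction directory is flagged alongside the dropped DLL.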
MontysThree Spreads through Phishing Attacks
The modular MontysThree toolset is delivered inside self-extracting RAR archives. The names of these poisoned archives are designed to attract the attention of Russian-speaking users; the hackers use variations of 'corporate info update' or 'medical analysis results'. One file was named 'Список телефонов сотрудников 2019.doc' (Employee Phone List), while others were simply 'Tech task.pdf' or 'invitro-106650152-1.pdf' (Invitro is the name of a Russian medical laboratory).