Newly Discovered APT Boasts Remote Access Tool, Anti-Detection Techniques

Researchers from Kaspersky Labs recently warned about a new Advanced Persistent Threat, or APT, that includes a powerful Remote Access Tool (RAT) with the ability to mitigate nearly all current IT security measures while granting full administrative access to the infected system from anywhere in the world. Although this dangerous malware variant was first reported on Kaspersky’s Threat Post blog, the malware was actually discovered by an Israeli cybersecurity startup company called enSilo. These researchers have dubbed the malicious program Moker and the threat was originally discovered on one of enSilo’s customer networks. Even enSilo isn’t sure how the malware found its way into the customer’s network in the first place but the fact remains that this is a dangerous piece of software that could literally destroy a network in seconds if the hackers behind this malware deployment so chose.

Until researchers from enSilo stumbled upon Moker, almost nothing was known about the malware at all, suggesting that Moker hasn’t even appeared on VirusTotal yet – another clue as to just how pervasive this threat could actually be despite limited knowledge and very few live sightings. In fact, the enSilo discovery is currently the only known version of Moker in the wild at this time. That said, hundreds, perhaps even thousands, of other systems around the world could be infected with Moker that have simply not be discovered yet. Why is Moker so difficult to detect? Most likely, it’s because whoever designed Moker went to great lengths to ensure that the malware would be very difficult to detect. Moker is extremely skilled at avoiding detection by all modern anti-malware security tools.

According to security researchers, Moker is capable of bypassing all current antivirus software, sandboxing techniques, and virtual machine deployments.

Perhaps more startling is the fact that Moker also uses an advanced technique designed to exploit a Windows design flaw in the User Account Control feature of modern Windows releases. This feature is designed to notify users anytime a program attempts to make any system changes that require administrative-level permission to execute. Aside from these powerful anti-detection mechanisms, Moker also has the ability to avoid  dissection by security researchers using an assortment of anti-debugging techniques specifically designed to prevent malware dissection in an attempt to deceive security researchers even further. According to a security researcher from enSilo, Moker protects itself from dissection by intentionally evading debugging techniques popular among security analysts while simultaneously adding complex code and instruction sets with the intent of leading researchers in the wrong direction.

To say that Moker is a well-thought out and engineered piece of malware would be an understatement as this malware variant uses so many advanced techniques that it’s a miracle that enSilo was able to detect the malware at all. Once Moker has found its way into a system, the Remote Access Tool could become a serious headache for network admins overseeing the infected network. The attackers behind this campaign can take full control of the infected network; performing such nefarious tasks as taking screenshots, recording incoming and outgoing Web traffic, logging keystrokes, and copying sensitive files.

moker apt

The malware could also be leveraged to create new user accounts (even accounts with admin privileges), modify system settings, and even inject malicious code to the machine in real time. While it’s still unclear what individual or group is behind the Moker campaign, enSilo was able to determine that the malware communicates with a C&C server based in Montenegro – a small Balkan nation neighboring Serbia and Kosovo. Researcher admit that this server could have been chosen to throw off any efforts to track down those responsible for Moker but at this time, no definitive answer exists. Another interesting component of this dangerous malware variant is that the RAT doesn’t necessarily need to communicate with an external C&C server to operate. Unlike most malware infections that require constant instructions from a centralized location controlled by the hackers, Moker is capable of receiving commands from within the infected local network via a hidden control panel.

At this point, researchers assume that this functionality was built into Moker to allow a hacker to VPN into the affected system in an attempt to further mask the true location and identity of the group behind this APT. That said, it’s also possible that this feature was put into the RAT as a testing tool during the development phase of the malware.  Even though Moker has only been spotted in a one network as a live deployment at the time of this writing, researchers at Kaspersky an enSilo caution that the techniques leveraged by this dangerous piece of malware could be at work in countless other networks.

The advanced anti-detection techniques employed by Moker make it nearly impossible to identify even when all modern network security protocols are followed.

Assuming Moker is a one-time thing that was specifically designed to exfiltrate the data of the enSilo customer in question, it isn’t at all uncommon for hackers to borrow the techniques of a successful deployment for their own illicit purposes. That means that the highly advanced techniques used by Moker to avoid detection and debugging could be used in the near future by other cybercriminal organizations when creating their own APTs – for targets ranging from a small POS terminal to a worldwide organization with government affiliations.

While no virus definition for Moker has been released yet and no specific information is available as to how the malware infected the targeted system in the first place, it’s safe to assume that Moker was deployed like most malware, relying primarily on known vulnerabilities in popular Web browser plugins including Adobe Flash Player and Java. Ensure that these plugins are set to update automatically or better yet, remove these plugins from your system completely if not explicitly needed for daily tasks. While Moker hasn’t yet become epidemic, the threat of highly advanced APTs prevails and an infection could result in serious financial losses as well as questionable data integrity.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal