The European Union’s cybersecurity strategy and that of all governments globally, has been challenged not only in its move to ‘digital by default,’ but also by the COVID-19 pandemic, the mass movement to working from home and threats such as cyberespionage, ransomware and supply-chain attacks. The most formidable challenge and foe shared by all governments is advanced persistent threat (APT) groups.
The ESET industry report on government examines the threatscape APT actors are erecting and underlines its complex nature with an exclusive look at EmissarySoldier, a malicious campaign brought to bear by the LuckyMouse APT group using its SysUpdate toolkit to compromise machines, some of which were running the popular application Microsoft SharePoint.
This dive into LuckyMouse examines its relatively unknown SysUpdate toolkit – the first samples of which were discovered in 2018. Since then, the toolkit has seen various development stages. LuckyMouse’s current modus operandi is to install its implants via a so-called trident model that uses three components: a legitimate application vulnerable to DLL hijacking, a custom DLL that loads the payload and a raw Shikata Ga Nai-encoded binary payload.
Since SysUpdate’s modular architecture enables its operators to limit exposure of malicious artifacts at will, ESET researchers did not retrieve any malicious modules and expect this to be an on-going challenge in future analyses. Regardless, LuckyMouse increased its activity in 2020, seemingly going through a retooling process where various features were being incrementally integrated into SysUpdate’s toolset.
Click below to share this article