LuckyMouse Signs Malicious NDISProxy Driver with Certificate of Chinese IT Company

Sep 10, 2018

The Advanced Persistent Threat (APT) group “LuckyMouse” (also tracked as APT27 and EmissaryPanda) has been found distributing a previously unknown, in-memory trojan, according to Kaspersky Lab researchers. The malware consists of three modules: a custom C++ installer, a network filtering driver (NDISProxy), and a last-stage C++ trojan that functions as an HTTPS server. The NDISProxy driver was found to be signed with a digital certificate belonging to the Chinese information security software developer “LeagSoft.” Distribution in this campaign is believed to take place through networks that had already been compromised.

Recommendation: Defending against APT threats requires an equally advanced and persistent strategy. Defense in depth (layered security mechanisms, redundancy, fail-safe defense processes) is the most effective way to protect against APTs; this includes a focus on both network- and host-based security, and having both prevention and detection capabilities in place.
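The report's key lesson for defenders is that a valid Authenticode signature is not a trust signal on its own: the NDISProxy driver carried a legitimate certificate from an unrelated vendor. One host-based detection capability that captures this is baselining which publishers sign the kernel drivers loaded on a host and alerting on anything outside that baseline. The script below is an added example written for this page, not code from Kaspersky Lab or from the report; it parses constructed Sysmon event ID 6 ("Driver loaded") message bodies and flags drivers that are unsigned, have an invalid signature, or are signed by a publisher not on an assumed allowlist. The driver paths, hashes and the allowlist are all placeholders or assumptions; only the signer name "LeagSoft" comes from the report.

```python
"""Baseline check for kernel-driver signers over Sysmon "Driver loaded" events.

Added example for this page (not the report's or the vendor's code).  Sysmon
event ID 6 records the image path, hashes and the Authenticode signer of each
driver the kernel loads.  Here each event body is compared against an assumed
per-host allowlist of driver publishers; anything else is reported for review.
"""
import re
from typing import Dict, List, Tuple

# Assumed baseline of expected driver publishers.  A real fleet must derive
# this from its own inventory; these two names are only illustrative.
EXPECTED_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}

# Constructed Sysmon event ID 6 message bodies (key: value lines), not real
# telemetry.  Paths and hashes are placeholders; "LeagSoft" is the signer
# named in the report.
SAMPLE_EVENTS = [
    "Driver loaded:\n"
    "RuleName: -\n"
    "UtcTime: 2018-09-10 12:00:00.000\n"
    "ImageLoaded: C:\\Windows\\System32\\drivers\\ndis.sys\n"
    "Hashes: SHA256=<placeholder>\n"
    "Signed: true\n"
    "Signature: Microsoft Windows\n"
    "SignatureStatus: Valid",
    "Driver loaded:\n"
    "RuleName: -\n"
    "UtcTime: 2018-09-10 12:00:01.000\n"
    "ImageLoaded: C:\\<placeholder-path>\\NDISProxy.sys\n"
    "Hashes: SHA256=<placeholder>\n"
    "Signed: true\n"
    "Signature: LeagSoft\n"
    "SignatureStatus: Valid",
    "Driver loaded:\n"
    "RuleName: -\n"
    "UtcTime: 2018-09-10 12:00:02.000\n"
    "ImageLoaded: C:\\<placeholder-path>\\filt.sys\n"
    "Hashes: SHA256=<placeholder>\n"
    "Signed: false\n"
    "Signature: -\n"
    "SignatureStatus: Unavailable",
]

FIELD_RE = re.compile(r"^\s*([A-Za-z]+):\s*(.*)$")


def parse_event(body: str) -> Dict[str, str]:
    """Turn a Sysmon message body into a field dict.

    The leading "Driver loaded:" line contains a space in its label, so the
    single-word key pattern skips it on purpose.
    """
    fields: Dict[str, str] = {}
    for line in body.splitlines():
        match = FIELD_RE.match(line)
        if match:
            fields[match.group(1)] = match.group(2).strip()
    return fields


def assess_driver(event: Dict[str, str], expected=EXPECTED_SIGNERS) -> str:
    """Classify one driver-load event against the signer baseline."""
    signed = event.get("Signed", "").lower() == "true"
    status = event.get("SignatureStatus", "")
    signer = event.get("Signature", "")
    if not signed or status != "Valid":
        return "unsigned-or-invalid"
    if signer not in expected:
        # Valid signature, but from a publisher the host has no reason to
        # run kernel code from: exactly the LuckyMouse NDISProxy pattern.
        return "unexpected-signer"
    return "baseline"


def triage(bodies: List[str]) -> List[Tuple[str, str, str]]:
    """Return (image path, signer, verdict) for every non-baseline driver."""
    findings = []
    for body in bodies:
        event = parse_event(body)
        verdict = assess_driver(event)
        if verdict != "baseline":
            findings.append((event.get("ImageLoaded", ""),
                             event.get("Signature", ""), verdict))
    return findings


if __name__ == "__main__":
    for path, signer, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:22} signer={signer!r:12} {path}")
```

Run against the constructed samples, the script reports the LeagSoft-signed driver as an unexpected signer and the unsigned driver as unsigned-or-invalid, while the Microsoft-signed ndis.sys is treated as baseline. The allowlist approach deliberately does not try to judge whether a certificate is "stolen"; it surfaces any driver publisher the host has not been baselined for, which is what catches a legitimately signed but unexpected driver.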

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.