Danger level 6
Type: Other

Mikroceen Is Linked to Cyberwarfare Attacks Against Russia, Belarus, and Mongolia

Cyberwarfare is a real thing, and malicious infections are the main weapons. Mikroceen is a Remote Access Tool/Trojan (RAT) that is believed to have been used in successful attacks since at least 2017. There are still many unknown details in the story of this malware, and researchers have yet to determine how it spreads across systems. What is known is that it is more likely to be found on systems that belong to companies and governments than on those of individual Windows users. That being said, it would not be smart to assume that this malware is a non-threat. Every Windows user has to protect their operating system against malware, and that does not mean focusing on the RAT alone. Instead, you need to implement security tools and measures that, hopefully, would protect you against all (or at least most) threats. If you have discovered that you need to remove Mikroceen from your operating system, there are things you need to know. Also, note that it is likely that you need to delete other threats too.

Although the malicious Mikroceen appears to have been actively attacking systems since at least 2017, malware researchers did not understand this threat as well then as they do today. It is now believed that this malware has been used to attack telecommunications and gas industries as well as government agencies in Asia, specifically in Russia, Belarus, and Mongolia. There is also reason to believe that an Advanced Persistent Threat (APT) group in China is responsible for this infection. Cyber attackers need to establish backdoors into the targeted systems before they can conduct more sophisticated attacks, and it is not known how exactly these backdoors are opened. Most likely, vulnerabilities within systems are exploited. Once the backdoor is established, cybercriminals can use a loader file to execute Mikroceen, which runs as a DLL (Dynamic-Link Library) file. It is believed that other malware tools are executed along with the RAT, and these might include Mimikatz and Gh0st RAT. Other tools could be employed too, but even if Mikroceen acted alone, it could still do great damage.

According to researchers, Mikroceen connects to a command and control server as soon as it is dropped on the targeted system, which turns that system into a bot. The remote attacker authenticates first by entering a client password, which, in theory, should protect the attackers from bot takeover. This is a unique feature. Mikroceen can detect whether the infected system is running in a virtual environment, and if it is not, it can run and terminate processes, execute commands, create, exfiltrate, and delete files, and also transfer the gathered information to the connected command and control server. If the conditions are right, the RAT can also command the infected device to act as a proxy or to listen on a specific port. Needless to say, this malware can be used to gather intel, and because it is believed to attack government agencies and large companies, national security and the security of the business sector could be jeopardized. Unfortunately, this RAT is not the only one capable of that, and governments around the world keep adding new threats to their lists of malware that require ever-expanding attention and resources.

Mikroceen is not the kind of threat that should be removed manually. It would be irresponsible of us to provide you with manual removal instructions even if we had them. We do not because, as said earlier, there is still a lot that is unknown about this threat. Also, it is almost a certainty that other threats exist along with it, and their removal must be taken just as seriously. If you have scanned your system, and the scanner tool picked up on the RAT and other threats, you need to clean your operating system as soon as possible. Our recommendation is that you install a legitimate anti-malware tool that can identify and automatically delete even the most vicious and recent threats. Of course, if you need to delete Mikroceen from a corporate or government system, it is also crucial that you alert the cybersecurity team because the security of the entire organization could have been put at risk.


Kalnai, P. May 14, 2020. Mikroceen: Spying backdoor leveraged in high profile networks in Central Asia. WeLiveSecurity.
