Group relies even on rootkit code intended for research

Oct 15, 2014 17:39 GMT

A joint effort of multiple private security firms revealed that an APT group known as Hidden Lynx or Axiom used at least ten custom malicious tools to gain access to various organizations and exfiltrate sensitive information.

The companies formed an alliance and initiated Operation SMN to gain insight into the group’s methodology and software used to compromise targets.

Intelligence about Axiom was shared in order to determine the full extent of the activity conducted by the threat actor.

Backdoors and Trojans help Axiom control the infected machines and exfiltrate data

Symantec, which was involved in the operation, published a list of tools used by the threat group in its activities. The list includes both unique programs and variations of existing ones.

The list provided by the security company includes names like Hikit, Fexel, Gresim, Derusbi, Naid, Moudoor, ZXShell and Darkmoon.

Although Operation SMN targeted Hikit in particular, some members of the project provided analysis of other tools, painting a much more accurate picture of Axiom’s capabilities and level of sophistication.

Symantec says that Hikit comes with remote access capabilities that allow the attacker to exchange data (deliver commands, exfiltrate information, download malware) with the compromised machine.

“Network-tunneling capabilities allow the threat to create proxies, while an ad-hoc network generation feature allows it to connect multiple compromised computers to create a secondary network. Hikit comes in 32-bit and 64-bit versions, which are deployed depending on the target’s infrastructure,” Symantec reports.

F-Secure analyzed Moudoor, another remote access tool, which has been observed being deployed through zero-day exploits. Its capabilities include advanced spying, monitoring and exfiltrating specific information.

Malicious tools are tailored to suit the exact purpose of the group

Although Axiom/Hidden Lynx may work with leaked malware code, they improve and develop it into something different that serves their goal.

Original functionality has been eliminated to make room for new capabilities leveraged by the threat actors for both reconnaissance and persistence on the targeted machine.

Furthermore, the group added modifications to avoid detection and considerably increase the stealth of the tools.

A report from Novetta, the company leading Operation SMN, describes specific characteristics of some of the analyzed samples.

In the case of Hikit, some variants of the backdoor have been observed acting as a server when communicating with the command and control (C&C) server, while others worked as clients. A newer generation includes rootkit functionality in the 32-bit version, which is based on Agony, a rootkit publicly available for research purposes.

In the case of malware in the ZOX family, the researchers observed that it used PNG images to carry information to and from the C&C. Moreover, the samples contain no details about the C&C server, as the attacker provides it at runtime via the command line.

Some interesting facts have been observed in the server version of Derusbi, a malware piece with extensive file management features. Novetta says that it “appears to be able to co-exist with other running services on the same port.”

Operation SMN was possible thanks to the collective input from Cisco, Symantec, FireEye, F-Secure, iSIGHT Partners, ThreatTrack Security, Microsoft, ThreatConnect, Tenable, Novetta, and Volexity.