Researchers examining a Trojan currently being used in attacks against an Asian government and other organizations believe it may be connected to past high-profile attacks in Russia, Belarus, and Mongolia.
A joint report issued on Thursday by cybersecurity teams from ESET and Avast suggests that the Remote Access Trojan (RAT), which is undergoing "constant" development, is likely the work of an Advanced Persistent Threat (APT) group -- possibly from China -- that has "planted backdoors to gain long-term access to corporate networks."
According to the researchers, the backdoor -- dubbed Mikroceen -- has been tracked in campaigns against public and private entities since 2017. Mikroceen focuses on targets in Central Asia and has been recently tracked in attacks against government entities, telecommunications firms, and the gas industry.
The initial attack vector of the Mikroceen RAT in recent campaigns is unknown, but once the malware lands on a compromised machine, custom tools are used to establish a connection with a command-and-control (C2) server. The Mikroceen client is then linked to a bot that has an unusual feature -- an attacker must authenticate to the client by entering a password before being able to control it.
In addition, a client cannot connect directly to a C2; instead, this connection is secured via a certificate, a feature that the researchers say "distinguishes Mikroceen from the legion of backdoors we have seen since previously."