We have been investigating the MIRAS malware family, which was recently linked to attacks that targeted a Europe-based IT company. Our analysis shows that MIRAS, or BKDR64_MIRAS.B, is a 64-bit malware that was used for the data exfiltration stage in a targeted attack. MIRAS is available for 32-bit (BKDR_MIRAS.B) and 64-bit (BKDR64_MIRAS.B) Windows operating systems.
An analysis of BKDR64_MIRAS.B
As an overview, the backdoor’s capabilities mainly include file and system manipulation, which indicates that the attackers know the victim’s credentials.
Apart from its information-stealing routines, the backdoor appears to specifically target systems connected to a Remote Desktop (RD) Session Host. It uses the RD services API WTSEnumerateProcesses instead of the usual Process Status API, EnumProcesses. The attackers are also capable of listing running processes, from which we can surmise that they now know how their targeted users log in to their workstations (i.e., through an RD Session Host server).
Figure 1. BKDR64_MIRAS.B uses the remote desktop services API ‘WTSEnumerateProcesses’
The malware’s file and disk manager module is very comprehensive in getting information about files. Attackers will always know when there is a major change in the victim’s system through the commands “Enumerate all logical drives” and “Get logical drive’s drive type and disk space.”
Attackers are also capable of knowing whether their target files are updated. MIRAS’s process manager module plays another important part in the data exfiltration step of the targeted attack. This module gives attackers details on each process’s creation date and time. This is crucial because the creation date and time show how long ago the process was created. For instance, the length of time a process has been present in the system gives an idea of how critical that process is.
The backdoor function also gives attackers an overview of the modules that other processes are using. Attackers can thus gain leverage by creating, for instance, a DLL hijacking attack or an exploit attack, depending on the modules seen on the target victims’ systems.
The remote shell module allows attackers to do anything that is possible in a remote shell, granted that they have the privileges of the currently logged-on user.
We were able to determine the malware’s C&C server, 96[.]39[.]210[.]49, which is located in the United States. This C&C server was previously used as early as November 2013.
More attacks seen targeting 64-bit platforms
The documented instances of attackers using malware made compatible with 64-bit systems support our 2H 2013 Targeted Attack Trends report, which found that almost 10% of all malware related to targeted attacks run exclusively on 64-bit platforms. Along with the rising adoption rate of 64-bit systems, we continued to note attackers’ recent implementations of 64-bit compatible malware with several versions of KIVARS.
Defending against possible targeted attacks
Since attacks such as these are commonly designed to leave few or no tracks, it is important for IT administrators to know where possible indicators of a compromise, or “anomalies,” can be found. Examples of such anomalies are the presence of unknown large files, which are often indicators of a data breach and may need to be checked as they may contain data stolen from within the network. Attackers often store these files in their targets’ systems prior to the data exfiltration stage. One file indicator for MIRAS in the system is the presence of the file %System%/wbem/raswmi.dll.
In order to mitigate the risks that threats like MIRAS pose, enterprises are advised to implement Trend Micro™ Custom Defense™, a security solution that enables IT administrators to rapidly detect, analyze, and respond to targeted attacks and advanced threats before they unleash lasting damage.
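As an added illustration (not code from the original post), the following Python sketch checks a file inventory and a firewall log against the two indicators named above: the file %System%/wbem/raswmi.dll and the C&C address 96[.]39[.]210[.]49. The log format, the sample data, the function names and the expansion of %System% to the System32 or SysWOW64 directory are assumptions.

```python
import ipaddress
import re

# Indicators exactly as published in the article (the IP stays defanged at rest).
C2_DEFANGED = "96[.]39[.]210[.]49"
FILE_IOC = "%System%/wbem/raswmi.dll"

def refang(indicator):
    return indicator.replace("[.]", ".")  # undo the [.] defanging

def file_ioc_regex(ioc=FILE_IOC):
    """Case-insensitive matcher for the file indicator, accepting / or \\.
    Assumption: %System% resolves to <drive>:\\Windows\\System32 or SysWOW64."""
    sep = r"[\\/]"
    tail = [re.escape(p) for p in re.split(sep, ioc.split("%System%")[1]) if p]
    pattern = (r"^[a-z]:" + sep + "windows" + sep + "(?:system32|syswow64)"
               + sep + sep.join(tail) + "$")
    return re.compile(pattern, re.IGNORECASE)

def match_paths(paths):
    """Return inventory paths that equal the raswmi.dll indicator."""
    return [p for p in paths if file_ioc_regex().match(p.strip())]

def match_connections(log_lines):
    """Return log lines whose dst= field parses to the C&C address (no substring matching)."""
    c2 = ipaddress.ip_address(refang(C2_DEFANGED))
    hits = []
    for line in log_lines:
        m = re.search(r"\bdst=(\S+)", line)
        try:
            if m and ipaddress.ip_address(m.group(1)) == c2:
                hits.append(line)
        except ValueError:
            pass  # malformed address field: not a match
    return hits

# Constructed sample data (not from the article): a file inventory and a firewall log.
SAMPLE_PATHS = [
    r"C:\Windows\System32\wbem\wmiutils.dll",   # legitimate neighbour file
    r"c:\windows\system32\WBEM\RASWMI.DLL",     # indicator, different casing
    r"C:\Users\alice\Downloads\raswmi.dll",     # same name, wrong directory
]
SAMPLE_LOG = [
    f"2014-09-01T10:02:11Z src=10.1.4.23 dst={refang(C2_DEFANGED)} dport=443 action=allow",
    f"2014-09-01T10:02:15Z src=10.1.4.23 dst=1{refang(C2_DEFANGED)} dport=443 action=allow",
    f"2014-09-01T10:03:40Z src=10.1.4.77 dst={refang(C2_DEFANGED)}0 dport=80 action=allow",
]

if __name__ == "__main__":
    print(match_paths(SAMPLE_PATHS), match_connections(SAMPLE_LOG), sep="\n")
```

Only the second sample path and the first sample log line are reported; the look-alike addresses built by adding a digit to the C&C address are rejected because addresses are parsed rather than matched as substrings.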
For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.
With additional analysis by Maersk Menrige.