Friday, June 14, 2024

Chinese APT’s New Malware MirageFox Launch Cyber Attack on Government & Military Sectors

Chinese government affiliated APT15 cyberespionage group involving with new MirageFox malware campaign to attack various sectors including government contractors, Military base and other private industries across the world.

The researcher believes that this new sophisticated malware campaign is to reuse the code from advanced remote access Tool called Mirage which is activity attacking various sector since 2012.

This APT15 group best known as “living off the land,” which mean they are using already available tools and advanced software to infiltrate the victim’s computer and infect with malware.

Also, this attacker involving a various cyber attack using different names such as Vixen Panda, Ke3chang, Royal APT, and Playful Dragon.

Also, researcher suspect that it Could be possible APT15 was responsible for hacking the US Navy contractor.

MirageFox code reuse Analysis

MirageFox malware campaign is using two other new version of RAT code called Mirage and Reaver which is also attributed to Chinese government affiliated groups.

Both binaries are newly uploaded in virustotal which contains few detection results and both were uploaded quite often on June 8 and June 9, 2018. and further analysis was done with analyzed them using Intezer Analyze to see if we could find any code reuse.

According to Intezer, On VirusTotal, we can see there are only 10/66 detections for this binary, 11/66 for another similar version of MirageFox (SHA256: 97813e76564aa829a359c2d12c9c6b824c532de0fc15f43765cf6b106a32b9a5), and 9/64 for the third MirageFox binary that was uploaded (SHA256: b7c1ae10f3037b7645541acb9f7421312fb1e164be964ee7acd6eb1299d6acb2).

It was unclear about the tools that used by this  APT15 group, original infection vector and other relative information.

Researchers named this campaign as MirageFox which is taken from the string that was found in the code which is reused from Mirage and Reaver.

Here, a module by McAfee that is loaded by a few of their executables that import and call this function that means the APT15 Performing some DLL Hijacking by distributing a legitimate McAfee binary with MirageFox to load up the DLL properly into a legitimate looking process.

Also, This version connected via command & control server by infiltrating the internal network of the targeted organization and connected to their internal network using VPN.

“Finally, its collected the various information including username, CPU information, architecture it sends this information to the C&C, opens a backdoor, and sits waiting for commands from the C&C with functionality such as modifying files, launching processes, terminating itself, and more functionality typically seen in APT15’s RATs” Intezer said.

Indicator of Compromise


  • 28d6a9a709b9ead84aece250889a1687c07e19f6993325ba5295410a478da30a
  • 97813e76564aa829a359c2d12c9c6b824c532de0fc15f43765cf6b106a32b9a5
  • b7c1ae10f3037b7645541acb9f7421312fb1e164be964ee7acd6eb1299d6acb2

Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles