Some of the malware sites are using HyperBro to infect users with remote code execution exploits. The malware leaves minimal traces, as it operates mostly from an “in-memory state” that can only be identified by anti-virus software. Kaspersky didn’t name the Central Asian nation that was hacked, and the company didn’t show how the hackers had breached the data centre.
An additional element of the report highlighted that LuckyMouse hacked a MikroTik router to host the command-and-control server of the HyperBro RAT; the attackers would then be able to use this router to control the malware and retrieve data that was transferred out of the network. LHN has written a number of articles recently relating to routers being the entry point for cyber attacks, so this could be a consequence of an increase in the number of interconnected-device vulnerabilities discovered by researchers.
“The most unusual and interesting point here is the target. A national data centre is a valuable source of data that can also be abused to compromise official websites,” Kaspersky expert Denis Legezo explained. “Another interesting point is the Mikrotik router, which we believe was hacked specifically for the campaign.”
The number of hacks performed by leveraging APTs has gone up steadily and became quite widespread in 2018. “From our own research, we’ve spotted the LuckyMouse APT [using routers] for hosting their command and control servers, which is kind of unusual,” the expert said. “This is something that you don’t see very often.”