A threat actor historically known for its watering hole attacks against governmental organizations has recently been tied to a series of new cyber intrusions affecting various entities across Central Asia and the Middle East. This malicious activity, designated as “EmissarySoldier,” is attributed to the cyber espionage group identified as LuckyMouse and is believed to date back to 2020. The group seeks to gather geopolitical intelligence about the region.
The breaches involved the deployment of a toolkit called SysUpdate (also known as Soldier), which was found in multiple compromised organizations, including government and diplomatic agencies, telecommunications firms, media outlets, and a commercial bank.
LuckyMouse, also referred to as APT27 or Emissary Panda, is a notorious cyber espionage unit with a track record of infiltrating numerous governmental networks in the regions of Central Asia and the Middle East. The group has previously orchestrated cyber assaults against international entities like the International Civil Aviation Organization (ICAO) in 2019 and has drawn attention for exploiting ProxyLogon vulnerabilities to breach the email server of a governmental body in the Middle East.
The ongoing campaign, dubbed EmissarySoldier, exemplifies a marked escalation in surveillance activity targeted at these organizations. According to ESET malware researcher Matthieu Faou, “LuckyMouse typically employs watering hole strategies to compromise websites frequented by its intended victims.” Furthermore, the group conducts network scans to identify vulnerable internet-facing servers within its selected targets.
Recent observations by ESET reveal that LuckyMouse has compromised several internet-facing systems running Microsoft SharePoint by exploiting remote code execution vulnerabilities in the application.
The methodology employed in these attacks culminates in the deployment of customized post-intrusion implants, either SysUpdate or HyperBro, both of which use DLL search order hijacking to execute malicious payloads while evading detection. Faou describes this as a “trident model” involving a legitimate application, a custom DLL that loads the payload, and a Shikata Ga Nai-encoded binary payload.
SysUpdate operates as a modular tool, designed for distinct operational tasks, that abuses benign applications as loaders for malicious DLLs. This initial payload then retrieves and deploys a memory implant on the compromised system. Since its identification in 2018, the toolkit has undergone multiple iterations aimed at enhancing its functionality, signifying that its operators are actively refining their malware capabilities.
“Throughout 2020, LuckyMouse has shown heightened activity, seemingly engaged in a retooling phase as various new features were integrated into the SysUpdate toolkit,” Faou added. This trend indicates a potential transition by the operators from utilizing HyperBro to focusing on SysUpdate for their operations.