Skip to content

Deconstructing Mikroceen: Researchers uncover spying backdoor attacking high-profile targets in Central Asia

The analysis is the result of joint research between ESET and Avast

 – ESET recently teamed up with Avast to research a widespread and constantly evolving remote access tool (RAT) with the usual backdoor functionality that ESET has dubbed Mikroceen. In the joint analysis, the researchers uncovered Mikroceen being used in espionage attacks against government and business entities (from the telecommunications and gas industries) in Central Asia.

The attackers were able to gain long-term access to affected networks, manipulate files and take screenshots. Victims’ devices could execute various commands delivered remotely from command and control servers.

The researchers investigated the custom implementation of Mikroceen’s client-server model, purpose-built for cyberespionage. “The malware developers put great effort in securing the client-server connection with their victims. Their malware was leveraged ‘in the wild,’ as the operators managed to penetrate high-profile corporate networks. We also saw a larger attack toolset being used and constantly developed, which consisted mainly of variations in obfuscation techniques,” comments Peter Kálnai, who led the ESET arm of the joint research team.

Mikroceen is under constant development, and security researchers have seen it used with backdoor capabilities in various targeted operations since late 2017. Among the tools used by the attackers to move within the infiltrated networks, ESET and Avast researchers also identified Gh0st RAT, an older, yet infamous, RAT created around 2008. There are many similarities between Gh0st RAT and Mikroceen, with the main shift between the projects in securing the connection with a certificate.

For more technical details about Mikroceen, read the blog post Mikroceen: Spying backdoor leveraged in high profile networks in Central Asia on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.