Skip to content

ESET發現EmissarySoldier:LuckyMouse APT小組破壞了中亞和中東的政府網絡和私人公司(電信,媒體和銀行)

The research featured in ESET’s industry report on government works in concert with perspectives from the European Commission, CERN and Europol presented at the ESET European Cybersecurity Day virtual conference on April 28.

BRATISLAVA – The European Union’s cybersecurity strategy, and that of all governments globally, has been challenged not only in its move to “digital by default,” but also by the COVID-19 pandemic, the mass movement to working from home, and threats such as cyberespionage, ransomware and supply-chain attacks. Above all, the most formidable challenge, and foe, shared by all governments is advanced persistent threat (APT) groups.

APT groups leveraging evolved tools
The ESET industry report on government examines the threatscape APT actors are erecting, and underlines its complex nature with an exclusive look at EmissarySoldier, a malicious campaign brought to bear by the LuckyMouse APT group using its SysUpdate toolkit to compromise machines, some of which were running the popular application Microsoft SharePoint.

This dive into LuckyMouse examines its relatively unknown SysUpdate toolkit – the first samples of which were discovered in 2018. Since then, the toolkit has seen various development stages. LuckyMouse’s current modus operandi is to install its implants via a so-called trident model that uses three components: a legitimate application vulnerable to DLL hijacking, a custom DLL that loads the payload and a raw Shikata Ga Nai-encoded binary payload.

Overview of the trident model

Since SysUpdate’s modular architecture enables its operators to limit exposure of malicious artifacts at will, ESET researchers did not retrieve any malicious modules and expect this to be an ongoing challenge in future analyses. Regardless, LuckyMouse increased its activity in 2020, seemingly going through a retooling process where various features were being incrementally integrated into SysUpdate’s toolset.

The evolution of tools leveraged by APT groups like LuckyMouse is of key concern as governments are vested with the responsibility to ensure stability for citizens, the business environment and engagement with other nation-states. These tasks of governance are under threat as LuckyMouse and other APT groups, including state actors and their collaborators, home in on widespread collaboration platforms like Microsoft SharePoint and digital by default service provision.

Government in focus
The years 2020 and 2021 have seen several ESET research collaborations come to maturity, including engagements with the likes of the European Organization for Nuclear Research (CERN, Europol, and the French National Cybersecurity Agency (ANSSI). Many of their perspectives, shared at the virtual event and in the report, stress that governments and their IT infrastructure exist as default targets.

The report highlights the need for technologists to continue supporting governments in closing security gaps and monitoring the tactics, techniques and procedures of APT groups via the various endpoint detection and response technologies at their disposal. To download the report, visit and make sure to follow ESET Research on Twitter.

關於台灣二版Version 2

ESET成立於1992年,是一家面向企業與個人用戶的全球性的電腦安全軟體提供商,其 獲獎產品——NOD32防病毒軟體系統,能夠針對各種已知或未知病毒、間諜軟體 (spyware)、rootkits和其他惡意軟體為電腦系統提供實時保護。ESET NOD32佔用 系統資源最少,偵測速度最快,可以提供最有效的保護,並且比其他任何防病毒產品獲 得了更多的Virus Bulletin 100%獎項。ESET連續五年被評為“德勤高科技快速成長500 強”(Deloitte’s Technology Fast 500)公司,擁有廣泛的合作夥伴網絡,包括佳 能、戴爾、微軟等國際知名公司,在布拉迪斯拉發(斯洛伐克)、布里斯托爾(英國 )、布宜諾斯艾利斯(阿根廷)、布拉格(捷克)、聖地亞哥(美國)等地均設有辦事 處,代理機構覆蓋全球超過100個國家。