Malware, Content

SixLittleMonkeys Malware Resurfaces with with API-like Programming Enhancements

SixLittleMonkeys, a Chinese advanced persistent threat actor infiltrating Asian government and diplomatic entities, is applying enterprise-level, API (application programming interface)-style coding to its malware, security provider Kaspersky’s researchers said in a new alert.

When Kaspersky first unearthed SixLittleMonkeys a number of years ago, the syndicate had been hitting its preferred targets with a backdoor. But earlier this year, the cyber crew was observed downloading a "last-stager" trojan using a new API-like architecture into a target’s system memory. The API-style coding added a major enhancement to the group's regular arsenal of steganography and dynamic link library (DLL) search order hacking, the security provider said. (Steganography is a technique of hiding secret data within an ordinary, non-secret file or message in order to avoid detection).

Specifically, the gang had improved the last stage malware (the final stage when the malicious payload has begun to execute commands) by using API-like programming architecture to add an extra layer of efficiency to enable quicker updates or changes to its malware.

It’s a rare instance of hackers using enterprise-level programming in malware, the security provider’s researchers said. “This use of an enterprise-grade API-like programming style is something quite rarely found in malware, even for those involved in targeted campaigns,” said Denis Legezo, senior security researcher at Kaspersky. said. “It demonstrates extensive experience in software development and signifies significant sophistication on the part of the actor. With such callbacks in their new network module, updating and supporting it is much easier.”

To stay safe from attacks by APTs like SixLittleMonkeys, Kaspersky recommends:

  • Provide your security operations center (SOC) team with access to the latest threat intelligence, and stay up-to-date with new and emerging tools, techniques and tactics used by threat actors and cyber criminals.
  • For endpoint level detection, investigation and timely remediation of incidents, implement endpoint detection and response solutions.
  • Implement a corporate-grade security solution that detects advanced threats at the network level at an early stage.
  • Provide your staff with basic cybersecurity hygiene training, as many targeted attacks start with phishing or other social engineering techniques.
  • Conduct a simulated phishing attack to ensure staffers know how to distinguish phishing emails.
D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.