APT reports

Myrtus and Guava, Episode 3

The geographical distribution of Stuxnet infections is just as interesting as the Trojan itself. We detect the rootkit component (the signed drivers) as Rootkit.Win32.Stuxnet, and the other files as Trojan-Dropper.Win32.Stuxnet.

Over the last four days, KSN has identified Trojan components (although the program should really be thought of as a worm, as it spreads via removable storage media) on more than 16,000 computers around the world. A map with infection statistics shows three countries (all starting with the letter I!) are at the centre of the epidemic – Iran, India and Indonesia.

KSN identified more than 5,000 incidents in each of the three countries – in comparison, there were around 150 cases of infection in Russia, and only 5 in China.

There’s no simple explanation for the distribution, but any explanation has to take into account the way Stuxnet spreads – via removable storage media. This isn’t the quickest way to spread malware, but on the other hand, it can ensure that the malware will have a longer life-cycle (one example of this is Sality, which also spread on USB devices). What is quite clear is that the epidemic hasn’t yet reached beyond Asia.

Could the geography help us work out how the rootkit component came to be digitally signed?

Of course, coming up with conspiracy theories isn’t the nicest thing to do, but paranoia is inherent in IT security professionals. So I’ll give myself the freedom to hypothesize:

Realtek is a “hardware” company; writing the software is a subsidiary process which can be optimized by using outsourcers. Which country is the world leader when it comes to outsourcing programming? You’re right – India.

Could an outsourcer creating software for a company have the means to sign programs with that company’s certificate? It’s certainly possible.

So one theory would be that the malware was created in India (just look at the map) and, possibly, without an “insider” amongst the Realtek application developers.

However, if we’re going with that theory, then I wouldn’t throw out the possibility that the driver files are actually legitimate drivers created by Realtek. Yes, they have rootkit functionality, and hide lnk and ~WTRxxxx.tmp files in the root of the storage device. But that doesn’t mean the driver files aren’t legitimate – remember the Sony rootkit incident? And the malware that used the rootkit technology?

Now that we’re nearing the end of episode 3’s, I’ve just realized that I’ve forgotten one important point – the title of my last three posts.

“Myrtus (myrtle) is a genus of one or two species of flowering plants in the family Myrtaceae,” and “The Myrtaceae or Myrtle family are a family of dicotyledon plants, placed within the order Myrtales. Myrtle, clove, guava, feijoa, allspice, and eucalyptus belong here.”

Why the sudden foray into botany? Because the rootkit driver code contains the following string:


Project “Myrtus”. Module “Guava”.

To be continued?

Myrtus and Guava, Episode 3

Your email address will not be published. Required fields are marked *



APT trends report Q2 2021

This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc.

LuminousMoth APT: Sweeping attacks for the chosen few

We recently came across unusual APT activity that was detected in high volumes, albeit most likely aimed at a few targets of interest. Further analysis revealed that the actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda.

WildPressure targets the macOS platform

We found new malware samples used in WildPressure campaigns: newer version of the C++ Milum Trojan, a corresponding VBScript variant with the same version number, and a Python script working on both Windows and macOS.

Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

Subscribe to our weekly e-mails

The hottest research right in your inbox