MOKER: A new APT undetected by VirusTotal

Recently, enSilo found an Advanced Persistent Threat (APT) residing in a sensitive network of a customer.
This APT appears to be a Remote Access Trojan (RAT) that is capable of taking complete control of the victim’s computer.

cyber-attack-methods-embedded-in-code-dreamstime_xl_10631354To date, this APT is unknown and does not appear in VirusTotal.

Moker was the file description that the malware author gave to the malware’s executable file.

What makes Moker unique?

  • Bypasses and disables security measures. This includes everything from security-dedicated measures such as Anti-Virus (AV), sandboxing and virtual machines, to Windows’ built-in security enhancements such as User Access Control (UAC).
  • Achieves system privileges. As opposed to more common malwares such as bankers, ransomwares and PoS scrapers, this APT hooked into the Operating System (OS) in order to appear as a legitimate OS process and to access system-wide settings.
  • Can be controlled without requiring Internet-connectivity. Moker does not need an external communication point (such as a Command and Control – C&C server) to operate. It can also receive its commands locally, through a hidden control panel. This means that a threat actor can also login say, via VPN using legitimate user credentials, and operate the malware on the infected device.
  • Takes great measures in order to bypass posthumous research once detected. For example, Moker applied sophisticated anti-debugging techniques to avoid malware dissection and deceive researchers.

What are Moker’s capabilities?

Moker targets Windows machines and:

  • Takes complete control of the victim’s machine by creating a new user account and opening a RDP channel to gain remote control of the victim’s device
  • Tampers with sensitive system files and modify system-security settings
  • Takes screenshots, records web traffic, monitors key strokes and exiltrates files
  • Injects itself into different system processes in order to replace legitimate code with malicious code during run-time

A test in their labs revealed that under certain circumstances Moker communicated with a server registered in Montenegro. The Montengro-based server was referred by several other domains registered in African countries. It’s important to note however that  these registered domains cannot give an indication of the threat actor’s identity or physical location as it certainly makes sense to think that the threat actor either used compromised servers or purchased dedicated-only servers in other locations to confuse researchers and law enforcement agencies.

Interestingly, Moker did not necessarily need to be controlled from remote. A feature of the RAT  includes a control panel that enables the attacker to control the malware locally. Consider a Local Access Trojan (LAT). We think this feature was added either for a threat actor to mimic a legitimate user (say, VPN’ing into the enterprise and then commanding Moker locally), or was inserted by the malware’s author for testing purposes yet remained also in the production version.

Moker’s sophistication wasn’t only in terms of its capabilities, but also in the measures it took to defend itself, including after it was caught. Its detection-evasion measures included encrypting itself and a 2-step installation (see below). Measures to protect itself from posthumous dissection included evading debugging techniques that are used by researchers, the addition of complex code and purposefully adding instructions to lead researchers in the wrong direction.

Obviously, this is a threat actor that invested a lot of resources in order to keep this malware stealthy.

Head over to for more information and analysis.