MirageFox Malware Deployed by APT15

A suspected Chinese government-affiliated cyber-espionage group known as APT15 (also tracked as Mirage and Vixen Panda) has recently updated its toolset with a new malware family dubbed “MirageFox.” The malware, identified by researchers at Intezer, shares code with two other malware families deployed by the group, Mirage and Reaver.

MirageFox gathers information about the infected system, including the username, CPU information and processor architecture, and sends this data to its command-and-control (C2) server. It then opens a backdoor and waits for commands. Researchers believe MirageFox is loaded through DLL hijacking of a legitimate McAfee binary, so that the malicious DLL executes inside a trusted-looking process, a tactic APT15 has used before. The analyzed sample also appears to have been built specifically for the targeted organization, and the threat actors gained access to the victim’s internal network through a VPN.

The NJCCIC recommends that organizations likely to be high-value targets for cyber-espionage activity review the Intezer report, scan their networks for the IOCs it provides, and follow best practices such as running up-to-date anti-malware software on all devices, applying the Principle of Least Privilege, and maintaining a defense-in-depth cybersecurity strategy.
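One way to hunt for the DLL side-loading pattern described above (a legitimate executable loading an unsigned DLL from its own directory) is to run a simple rule over Sysmon Event ID 7 (ImageLoad) records. The script below is an added example and is not code from the Intezer report or from the NJCCIC. It assumes the events have been exported as JSON lines carrying the Sysmon fields Image, ImageLoaded, Signed, Signature and SignatureStatus; the vendor, file and path names in the sample data are constructed placeholders, not indicators from the report.

```python
"""Hunt for DLL side-loading candidates in Sysmon Event ID 7 (ImageLoad) data.

Assumption: events are JSON lines with the Sysmon fields Image, ImageLoaded,
Signed, Signature and SignatureStatus (the export format is hypothetical;
adjust field names to your own pipeline). In Event ID 7 the Signed and
SignatureStatus fields describe the loaded DLL (ImageLoaded), not the process.
"""
import json
import ntpath

# Directories where the OS normally loads DLLs from; a DLL loaded from the
# executable's own folder outside these is the classic side-loading shape.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed sample events. Names are placeholders, not real IOCs.
_SAMPLE_EVENTS = [
    # 1. Legitimate updater loading an unsigned DLL dropped next to it -> hit
    {"Image": r"C:\ProgramData\VendorAV\vendor_updater.exe",
     "ImageLoaded": r"C:\ProgramData\VendorAV\vendor_support.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    # 2. Same updater loading its own signed DLL -> benign
    {"Image": r"C:\ProgramData\VendorAV\vendor_updater.exe",
     "ImageLoaded": r"C:\ProgramData\VendorAV\vendor_core.dll",
     "Signed": "true", "Signature": "Vendor AV Inc.", "SignatureStatus": "Valid"},
    # 3. System process loading a signed system DLL -> benign
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\rpcrt4.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # 4. Unsigned DLL from a different directory -> not side-loading by this rule
    {"Image": r"C:\ProgramData\VendorAV\vendor_updater.exe",
     "ImageLoaded": r"C:\Users\analyst\AppData\Local\Temp\plugin.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]
SAMPLE_JSONL = "\n".join([json.dumps(e) for e in _SAMPLE_EVENTS]
                         + ["this line is not json and must be skipped"])


def _norm_dir(path):
    """Directory part of a Windows path, normalized and lower-cased."""
    return ntpath.normpath(ntpath.dirname(path)).lower()


def parse_events(jsonl_text):
    """Parse JSON lines into event dicts, skipping blank or malformed lines."""
    events = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # do not let one bad record abort the hunt
    return events


def is_sideload_candidate(event):
    """True when an unsigned DLL is loaded from the loading image's own
    directory and that directory is not a trusted system directory."""
    image = event.get("Image", "")
    dll = event.get("ImageLoaded", "")
    if not image or not dll:
        return False
    signed_ok = (str(event.get("Signed", "")).lower() == "true"
                 and str(event.get("SignatureStatus", "")).lower() == "valid")
    if signed_ok:
        return False
    img_dir, dll_dir = _norm_dir(image), _norm_dir(dll)
    if img_dir != dll_dir:
        return False
    return not any(img_dir == t or img_dir.startswith(t + "\\")
                   for t in TRUSTED_DIRS)


def find_sideload_candidates(events):
    """Return the side-loading candidates with the fields an analyst triages."""
    return [{"image": e["Image"], "dll": e["ImageLoaded"],
             "signature_status": e.get("SignatureStatus", "")}
            for e in events if is_sideload_candidate(e)]


if __name__ == "__main__":
    for hit in find_sideload_candidates(parse_events(SAMPLE_JSONL)):
        print(f"side-load candidate: {hit['image']} loaded {hit['dll']} "
              f"(signature: {hit['signature_status']})")
```

The rule deliberately requires the DLL to sit in the executable's own directory, which is the shape the page describes; an unsigned DLL loaded from elsewhere (sample event 4) is left for a separate, noisier rule. Expect benign hits from legitimately unsigned third-party software, so pair the output with the IOCs from the Intezer report and with the DLL hashes Sysmon records.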