MM Core

MM Core is a file-less trojan discovered by FireEye in 2013 and typically used by advanced persistent threat (APT) actors. It was designed to collect information from the infected device and establish a backdoor for remote access. The original variant, named “BaneChant,” targeted Middle Eastern and Central Asian organizations. The trojan is file-less: it downloads its malicious code into memory to prevent investigators from extracting the code from the device’s hard drive. It uses URL shorteners to protect its C2 servers from being blacklisted, and it waits for multiple mouse clicks before acting in order to evade sandboxes.

In June 2013, a second variant emerged, named “StrangeLove,” which contained modifications to the downloader. It was again used against Middle East targets.

In January 2017, Forcepoint researchers revealed findings of two new MM Core trojan variants, “BigBoss” and “SillyGoose,” first used in mid-2015 and September 2016, respectively. The backdoor code is the same but uses different filenames and mutexes, and these variants exploit a more recent Microsoft Word vulnerability (CVE-2015-1641). The trojan can send the infected device’s computer name, Windows version, system time, running processes, TCP/IP configuration, and top-level directory listings for the C and H drives; it can also download and execute files, update itself, and uninstall itself. The threat actors use WHOIS privacy protection for their C2 domains to prevent researchers from tracking their infrastructure. These variants have been used to target entities, including news and media, government, oil and gas, and telecommunications organizations, in the United States and Africa.

MM Core’s downloader shares code, techniques, and infrastructure with an active downloader, dubbed “Gratem,” even sharing some of the same certificates. Several components are signed with a valid Authenticode certificate from “Bor Port,” a Russian organization, but researchers suspect it is a stolen certificate.

Researchers at Forcepoint believe MM Core may be part of a larger operation.

Reporting

  • April 2013: APT malware waits for multiple mouse clicks to evade researchers. (FireEye)
  • July 2013: Attackers use “StrangeLove” to target Middle Eastern entities. (Context)
  • January 2017: MM Core returns as “BigBoss” and “SillyGoose.” (Forcepoint)

Technical Reporting

  • Forcepoint provides technical details on the “BigBoss” and “SillyGoose” MM Core variants.

MM Core infection cycle. Image Source: Forcepoint