Moker

Moker, also referred to as Yebot and Tilon, is a remote access trojan (RAT) used by an advanced persistent threat (APT) group to target sensitive networks running Windows operating systems. It "plants" its dropper, defeating sandbox measures because it does not appear as malicious, and then installs the payload via an internet connection or by loading it locally, bypassing security measures as it is encrypted. Once installed, Moker can create a new user account and open a remote desktop protocol (RDP) channel to gain full remote control of the victim's machine, access and exfiltrate system files, modify security settings, take screenshots, record web traffic, log keystrokes, and replace a process' legitimate code with malicious code. The trojan bypasses and disables security settings, including antivirus, sandboxing, virtual machines, and User Access Controls (UAC). If it is detected, it uses anti-debugging techniques to avoid forensic analysis. It infects the operating system in order for its activity to appear as a legitimate operating system processes and to gain system privileges. Additionally, Moker does not require a C2 server to operate, instead receiving its commands locally through a hidden control panel. This allows the attacker to log in via VPN using legitimate user credentials. When enSilo first profiled the trojan in 2015, the APT group deploying Moker could not be determined and as of 2017, researchers believe the trojan has been produced and sold on the Dark Web after it was abandoned by the original developers.

Reporting

  • October 2015: Moker APT discovered within a sensitive network (enSilo)
  • April 2017: Moker trojan is being delivered by the RIG-V exploit kit via malvertising campaigns. (MalwareBytes)

Technical Details

  • Malwarebytes provides technical details of the Moker trojan, available here.