LuckyMouse (APT27 or EmissaryPanda) is a sophisticated cyber espionage group that has been active since at least 2010.
For more than ten years, its operations have primarily targeted companies and subcontractors operating in the defense, aerospace, telecommunications, manufacturing, energy, technology, education sectors, but also diplomatic institutions.
LuckyMouse is thought to be sponsored by the Chinese government. And, it is known for using advanced tactics, techniques, and procedures (TTPs) to compromise its targets, including the use of zero-day vulnerabilities, custom malware, and complex multi-stage attacks.
LuckyMouse (APT27) operates from variety of custom malware and tools in its attacks. Some of the group’s known malware includes:
- HyperBRO malware : a remote access trojan that can be used to gather information, execute commands, and perform other actions on an infected machine.
- PlugX: A remote access trojan (RAT) that allows the attacker to remotely control an infected machine.
- QuarkBandit: A modular malware platform that can be used to gather information, execute commands, and perform other actions on an infected machine.
- Mirage: A malware that allows the attacker to create a fake network drive on an infected machine, which can be used to exfiltrate data from the victim’s network.
- ShadowPad: A malware that allows the attacker to create a covert backdoor on an infected machine.
To infiltrate the networks of its victims, it favors web applications such as Microsoft SharePoint, Microsoft Exchange, MySQL…
Once the group has gained access to a network, it will often establish a foothold and then work to expand its access, sometimes going undetected for months or even years.
Recently, our TDR team discovered that LuckyMouse uses a backdoored Electron app to target MacOS.
She revealed also how the SOC platform Sekoia.io leverages our detection rules and intelligence to enable SOC teams to unmask LuckyMouse before impact : https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/
On our website you can consult other contents of our glossary: XDR, SOAR, SIEM, SOC, EDR, CERT, STIX, IoC, Data Loss Prevention.