{
	"id": "dc96bfee-1a28-4594-adda-fd2945c2086e",
	"created_at": "2026-04-06T00:14:54.303586Z",
	"updated_at": "2026-04-10T03:31:00.662556Z",
	"deleted_at": null,
	"sha1_hash": "57f8872f64f0432eb54e53fbb6d00a14a2d10244",
	"title": "Microcin is here",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 661189,
	"plain_text": "Microcin is here\r\nBy Denis Legezo\r\nPublished: 2020-06-19 · Archived: 2026-04-05 18:01:51 UTC\r\nIn February 2020, we observed a Trojan injected into the system process memory on a particular host. The target\r\nturned out to be a diplomatic entity. What initially attracted our attention was the enterprise-grade API-like\r\n(application programming interface) programming style. Such an approach is not that common in the malware\r\nworld and is mostly used by top-notch actors.\r\nDue to control server reuse (Choopa VPS service), target profiling techniques and code similarities, we attribute\r\nthis campaign with high confidence to the SixLittleMonkeys (aka Microcin) threat actor. Having said that, we\r\nshould note that they haven’t previously applied the aforementioned coding style and software architecture. During\r\nour analysis we didn’t observe any similar open source tools, and we consider this to be the actor’s own custom\r\ncode.\r\nTo deliver a new network module with a coding style that we consider enterprise-grade, Microcin used\r\nsteganography inside photos, including this one of a sock (payload removed here)\r\nSixLittleMonkeys’ sphere of interest remains the same – espionage against diplomatic entities. The actor is still\r\nalso using steganography to deliver configuration data and additional modules, this time from the legitimate public\r\nimage hosting service cloudinary.com. The images include one related to the notorious GitLab hiring ban on\r\nRussian and Chinese citizens. In programming terms, the API-like architecture and asynchronous work with\r\nsockets is a step forward for the actor.\r\nWhy we consider the current software architecture interesting\r\nhttps://securelist.com/microcin-is-here/97353/\r\nPage 1 of 9\n\nBy “enterprise-grade API-like programming style” we mean, firstly, asynchronous work with sockets. In terms of\r\nWindows user-space entities, it was I/O completion ports. 
In the OS kernel space, this mechanism is actually a\r\nqueue for asynchronous procedure calls (APC). We believe there’s a reason for using it in backend applications on\r\nthe high-loaded server-side. Obviously, however, neither client-side software nor Trojans of this kind need this\r\nserver-side programming approach. So, it looks to us like the developers have applied some habits from server-side\r\nprogramming.\r\nSecondly, the exported function parameters in the injected library look more like an API: the arguments are two\r\ncallback functions – encryptor/decryptor and logger. So, if the authors decide to change encryption or logging\r\nalgorithms, they could do so easily without even touching the network module. Once again, even targeted\r\nmalicious samples rarely take such architectural issues into consideration.\r\nAnother parameter of the injected library’s exported function is the host name. If the caller doesn’t pass the infected host\r\nname as this parameter, the following commands will not be executed. This filters out all messages to other hosts.\r\nInitial infection\r\nModule features File name Detection time\r\nBackdoor sideloaded by legit GoogleCrashHandler version.dll 2019.12.31\r\nDownloader/decryptor inside spoolsv.exe address space spoolsv.dll 2020.01.16\r\nBitmap picture with steganography inside Random .bmp name 2020.01.16\r\nNetwork module in the same spoolsv.exe address space Module.dll 2020.01.16\r\nInfection timeline\r\nThe backdoor is started by GoogleCrashHandler.exe, due to .dll search order hijacking (version.dll). The downloader and\r\ndecryptor (spoolsv.dll), injected into spoolsv.exe, fetches bitmap files carrying a steganographic payload; the API-like network\r\nmodule is then injected into the same system process.\r\nLet’s cover the modules one at a time. Our telemetry shows that another Microcin backdoor was already on the\r\nhost before this new network module. 
It’s most probably a reinfection with newer malware.\r\nBackdoor MD5 File name Compilation timestamp Size\r\nc9b7acb2f7caf88d14c9a670ebb18c62 version.dll 2020.05.20 02:37:58 407552\r\nThis UPX-packed .dll was executed with the legitimate GoogleCrashHandler.exe (very common library search\r\norder hijacking) just before the New Year. The compilation timestamp is obviously spoofed. In this case we don’t\r\nknow how the backdoor, along with the legitimate application, was delivered.\r\nWe won’t concentrate on this backdoor in this report, because it’s fairly typical for Microcin. We just want to\r\nemphasize that the timeline above shows it existed on the host before the analyzed module.\r\nDownloader/decryptor\r\nThe campaign in question starts with the 64-bit spoolsv.dll downloader/decryptor module that has to be loaded by\r\nspoolsv.exe into its address space.\r\nDownloader/decryptor MD5 Modified time Size Build Target ID\r\nc7e11bec874a088a088b677aaa1175a1 2020.03.04 12:20:13 155291 20200304L02f @TNozi96\r\nef9c82c481203ada31867c43825baff4 2019.10.15 11:46:04 145233 20200120L03o @TNozi96\r\n1169abdf350b138f8243498db8d3451e 2019.01.25 04:58:15 150195 20191119L 123456\r\nSo far, we have registered three samples of this module. 
The file tails contain the following encrypted\r\nconfiguration data.\r\nParameter | Length (bytes) | Possible values\r\n.bmp URL len | 4 | 82\r\n.bmp URL | .bmp URL len | http://res.cloudinary.com/ded1p1ozv/image/upload/v1579489581/\u003crandom_name\u003e.bmp\r\nSleep time | 2 | 17211 and other non-round random numbers\r\nModule build length | 4 | 15\r\nModule build | Module build length | Date based on the previous table\r\nTarget ID length | 4 | 9\r\nTarget ID | Target ID length | Readable strings from the previous table\r\nRandom ASCII chars | 16 | Randomly generated on host\r\nHardcoded canary | 4 | 0x5D3A48B6\r\nWe have published the source code of our decryptor for Microcin’s configuration and steganography at\r\nhttps://github.com/dlegezo/common.\r\nThe bitmap URL serves to download the image (like the one with the sock shown above) with the next-stage\r\nnetwork module. The module build, target ID and random ASCII chars are for the next network module, which\r\nincludes them in the control server communications.\r\nTo get the bitmap, the downloader sends an HTTP GET request to cloudinary.com. The steganography is inside the\r\ncolor palette part of the .bmp file. A typical decryption algorithm includes four stages:\r\n1. Combine neighboring half bytes into one byte\r\n2. Decrypt data length with custom XOR-based algorithm\r\n3. Decrypt six-byte XOR key for main data\r\n4. Decrypt data itself using decrypted length and key\r\nBesides the configuration data and steganography, the same algorithm is used for the C2 traffic. As we mentioned,\r\ndue to the malware architecture, the latter can easily be changed. Encryption is XOR-based, but the key scheduling\r\nis quite specific and tricky. 
In the corresponding appendix we provide the part of the decryptor containing the\r\nalgorithm.\r\nBitmap images and steganography\r\nBesides the sock image, the campaign operators use more social-oriented photos (payload removed here). The\r\nbackground here is the GitLab hiring ban on Russian and Chinese citizens.\r\nSo far, we have registered four different images. The encrypted content in all cases is a PE file: the next-stage\r\nnetwork module, together with the C2 domain for it. The C2 domain is the only parameter that comes from the bitmap; all others are\r\nprovided by the downloader.\r\nImage content C2 domain Network module MD5\r\nSock in washing machine apps.uzdarakchi[.]com 445b78b750279c8059b5e966b628950e\r\nTwo people in hoodies forum.mediaok[.]info 06fd6b47b1413e37b0c0baf55f885525\r\nGitLab hiring ban forum.uzdarakchi[.]com 06fd6b47b1413e37b0c0baf55f885525\r\nWoman with child, military personnel owa.obokay[.]com 06fd6b47b1413e37b0c0baf55f885525\r\nNetwork in-memory module\r\nThe downloader decrypts the configuration data and C2 domain from the bitmap and then everything is ready to\r\nstart the last stage inside the same spoolsv.exe virtual address space. We consider the architectural approach in this\r\nmodule to be the most interesting part of the chain.\r\nThe network module’s entry point is the exported function SystemFunction000() with multiple arguments. As a\r\nbeacon, the Trojan prepares an HTTP POST request with the target’s fingerprinting data. Many of the\r\narguments become part of that request.\r\nExported function argument | Parameter meaning\r\nTarget host name | This has to be the same as the infected machine host name. Only then will the\r\nTrojan start and receive commands. 
Initialized by the downloader\r\nTarget ID | We already enumerated these readable ASCII strings from the decrypted downloader’s config, e.g., @TNozi96\r\nBuild version | These readable ASCII strings clearly contain dates. The C2 uses them to understand which build it’s currently working with\r\nWORD field of fingerprint structure | Initialized with 0x4004 by the downloader. We don’t have enough data to describe this field’s meaning\r\nC2 IP address and port number | The coordinates of the C2, initialized from the decrypted bitmap image\r\nASCII string in fingerprint structure | Unique random string generated by the downloader\r\nBYTE in fingerprint structure | Initialized with 0x4004 by the downloader. We don’t have enough data to describe this field’s meaning\r\nHalf of maximum sleep time | Sleep time before the working cycle. Half because the full time is computed as \u003cthis arg\u003e + \u003crandom\u003e % \u003cthis arg\u003e, so the full sleep lies between this argument and just under twice it\r\nLogger address | First callback function address. In this case it’s a logger function inside the downloader\r\nEncryptor/decryptor address | Second callback function address. In this case it’s an encryptor/decryptor function inside the downloader\r\nThe last two arguments illustrate why we call the network module API-like: any encryption and logging routine\r\ncould be used without even touching the module code. We consider this programming approach scalable and\r\nuseful for large systems. Let’s take a look at these two callback arguments.\r\nCallback and its arguments | Callback features\r\nLogger takes ASCII string as a log message | Logger function whose parameter is the message\r\ntext. 
In this module all the messages are shortenings\r\nlike “LIOO”, “RDOE”, etc.\r\nEncryptor/decryptor to deal with the traffic between host and C2, takes its length, encryption key, and the flag (0 to encrypt and 1 to decrypt) as argument data | Encryptor/decryptor function first used to encrypt the beacon with the target’s fingerprint. It then decrypts C2 command structures and encrypts replies to them\r\nThe module uses the Windows API function WSAIoctl() – something rarely seen in malware – to get the\r\nConnectEx() address and sends a prepared request. Another Windows API function,\r\nGetQueuedCompletionStatus(), is in charge of asynchronous work with I/O. In other words, the malware uses I/O\r\ncompletion ports for Windows user-space entities, which is effectively an APC queue in the OS kernel.\r\nThe same data structure is used for both sides of the communication: from host to C2 and back. Let’s describe its\r\nmain fields here.\r\nField | Features\r\nCommand code | One byte in the structure is the command code, which could vary from 0x00 to 0x16 (22). We describe the main network module commands in the table below\r\nError code | Another byte is used for the error code\r\nCommand argument | The main command field that takes all the necessary strings, etc. and also keeps fingerprinting data in the case of the beacon\r\nSo far, we have described the infection chain, module architecture, custom encryption and HTTP POST-based C2\r\ncommunication protocol. 
Last, but not least, is the command set shown in the table below.\r\nCommand code Command features\r\n3 Check if target’s ID meets the parameter\r\n4 List logical drives\r\n5 List files\r\n6 Create directory\r\n7 Remove directory\r\n8 Copy file\r\n9 Move file\r\n10 Delete file\r\n11 Execute PE\r\n12 Execute Windows shell command\r\n14 Terminate program\r\n15 File download\r\n16 Read from downloaded file\r\n17 File upload\r\n18 Write to file\r\n19 Stop\r\n20 Sleep\r\nInfrastructure\r\nDomain IP First seen ASN\r\napps.uzdarakchi[.]com 95.179.136[.]10 November 11, 2019 20473\r\nforum.uzdarakchi[.]com 172.107.95[.]246 February 7, 2020 40676\r\nforum.mediaok[.]info 23.152.0[.]225 March 19, 2020 8100\r\nowa.obokay[.]com N/A (now parked)\r\nTo sum up\r\nThis time the Microcin campaign has made an interesting step forward, not in terms of a fancy initial infection\r\nvector, but as programmers. The API-like network module is much easier to support and update. This improvement\r\nis not only about anti-detection or anti-analysis; it’s about software architecture and a step towards a normal non-monolithic framework implementation.\r\nIoC\r\nDownloader\r\nef9c82c481203ada31867c43825baff4\r\n1169abdf350b138f8243498db8d3451e\r\nc7e11bec874a088a088b677aaa1175a1\r\nNetwork module\r\nf464b275ba90b3ba9d0a20b8e27879f5\r\n9320180ef6ee8fa718e1ede01f348689\r\n06fd6b47b1413e37b0c0baf55f885525\r\n625a052ddc80efaab99efef70ba8c84f\r\nDomains and IPs\r\n95.179.136.10\r\napps.uzdarakchi[.]com\r\nforum.uzdarakchi[.]com\r\nforum.mediaok[.]info\r\nowa.obokay[.]com\r\nSource: https://securelist.com/microcin-is-here/97353/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/microcin-is-here/97353/"
	],
	"report_names": [
		"97353"
	],
	"threat_actors": [
		{
			"id": "3c7097f4-849b-4bc0-a7e6-ba2b510722b6",
			"created_at": "2022-10-25T16:07:23.869951Z",
			"updated_at": "2026-04-10T02:00:04.766204Z",
			"deleted_at": null,
			"main_name": "Mikroceen",
			"aliases": [
				"SixLittleMonkeys"
			],
			"source_name": "ETDA:Mikroceen",
			"tools": [
				"AngryRebel",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Microcin",
				"Mikroceen",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"PCRat",
				"logon.dll",
				"logsupport.dll",
				"pcaudit.bat",
				"sqllauncher.dll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e79c98d-c678-4f28-b869-5723a78e71f4",
			"created_at": "2023-01-06T13:46:39.422441Z",
			"updated_at": "2026-04-10T02:00:03.322083Z",
			"deleted_at": null,
			"main_name": "Vicious Panda",
			"aliases": [
				"SixLittleMonkeys"
			],
			"source_name": "MISPGALAXY:Vicious Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434494,
	"ts_updated_at": 1775791860,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/57f8872f64f0432eb54e53fbb6d00a14a2d10244.pdf",
		"text": "https://archive.orkl.eu/57f8872f64f0432eb54e53fbb6d00a14a2d10244.txt",
		"img": "https://archive.orkl.eu/57f8872f64f0432eb54e53fbb6d00a14a2d10244.jpg"
	}
}