Unit 42 recently identified a variant of MNKit-weaponized documents
being used to deliver LURK0 Gh0st, NetTraveler, and Saker payloads. The
documents were delivered to targets involved with universities, NGOs,
and political/human rights groups concerning Islam and South Asia. Reuse
of this MNKit variant, sender email addresses, email subject lines,
attachment filenames, command and control domains, XOR keys, and
targeted recipients shows a connection between the different payload
families delivered.
MNKit is the name given to a builder that generates exploit documents for
CVE-2012-0158, a buffer overflow in the MSCOMCTL.OCX ActiveX control that
is reachable from Microsoft Office. The documents are in MHTML format
(Word's "Single File Web Page" container) and, when opened in a
vulnerable Office installation, install a malicious payload on the
compromised host. We believe MNKit is privately shared between multiple
attack groups, but is not widely available.
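Because MNKit output is an MHTML file, the first triage step is to unpack the MIME parts and look for the control CVE-2012-0158 abuses. The script below is an added example written for this article, not Unit 42 tooling or anything extracted from MNKit. It parses an MHTML document with the standard library, undoes the base64/quoted-printable transfer encodings, and reports which parts reference the MSComctlLib ListView control by its CLSID, both in the textual `classid="clsid:..."` form and as the little-endian GUID bytes found inside OLE data. The assumptions are that the CLSID `BDD1F04B-858B-11D1-B16A-00C0F0283628` identifies the vulnerable ListView control, and that Word stores embedded OLE data in an `application/x-mso` part (typically `oledata.mso`); the two sample documents are constructed for the demo and are not real MNKit samples.

```python
"""Triage MHTML (Single File Web Page) documents for the MSCOMCTL.OCX
ActiveX control abused by CVE-2012-0158.

Added example for the article above, not Unit 42 or MNKit code.  The sample
documents built by build_sample() are constructed test input.
"""
import base64
import email
import re
import uuid
from email import policy

# Assumption: CLSID of MSComctlLib.ListViewCtrl.2, the control whose
# buffer overflow is CVE-2012-0158.
LISTVIEW_CLSID = uuid.UUID("BDD1F04B-858B-11D1-B16A-00C0F0283628")

# Textual form as seen in HTML/XML (classid="clsid:..."), matched
# case-insensitively, and the raw little-endian GUID as stored in OLE streams.
CLSID_TEXT_RE = re.compile(re.escape(str(LISTVIEW_CLSID)).encode(), re.IGNORECASE)
CLSID_BIN = LISTVIEW_CLSID.bytes_le


def mhtml_parts(data: bytes):
    """Yield (content_type, content_location, decoded_body) for each leaf part.

    The email parser handles the multipart/related framing and undoes the
    Content-Transfer-Encoding, so base64'd OLE data comes back as raw bytes.
    """
    msg = email.message_from_bytes(data, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        yield (part.get_content_type(),
               str(part.get("Content-Location", "")),
               part.get_payload(decode=True) or b"")


def triage(data: bytes) -> dict:
    """Report which parts reference the ListView CLSID and which parts carry
    ActiveMime OLE data (assumption: Content-Type application/x-mso), where
    the control's binary state, and hence the overflow, would live."""
    report = {"clsid_text": [], "clsid_binary": [], "mso_parts": []}
    for ctype, location, body in mhtml_parts(data):
        label = location or ctype
        if CLSID_TEXT_RE.search(body):
            report["clsid_text"].append(label)
        if CLSID_BIN in body:
            report["clsid_binary"].append(label)
        if ctype == "application/x-mso":
            report["mso_parts"].append(label)
    report["suspicious"] = bool(report["clsid_text"] or report["clsid_binary"])
    return report


def build_sample(include_control: bool) -> bytes:
    """Construct a minimal Word-style MHTML file (constructed test input,
    not a real exploit document).  With include_control=True the HTML part
    references the ListView CLSID and the oledata.mso part contains its GUID."""
    boundary = "----=_NextPart_000_0000"
    html = "<html><body><p>Meeting agenda</p>"
    if include_control:
        html += ('<object classid="clsid:bdd1f04b-858b-11d1-b16a-00c0f0283628" '
                 'id="ListView1"></object>')
    html += "</body></html>"
    # Placeholder ActiveMime blob: header text, padding, optional GUID, padding.
    mso = b"ActiveMime" + b"\x00" * 6
    if include_control:
        mso += CLSID_BIN
    mso += b"\x00" * 16
    parts = [
        ("text/html", "7bit", "file:///C:/doc.htm", html),
        ("application/x-mso", "base64", "file:///C:/doc_files/oledata.mso",
         base64.b64encode(mso).decode()),
    ]
    lines = ["MIME-Version: 1.0",
             f'Content-Type: multipart/related; boundary="{boundary}"', ""]
    for ctype, encoding, location, body in parts:
        lines += [f"--{boundary}", f"Content-Type: {ctype}",
                  f"Content-Transfer-Encoding: {encoding}",
                  f"Content-Location: {location}", "", body, ""]
    lines.append(f"--{boundary}--")
    return "\r\n".join(lines).encode()


if __name__ == "__main__":
    for flag in (True, False):
        print("with control" if flag else "benign", triage(build_sample(flag)))
```

Run it on a real sample with `triage(open(path, "rb").read())`. A CLSID hit in the HTML alone is only a reference to the control, so the binary GUID inside the `application/x-mso` part is the stronger indicator; either way, treat a document that references MSComctlLib's ListView control and carries OLE data as worth detonating in a sandbox, since the control has no legitimate place in a mailed agenda or report.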