Skip to main content

Woburn, MA – June 19, 2020 — In February of this year, Kaspersky researchers found SixLittleMonkeys (aka Microcin), an APT actor that conducts cyberespionage campaigns against government bodies and diplomatic entities, was found downloading a Trojan onto a target’s system memory. Researchers discovered that this last-stager (the final stage of an attack when the malicious payload has been downloaded and begins executing commands on the victim’s device) was utilizing a new coding style using an API-like architecture to simplify updates of the malware.

Kaspersky researchers discovered SixLittleMonkeys several years ago targeting government bodies with a backdoor. The group was able to mask its malicious activity by using steganography, a process by which data is sent in a concealed format so that no one is aware that it has been downloaded or updated, therefore making it more difficult for anti-virus products to detect the malicious payloads.

Earlier this year when SixLittleMonkeys was found engaged in active operations against a diplomatic entity, they were largely using the same toolset and style: steganography and library search order hijacking. However, they made one major enhancement in the last-stager by applying enterprise-style coding techniques.

APIs (Application Programming Interface) allow developers to build applications faster and easier by creating building blocks for future programs so that code doesn’t have to be developed from scratch. In the case of malware, APIs add an additional layer of efficiency so that updates or changes can be made that much quicker.

SixLittleMonkeys’ last-stager’s exported API-like function utilizes two callback parameters (functions to be called back at a later time): pointers to encryptor and logger functions. The former is in charge of encryption/decryption of the C2 (control server) communications and configuration data. The latter saves the malware’s history of operations into the file. With such an approach, it is easier for the authors to change the encryption algorithm or redirect the logger through a different communication channel.

Another new aspect of SixLittleMonkeys latest activity is the use of asynchronous work with sockets. The sockets in this case are the entities for network communications with the control server. Because they are asynchronous, one operation doesn’t block the other, meaning all commands are executed.

“This use of an enterprise-grade API-like programming style is something quite rarely found in malware, even for those involved in targeted campaigns,” said Denis Legezo, senior security researcher at Kaspersky. “It demonstrates extensive experience in software development and signifies significant sophistication on the part of the actor. With such callbacks in their new network module, updating and supporting it is much easier.”

To stay safe from attacks by APTs like SixLittleMonkeys, Kaspersky experts recommend:

  • Provide your Security Operations Center (SOC) team with access to the latest threat intelligence, and stay up-to-date with new and emerging tools, techniques and tactics used by threat actors and cybercriminals.
  • For endpoint level detection, investigation and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.
  • In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats at the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
  • Provide your staff with basic cybersecurity hygiene training, as many targeted attacks start with phishing or other social engineering techniques. Conduct a simulated phishing attack to ensure that they know how to distinguish phishing emails.

For additional information and to read more about SixLittleMonkeys’ latest activity, please visit Securelist.

About Kaspersky

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at

Media Contact:

Cassandra Faro

Kaspersky researchers find SixLittleMonkeys APT now applies enterprise-style programming to their malware

Kaspersky Logo