
Malware Threat Report: What is MechaFlounder and How Does it Work?

MechaFlounder is a Python-based remote access tool that was used by [APT39]. The payload combines actor-developed code with code snippets freely available in online development communities. The malware targets Windows. MechaFlounder can send the compromised user's account name and hostname within a URL to its C2 server.

MechaFlounder Malware Capabilities:

MechaFlounder may attempt to steal data by exfiltrating it over an existing command and control channel. The data may be encoded using a standard data encoding scheme to make it more difficult to detect. MechaFlounder may also abuse the Windows command shell for execution, and may attempt to identify the primary user or the currently logged-in user. MechaFlounder may transfer tools or other files from an external system into a compromised environment, and may communicate using application layer protocols associated with web traffic to evade detection and network filtering. Finally, MechaFlounder may match or approximate the names or locations of legitimate files or resources when naming and placing its own.

  • The MechaFlounder malware may steal data by exfiltrating it over an existing command and control channel. The data is encoded using a standard data encoding system, which may make it more difficult to detect. MechaFlounder may also abuse the Windows command shell for execution.
  • MechaFlounder may collect information about users on a system in order to shape follow-on behavior. It may transfer tools or other files into a compromised environment, and communicate using application layer protocols associated with web traffic to avoid detection.

Ways to Mitigate MechaFlounder Malware Capabilities

  • The MechaFlounder malware attack can be mitigated by analyzing network data for uncommon data flows and by analyzing packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. Additionally, the usage of the Windows command shell may be restricted for normal users, and any attempt to enable scripts running on a system would be considered suspicious.
  • The MechaFlounder malware attack can be mitigated by conducting system and network discovery techniques throughout an operation, monitoring for file creation and files transferred into the network, and analyzing network data for uncommon data flows. These measures will help to identify suspicious activity that could indicate the presence of the MechaFlounder malware.
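As an added example (not code from this report or from any APT39 tooling), the following Python detector applies the first mitigation above to the identity beacon the report describes: it scans constructed proxy log lines for URL path segments and query values that decode, via hex or standard base64, to a known hostname or account name. The log line format, the URL layout and the inventory of names are assumptions.

```python
import base64
import re
from urllib.parse import urlsplit

# Inventory of hostnames and account names for the estate (assumed; constructed here).
KNOWN_NAMES = {"WORKSTATION-01", "WORKSTATION-02", "jsmith", "alice"}
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
HEX_RE = re.compile(r"^[0-9a-fA-F]{16,}$")

def decodings(token):
    """Plausible ASCII decodings of one URL token (hex first, then standard base64)."""
    attempts = []
    if HEX_RE.match(token):
        attempts.append(lambda: bytes.fromhex(token))
    if B64_RE.match(token):
        attempts.append(lambda: base64.b64decode(token + "=" * (-len(token) % 4)))
    out = []
    for attempt in attempts:
        try:
            out.append(attempt().decode("ascii"))
        except (ValueError, UnicodeDecodeError):  # not valid encoding, or not text
            pass
    return out

def url_tokens(url):
    """Path segments plus raw (not unquoted) query values: where a beacon packs data."""
    parts = urlsplit(url)
    segs = [seg for seg in parts.path.split("/") if seg]
    return segs + [kv.split("=", 1)[-1] for kv in parts.query.split("&") if kv]

def find_identity_beacons(log_lines):
    """Flag requests whose URL carries an encoded known hostname or account name."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[3]
        leaked = next((t for tok in url_tokens(url) for t in decodings(tok)
                       if any(name in t for name in KNOWN_NAMES)), None)
        if leaked is not None:
            hits.append({"client": client, "url": url, "decoded": leaked})
    return hits

# Constructed sample proxy log lines (not from the original report).
# Assumed line format: "<timestamp> <client_ip> <method> <url> <status>".
SAMPLE_LOGS = [
    "2024-01-10T10:00:01 10.0.0.5 GET http://intranet.example.test/index.html 200",
    "2024-01-10T10:00:02 10.0.0.5 GET http://203.0.113.10/update?id=%s 200"
    % base64.b64encode(b"WORKSTATION-01|CORP\\jsmith").decode(),
    "2024-01-10T10:00:03 10.0.0.7 GET http://203.0.113.10/api/%s/ 200"
    % b"WORKSTATION-02|CORP\\alice".hex(),
]
```

Calling `find_identity_beacons(SAMPLE_LOGS)` returns the two beacon requests with their decoded host and user strings; short path names and ordinary query values produce no hits.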

Reactionary Times News Desk
