Detecting Mirage variants using Security Analytics

Blog Post created by ahsonbol on Nov 10, 2015

Mirage is a remote access trojan that has been associated with different targeted attacks. The malware family got its name from one of its embedded strings. In this blog post, we will discuss how to detect its C2 beaconing activity.

Once it infects a machine, Mirage starts collecting system information like:

  • MAC address
  • CPU information
  • System name
  • Username

The collected information is then encoded using a custom algorithm and sent to the C2 server in the payload of an HTTP POST request:


The screenshot below shows the network activity in RSA Security Analytics investigator:


Assuming the appropriate meta keys are enabled, the following query can be used:

          action = 'put' && directory = '/' && (filename begins 'search' || filename begins 'result') && (filename contains 'gid' || filename contains 'meta') && extension = '<none>' && content = 'application/x-www-form-urlencoded'

Scan results for a Mirage variant can be viewed here.

All of the IOCs from those HTTP sessions were added to the following RSA FirstWatch Live feeds:

  • RSA FirstWatch APT Threat Domains
  • RSA FirstWatch APT Threat IPs

If threat.desc meta key is enabled then you can use the following app rule:

          threat.desc = 'apt-mirage-c2'