MirageFox is a remote access tool used against Windows systems. It appears to be an upgraded version of a tool known as Mirage, which is a RAT believed to originate in 2012. ^[1]

ID: S0280

Type: MALWARE

Platforms: Windows

Version: 1.1

Created: 17 October 2018

Last Modified: 30 March 2020

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	MirageFox has the capability to execute commands using cmd.exe.^[1]
Enterprise	T1140		Deobfuscate/Decode Files or Information	MirageFox has a function for decrypting data containing C2 configuration information.^[1]
Enterprise	T1574	.001	Hijack Execution Flow: DLL Search Order Hijacking	MirageFox is likely loaded via DLL hijacking into a legitimate McAfee binary.^[1]
Enterprise	T1082		System Information Discovery	MirageFox can collect CPU and architecture information from the victim’s machine.^[1]
Enterprise	T1033		System Owner/User Discovery	MirageFox can gather the username from the victim’s machine.^[1]

Groups That Use This Software

ID	Name	References
G0004	Ke3chang	^[1]

References

Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018.

MirageFox

Enterprise Layer

Techniques Used

Groups That Use This Software

References