9 October 2020

New MontysThree toolset targets industrial entities

A new toolset has been uncovered that has been leveraged in cyber espionage campaigns against industrial targets since 2018. The threat actor, dubbed “MontysThree” by Kaspersky researchers who discovered the campaign, uses an array of techniques to evade detection, including hosting its communications with the control server on public cloud services and hiding the main malicious module using steganography.

The researchers say that cyber espionage attacks against industrial holdings are far more unusual than campaigns against government entities, diplomats, or telecom operators.

According to Kaspersky, the malware deployed by the threat actor consists of four modules, including a loader that is spread using RAR SFX files (self-extracting archives) with names related to employees’ contact lists, technical documentation, and medical analysis results, chosen to trick employees into downloading the files. To keep the malware undetected on the system, the module uses steganography, a technique that lets malicious actors conceal the fact that data is being exchanged at all.

In this case the main payload is disguised as a bitmap file (a format for storing digital images). Upon receiving a specific command, the loader uses a custom-made algorithm to decrypt the payload from the image’s pixel array and then runs it.

“The main malicious payload uses several encryption techniques of its own to evade detection, namely the use of an RSA algorithm to encrypt communications with the control server and to decrypt the main ‘tasks’ assigned from the malware,” the researchers said.

According to Kaspersky, the MontysThree malware is designed specifically to target Microsoft and Adobe Acrobat documents. Its functionality also includes capturing screenshots and gathering information about network settings, the host name, and other data that helps the threat actor decide whether the victim is worth their attention.

The collected information and other communications with the control server are then hosted on public cloud services like Google, Microsoft, and Dropbox, which makes it harder to detect traffic as malicious.

“MontysThree also uses a simple method for gaining persistence on the infected system—a modifier for Windows Quick Launch. Users inadvertently run the initial module of the malware by themselves every time they run legitimate applications, such as browsers, when using the Quick Launch toolbar,” the report said.
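
The persistence method described above can be checked for on an endpoint. The following script is an added example, not code from the Kaspersky report or from this article: it audits the shortcuts in the Windows Quick Launch folder and flags ones whose real target sits in a user-writable location or whose arguments smuggle a second executable. It assumes the modifier works by rewriting the .lnk shortcuts in the default Quick Launch path, and the trusted-directory list is a starting point rather than a complete allow list.

```powershell
# Added example (not from the report): triage Quick Launch shortcuts for tampering.
# Assumption: the modifier rewrites .lnk files under the default Quick Launch path.
$quickLaunch  = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

$shell = New-Object -ComObject WScript.Shell

Get-ChildItem -Path $quickLaunch -Filter '*.lnk' -Recurse -ErrorAction SilentlyContinue |
ForEach-Object {
    $lnk     = $shell.CreateShortcut($_.FullName)
    $target  = [Environment]::ExpandEnvironmentVariables($lnk.TargetPath)
    $lnkArgs = $lnk.Arguments
    $reasons = @()

    # A "browser" shortcut whose real target lives outside Program Files or
    # the Windows directory (for example in AppData or Temp) is the pattern to find.
    $inTrusted = $false
    foreach ($root in $trustedRoots) {
        if ($target.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
    }
    if ($target -and -not $inTrusted) { $reasons += "target outside trusted roots: $target" }

    # A stager that launches the legitimate application afterwards often carries
    # that application's path in the arguments; an executable there is suspicious.
    if ($lnkArgs -match '\.(exe|lnk|dll|bat|cmd|ps1|vbs)(\s|"|$)') {
        $reasons += "executable referenced in arguments: $lnkArgs"
    }

    # A dangling target is also worth a look: the file may have been cleaned up.
    if ($target -and -not (Test-Path -LiteralPath $target)) { $reasons += 'target does not exist' }

    if ($reasons.Count -gt 0) {
        $hash = if (Test-Path -LiteralPath $target) {
            (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
        } else { $null }
        [PSCustomObject]@{
            Shortcut         = $_.FullName
            ShortcutModified = $_.LastWriteTime   # compare with the user's other shortcuts
            Target           = $target
            TargetSHA256     = $hash
            Reasons          = ($reasons -join '; ')
        }
    }
}
```

Run it in the context of the user whose profile is being examined; a hit is a lead for analyst review, not a verdict, since portable applications legitimately live under the user profile.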

The researchers said they have not been able to find links in the malicious code or the infrastructure to any known threat actor.
