Threat Analysis

The Mirage Campaign

  • Author: Silas Cutler, Dell SecureWorks Counter Threat Unit(TM) Threat Intelligence
  • Date: 18 September 2012


Since April 2012, the Dell SecureWorks Counter Threat Unit™ (CTU) research team has been tracking a cyber espionage campaign that uses a remote access trojan (RAT) named Mirage (also known as MirageFox). This ongoing attack has targeted a high-profile oil company in the Phillipines, a military organization in Taiwan, an energy company in Canada, and several as yet unidentified entities in Brazil, Israel, Egypt and Nigeria.


Distribution vector

Based on the data collected by the CTU research team, the campaign's primary attack vector is spearphishing email that targets mid-level to senior-level executives. These emails contain an attachment that includes a malicious payload that installs a copy of Mirage.

CTU researchers have identified several files that drop and execute a copy of Mirage onto a target system. These "droppers" are designed to look and behave like PDF documents. However, the droppers are stand-alone executable files that open an embedded PDF file and execute the Mirage trojan. In one example, CTU researchers observed an executable file (MD5 hash ce1cdc9c95a6808945f54164b2e4d9d2) that upon execution drops a copy of Mirage and opens an embedded PDF of a news story titled "Yemeni Women can participate in politics just like men, says President Saleh" that was posted on the Yemen Observer's website.

Behavior analysis

The CTU research team has identified two main variants of the Mirage trojan. These variants are based on key evolutionary differences in the execution and encodings used in communication with the command and control (C2) servers.

When Mirage executes, the original file copies itself to a folder under C:\Documents and Settings\<USER>\ or C:\Windows\ and then deletes the original file. After the initial copy, Mirage starts the newly created file and exits the original. The newly started copy creates registry keys to ensure that the system remains infected after every reboot. CTU researchers have observed the following filenames created after execution:

  • svchost.exe
  • ernel32.dll
  • thumb.db
  • csrss.exe
  • Reader_SL.exe
  • MSN.exe

Phone-home and C2 operations

The data sent by Mirage shares attributes with the malware family known as JKDDOS, which was researched by Arbor Networks. In its initial phone-home connection, JKDDOS sends a system profile to the C2 server. This profile contains the CPU speed, memory size, system name and username. Similar information and encoding techniques are seen in the initial phone-home requests of Mirage infections.

Mirage phones home to its C2 servers using a standard HTTP request. From the activity CTU researchers have observed when executing Mirage in a malware sandbox, this communication commonly occurs over ports 80, 443 and 8080, and it can implement SSL for added security.

The earliest variant of Mirage uses an HTTP POST request to transmit the initial phone-home request. This phone-home request contains detailed system information of the infected system to give the C2 server a rough profile of each system that is infected and that is calling home.

Figure 1. Phone-home request (variant 1).

The payload is encoded with a simple cipher to mask the data being sent to the C2 server. The cipher encodes the payload by adding each character's ASCII value by its offset from the start of the payload.

    Raw values M i r a g e
    Raw hex 0x4d 0x69 0x72 0x61 0x67 0x65
    Raw decimal 77 105 114 97 103 101
    Encoded decimal 77 106 116 100 107 106
    Encoded hex 0x4d 0x6a 0x74 0x64 0x6b 0x6a
    Encoded values M j t d k j

Table 1. Payload encoding.

The initial payload starts with the word "Mirage", which in its encoded state is "Mjtdkj". From there, Mirage encodes and sends the MAC address, CPU information, system name and username in the initial request to the C2 server.

If the C2 server successfully receives the request, then it responds with an HTTP response code "200 OK". The word "Mirage" appears in its payload, followed by two null bytes. If there is no response or an invalid response from the C2 server, the infected system continues to send its initial phone-home request at regular intervals.

Figure 2. Decoded payload (variant 1).

If the infected system connects successfully to the C2 server, then the infected system continues to send regular check-in updates. These updates are transmitted the same way as the initial phone-home request; however, only the MAC address of the infected system is sent in the payload.

Figure 3. Decoded check-in update (variant 1).

The second variant of Mirage uses HTTP GET requests instead of HTTP POST requests to transmit the phone-home requests' payload. This evolved variant's initial phone-home request's payload is contained in a Base64-encoded string in the initial request. The decoded Base64 payload contains a second level of encoding that has several variations. The data being transmitted in the encoded string contains the same data as the previous variant, as well as some additional data. One change is the text at the beginning of the phone-home payload. Instead of the word "Mirage" used in earlier variants, later variants use the phrase "Neo, welcome to the desert of the real", a quote from the movie The Matrix.

Figure 4. Sample request (variant 2).

The CTU research team has seen the encoding used in variant 2 in other malware families. One such malware family is Lingbo, which uses a similar encoding algorithm but does not contain some of the major characteristics of Mirage. Samples from both malware families have included strange embedded quotes. Instead of Mirage's quote from The Matrix, Lingbo contains the embedded quote "It is the end of the world and I feel Fine", from the REM song "It's the end of the world."

Custom versions and variants

The CTU research team identified several Mirage variants that had unique attributes not designed for widespread targeting. These custom variants were designed to operate under specific conditions and to evade common system defenses. CTU researchers also found several samples that contained debugging information, possibly from early versions.

One of the variants was seen in a subset of samples that had been modified specifically for the environment targeted by the threat actors. These samples had been configured with default credentials for the targeted environment's web proxy servers. The following proxy usernames and password combinations appear in the samples collected by the CTU research team:

  • a1:a1
  • pagmb:pa
  • quickheal:quickheal

In the debugging versions, the CTU research team discovered two strings that identified the source code paths from which the samples were compiled:

  • D:\....\MF-v1.2\Server\Debug\Server.pdb (MD5 hash fa26f410d0133f4152ea78df3978c22)
  • E:\fox_1.2 20110307\MF-v1.2\Server\Release\MirageFox_Server.pdb (MD5 hash 1045e26819ff782015202838e2c609f7)

The .pdb file extension is commonly used with Microsoft Visual Studio. Its use in these debugging versions coincides with the samples for Mirage, which were written using Microsoft Visual C++. CTU researchers also noted that the original name of the trojan used in the path is MirageFox, which is likely the name used by the threat actors.

This information leads to two potential conclusions:

  1. The two variants of MF-v1.2, the debug version and the release version, allow the threat actors to customize variants. CTU researchers have already seen this activity.
  2. The use of different drive letters but similar source code paths may indicate that the threat actors are keeping a repository of tools on a central file server for shared use.

Identification of victims

From May to the date of this publication, the CTU research team engaged in a sinkholing operation. During the operation, several of the domains formerly used as part of the C2 infrastructure were taken over, and all activity to the domains was logged. The sinkholed domains were no longer in use and were freely available for registration.

During the operation, CTU researchers were able to identify approximately 80 IP addresses regularly communicating to the sinkhole. After analyzing and decoding the requests, CTU researchers discovered that a subset of the observed systems had usernames such as "admin" or "owner", and the originating IP address resolved to either a residence or an antivirus or security company. Because these requests were most likely from behavioral testing on the malware sample, the CTU research team filtered these connections out of the results.

After decoding the inbound requests, the CTU research team identified approximately 100-120 infected systems attempting to phone home. The majority of the inbound requests came from Taiwan or the Philippines, with several isolated cases in Nigeria, Brazil, Israel, Canada and Egypt. Many of the IP addresses originate from networks owned by the oil company, energy company, and military organization.

Deeper analysis of the phone-home requests and correlation with social networking sites allowed CTU researchers to identify a specific individual infected with Mirage. It was an executive-level finance manager of the Phillipine-based oil company.

Figure 5. Sources of infected hosts.

Threat actors

The threat actors using Mirage have employed several tactics to attempt to hide their identities and their primary C2 servers. One of the common tactics is using dynamic domain name system (dDNS) domains for the callbacks to the C2 servers. dDNS providers (e.g., allow anyone to register for a free third-level domain (e.g., and require only a valid email address, which is kept private.

When investigating the DNS addresses of the C2 servers, CTU researchers identified several IP addresses of hosting companies based in the United States that are running HTran. HTran software is used to proxy connections from one system to another. In the past, it has been used to disguise the true C2 servers used by malware authors. In the CTU research team's 2011 analysis of HTran, the software's author was identified as a member of the Chinese hacker group HUC, the Honker Union of China.

Despite efforts to operate anonymously, there were several clues that pointed to the true identities of the attackers. During an analysis of the phone-home activity, CTU researchers identified four unique second-level domains that were not connected to a dDNS provider. Two of these domains shared a common owner's email address, and two were previously flagged for suspicious activity.

Table 2. Unique second-level domains.

CTU researchers correlated 86% of the IP addresses the dDNS domains used in the phone-home request to IP addresses of subdomains belonging to domains owned by [email protected]. Of the remaining 14% that were not directly associated, CTU researchers correlated 10% to IP ranges that resolved to subdomains owned by [email protected].

Figure 6. Analysis of IP addresses. (Source: Dell SecureWorks)

This link between the IP addresses and the subdomains indicates that [email protected] owns the dDNS domains. Using historical DNS records, CTU researchers were able to map each of the dDNS domains to a subdomain of a domain owned by [email protected].

Figure 7. Details of IP range.

In the samples CTU researchers analyzed, the other domains associated with the phone-home activity are, and The CTU research team previously flagged these domains in the HTran investigation and later in the Sin Digoo analysis. The analysis of the Sin Digoo affair indicated that [email protected] and [email protected] were connected. From the data the CTU research team has collected, indications point to [email protected] being either another alias or an associate of the actor referenced in the HTran and Sin Digoo analyses.

Figure 8. A common phone number was found to link and


Mirage represents only one small piece of malware involved in an ongoing worldwide campaign. Over the past few years, these campaigns have become extremely successful, and a great deal of intellectual property and company secrets has been stolen from the targeted companies.

For companies in the targeted industries, it is important to have a strong perimeter security line in place. Using active intrusion detection and prevention systems as well as DNS monitoring for malicious domains is essential to detecting this activity. Companies that use the Yara malware identification and classification tool for scanning local systems can use the rules provided in the appendix to search for potential infections.

Traditionally, the success of botnets created by threat actor groups has been measured by the quantity of infected systems and the difficulty to defend against in the long term. These targeted attacks show that a successful campaign requires only a small quantity of infected systems to accomplish the attackers' objectives and to yield extremely powerful results.


Yara rules

    rule Mirage_APT_Backdoor : APT Mirage Backdoor Rat MirageRat
                   author = "Silas Cutler ([email protected])"
                   version = "1.0"
                   description = "Malware related to APT campaign"
                   type = "APT Trojan / RAT / Backdoor"
                   $a1 = "welcome to the desert of the real"
                   $a2 = "Mirage"
                   $b = "Encoding: gzip"
                   $c = /\/[A-Za-z]*\?hl=en/
                   (($a1 or $a2) or $b) and $c

MD5 hashes


Back to more Threat Analyses and Advisories

Talk with an Expert

Thank you for submitting the form! We have received your request. A Secureworks team member will contact you within one business day.