LIGHTRAIL: Highway to Where?
In addition to the MINIBIKE and MINIBUS backdoors, Mandiant observed a tunneler named LIGHTRAIL likely affiliated with UNC1549 as well.

LIGHTRAIL has several connections to MINIBIKE and MINIBUS in the form of (1) a shared code base, (2) Azure C2 infrastructure with similar patterns and naming, and (3) overlapping targets and victimology.

LIGHTRAIL communicates with an Azure C2 subdomain of the form *[.]*[.]cloudapp[.]azure[.]com, i.e. the default <label>.<region>.cloudapp.azure.com DNS name Azure assigns to a VM's public IP, so the C2 blends in with legitimate Azure-hosted services. Mandiant assesses with medium confidence that both LIGHTRAIL and MINIBIKE were used to target the same victim environment at least once.

LIGHTRAIL likely builds on the open-source utility “Lastenzug” (“freight train” in German), a SOCKS4a proxy tunneled over WebSockets that its author describes as having “static obfuscation on [the] assembly level.” LIGHTRAIL’s export DLL name is “lastenzug.dll,” and it shares Lastenzug’s hard-coded User-Agent string:

Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10136

Mandiant observed two LIGHTRAIL versions in use since at least November 2022. As with MINIBIKE, no official version numbers are embedded in LIGHTRAIL’s code, but the samples can be divided into two versions.

Version 1.0
Date: November 2022
Characteristics:
- C2 domains: tnlsowki[.]westus3[.]cloudapp[.]azure[.]com and tnlsowkis[.]westus3[.]cloudapp[.]azure[.]com
- Export DLL named “lastenzug.dll”, likely referring to the open-source SOCKS4a proxy
Geographies: Turkey
Example MD5: 36e2d9ce19ed045a9840313439d6f18d

Version 2.0
Date: August 2023
Changes (compared to version 1.0):
- C2 domain: iaidevrssfeed[.]centralus[.]cloudapp[.]azure[.]com
- Export DLL named “Lastenzug.dll” (capital ‘L’)
- String obfuscation, similar to MINIBIKE
Geographies: Israel
Example MD5: a5fdf55c1c50be471946de937f1e46dd
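The indicators above (the hard-coded Lastenzug User-Agent, the *.*.cloudapp.azure.com C2 pattern and the three known C2 hostnames) can be turned into a simple proxy-log hunt. The script below is an added example, not Mandiant's code or part of the Lastenzug project; the log format and the log lines are constructed for illustration, and real deployments would adapt the regex to their proxy's actual format. Hits are tiered: an exact match on a known C2 hostname fires on its own, the Lastenzug User-Agent going to any cloudapp.azure.com host is a pattern match, and the User-Agent alone (an old Edge 12 build string that should be rare in current traffic, but is shared with any other Lastenzug user) is flagged at lower confidence.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicators taken from the text above.
LASTENZUG_UA = (
    "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/42.0.2311.135 Safari/537.36 Edge/12.10136"
)
KNOWN_C2 = {
    "tnlsowki.westus3.cloudapp.azure.com",
    "tnlsowkis.westus3.cloudapp.azure.com",
    "iaidevrssfeed.centralus.cloudapp.azure.com",
}
# *.*.cloudapp.azure.com -> <label>.<region>.cloudapp.azure.com
AZURE_CLOUDAPP_RE = re.compile(r"^[a-z0-9-]+\.[a-z0-9-]+\.cloudapp\.azure\.com$", re.I)

# Constructed (hypothetical) proxy log format:
#   <timestamp> <src_ip> <method> <host[:port]> <path> <status> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


@dataclass
class Hit:
    ts: str
    src_ip: str
    host: str
    reason: str  # "known_c2" | "ua_to_cloudapp" | "ua_only"


def classify(line: str) -> Optional[Hit]:
    """Return a Hit if the log line matches a LIGHTRAIL indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line: skip rather than guess
    ts, src_ip, _method, host, _path, _status, ua = m.groups()
    host = host.lower().split(":")[0]  # drop an explicit port (e.g. CONNECT host:443)
    if host in KNOWN_C2:
        return Hit(ts, src_ip, host, "known_c2")
    if ua == LASTENZUG_UA:
        if AZURE_CLOUDAPP_RE.match(host):
            return Hit(ts, src_ip, host, "ua_to_cloudapp")
        return Hit(ts, src_ip, host, "ua_only")
    return None


def hunt(lines: Iterable[str]) -> List[Hit]:
    """Run classify() over every line and keep the hits, in log order."""
    return [h for h in (classify(line) for line in lines) if h is not None]


# Constructed sample log lines (not real traffic). Line 1 hits a known C2,
# line 3 is the UA to an unknown cloudapp host, line 4 is the UA to a
# non-Azure host, lines 2 and 5 are benign (normal UA, one of them to Azure).
_MODERN_UA = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"
)
SAMPLE_LOG = [
    f'2023-08-14T09:12:03Z 10.20.30.5 GET iaidevrssfeed.centralus.cloudapp.azure.com /ws 101 "{LASTENZUG_UA}"',
    f'2023-08-14T09:12:10Z 10.20.30.5 GET www.example.com / 200 "{_MODERN_UA}"',
    f'2023-08-14T09:13:44Z 10.20.30.7 GET abcd1234.eastus.cloudapp.azure.com /api 101 "{LASTENZUG_UA}"',
    f'2023-08-14T09:15:00Z 10.20.30.9 GET updates.example.net /x 200 "{LASTENZUG_UA}"',
    f'2023-08-14T09:16:00Z 10.20.30.9 CONNECT legit.westus.cloudapp.azure.com:443 - 200 "{_MODERN_UA}"',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"{hit.ts} {hit.src_ip} -> {hit.host} [{hit.reason}]")
```

Note that a cloudapp.azure.com destination by itself is deliberately not flagged (last sample line): plenty of legitimate services live there, and the pattern is only meaningful in combination with the User-Agent or an exact IOC. The WebSocket upgrade that Lastenzug performs shows up as a 101 response in the constructed lines, which is another field worth correlating on in a real hunt.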