{
	"id": "1d8b44d4-5bfe-4513-aa65-7524165df1b5",
	"created_at": "2026-04-06T00:18:23.478591Z",
	"updated_at": "2026-04-10T03:24:36.144781Z",
	"deleted_at": null,
	"sha1_hash": "0e29b12113c357d86236ff8af1c11af0a06db151",
	"title": "In-Depth Look at New Variant of MONSOON APT Backdoor, Part 2",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1788967,
	"plain_text": "In-Depth Look at New Variant of MONSOON APT Backdoor, Part 2\r\nPublished: 2017-04-05 · Archived: 2026-04-05 17:12:04 UTC\r\nIn part 1 of FortiGuard Labs’ analysis of a new variant of the BADNEWS backdoor, which is actively being used\r\nin the MONSOON APT campaign, we did a deep technical analysis of what this backdoor is capable of and how\r\nthe bad guys control it using the command and control server. In this part of the analysis, we will try to discover\r\nwho might be behind the distribution of these files.\r\nWho’s Behind these Malicious Files\r\nIn part 1, we discussed that the BADNEWS backdoor is being dropped by a malicious RTF exploiting CVE-2015-1641. Interestingly, these RTF exploits contain an INCLUDEPICTURE field to insert a picture into the document\r\nwhich points to these URLs:\r\nhxxp://aliandqazi.com/Jobs/\r\nhxxp://www.tassonedil.it/news/\r\nhxxp://www.justfood.pk/news/\r\nCuriously, we tried visiting the URL hxxp://www.justfood.pk/news/ from the RTF exploit to see the reply:\r\nhttp://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2\r\nPage 1 of 8\n\nThe URL returns the DOC file, “Senate_panel.doc.” However, the file returned is only 8 bytes long. Interestingly,\r\nit contains the following sequence of bytes:\r\n“0D 0A 20 20-20 20 20 20”:\r\n“0D 0A” – is “\\r\\n”, the standard byte sequence for a new line.\r\n“20” – is a space.\r\nThere is not much we can tell from the content of this file, but the name of the returned file, “Senate_panel.doc”,\r\nis not accidental. This name is closely tied with the file content.
Moreover, the initial RTF exploit was submitted\r\non VT with this name:\r\nSo this is not a coincidence, and the people who crafted the RTF exploit somehow control Justfood.pk.\r\nSo let’s now look at the main page of the site:\r\nWe see that this site was hacked by somebody with the nickname R00T D3STR0Y3R. And it was hacked before\r\nthe RTF file was uploaded on VT.\r\nHere is a screenshot from the hacker’s database, from February of 2017.\r\nAs we can see, Justfood.pk was hacked by R00T D3STR0Y3R from the anti-Pakistan group “LulzSec india,” and it\r\nhappened no later than 2017-02-09.\r\nThe RTF exploit file was uploaded on VT on 2017-03-06. So there is a good chance that R00T D3STR0Y3R\r\nalready controlled this site when it was used for attacks with the RTF exploit.\r\nWe can’t tell for sure if R00T D3STR0Y3R stands behind the BadNews attacks, or this may just be a coincidence\r\nand he merely “defaced” the site that was used by another anti-Pakistan group.\r\nBut that seems unlikely.
However, we think that the legal authorities of India have no need to guess since it is very\r\nprobable that they can ask R00T D3STR0Y3R in person.\r\nActually, finding R00T D3STR0Y3R’s real identity was pretty easy and straightforward.\r\nFirst, we found this script on the cxsecurity site:\r\nhttps://cxsecurity.com/search/author/DESC/AND/FIND/1/10/r00t+d3str0y3r/\r\nInside the script there are credits to “R00T D3STR0Y3R,” along with greetings to “Lulzsec India” and “All indian\r\nHackers”:\r\nThere is also a reference to this Facebook page.\r\nhttps://www.facebook.com/rootdestroyer\r\nWe followed the link and…\r\nPlease welcome Mukund Rajput from the “Dr. Jivraj mehta Institute Of Technology”:\r\nThis page claims that Mukund and r00t d3str0y3r are the same person.\r\nOf course, we can’t tell if this claim is true or not. But we hope that Indian law enforcement agencies try to\r\nanswer that question.\r\nConclusion\r\nBADNEWS backdoor is not a sophisticated piece of malware. In fact, it doesn’t use any new malware techniques\r\nat all. It is neither packed nor heavily obfuscated. Its string obfuscation is just simple reversing and minus 1\r\nencryption. But, it uses proven techniques to bypass the HIPS detection used by security programs by\r\npiggybacking onto a signed legitimate file, which allows it to deliver its malicious payload.
It also proves, once\r\nagain, that there’s rarely any need to use stealthier or more sophisticated attacks, because simple techniques work.\r\nBad news though for the bad guys, and good news for our customers, as Fortinet covers detection for the\r\nBADNEWS backdoor as W32/Bdnews.A!tr.bdr and the malicious RTF as MSOffice/CVE_2015_1641.A!exploit.\r\nC\u0026C URLs were also blocked by Fortinet’s Web Filter.\r\n-= FortiGuard Lion Team =-\r\nIOCs:\r\nSha256:\r\nC\u0026C Urls:\r\nSource: http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2"
	],
	"report_names": [
		"in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2"
	],
	"threat_actors": [
		{
			"id": "ca292585-950c-400f-b632-c19fa3491fe1",
			"created_at": "2022-10-25T15:50:23.599765Z",
			"updated_at": "2026-04-10T02:00:05.417659Z",
			"deleted_at": null,
			"main_name": "MONSOON",
			"aliases": null,
			"source_name": "MITRE:MONSOON",
			"tools": [
				"TINYTYPHON",
				"BADNEWS",
				"Unknown Logger",
				"AutoIt backdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "88854a9f-641a-4412-89db-449b4d5cbc51",
			"created_at": "2022-10-25T16:07:23.963599Z",
			"updated_at": "2026-04-10T02:00:04.810023Z",
			"deleted_at": null,
			"main_name": "Operation HangOver",
			"aliases": [
				"G0042",
				"Monsoon",
				"Operation HangOver",
				"Viceroy Tiger"
			],
			"source_name": "ETDA:Operation HangOver",
			"tools": [
				"AutoIt backdoor",
				"BADNEWS",
				"BackConfig",
				"JakyllHyde",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434703,
	"ts_updated_at": 1775791476,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0e29b12113c357d86236ff8af1c11af0a06db151.pdf",
		"text": "https://archive.orkl.eu/0e29b12113c357d86236ff8af1c11af0a06db151.txt",
		"img": "https://archive.orkl.eu/0e29b12113c357d86236ff8af1c11af0a06db151.jpg"
	}
}