{
	"id": "03f8707a-6bf0-4da2-b788-14c2711fcea7",
	"created_at": "2026-04-06T00:11:10.852327Z",
	"updated_at": "2026-04-10T03:24:36.320489Z",
	"deleted_at": null,
	"sha1_hash": "1defaa3eb72c554214e297c77f7da16fff310639",
	"title": "In-Depth Look at New Variant of MONSOON APT Backdoor, Part 1",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3160949,
	"plain_text": "In-Depth Look at New Variant of MONSOON APT Backdoor, Part 1\r\nPublished: 2017-04-05 · Archived: 2026-04-05 18:07:30 UTC\r\nThree weeks ago, FortiGuard Labs, together with @_ddoxer (Roland de la Paz), spotted a document with the politically themed file name “Senate_panel.doc” through VirusTotal Intelligence queries. This malicious RTF file exploits CVE-2015-1641. Upon successful exploitation it drops malware into the %appdata%\\Microsoft directory. To avoid raising the victim's suspicion, it also drops a decoy document whose first page shows the emblem of the Ministry of Foreign Affairs of Pakistan, followed on the next pages by an article about the Senate of Pakistan.\r\nDecoy document\r\nAs we were unable to identify which malware family the dropped file belongs to, we dug a bit further. Our analysis showed that it is a new variant of the malware dubbed BADNEWS, which is actively used in the MONSOON APT campaign. This variant steals documents from USB drives.\r\nThe first thing we wanted to learn was whether other files similar to this malicious RTF had been submitted to VirusTotal after the discovery of the APT campaign was first published in August 2016. A quick similar-to: search in VirusTotal returned 3 results:\r\nVT similar-to: search gives 3 similar malicious RTF files\r\nIt looks very similar to a file submitted to VirusTotal on 11/08/2016 with the file name “Who_would_win_an_all_out_war_between_Pakistan_and_India.doc”, and to another submitted on 03/08/2017 with the file name “Jobs.” Executing the files shows that the first has a theme similar to the initially discovered file, while the other looks like a United Nations career opportunities guide document. 
All of them drop the same malware, with only small code variations.\r\nMalicious RTF\r\nIn this blog we will only run a quick analysis of the malicious RTF shellcode, as our colleague Wayne already did an in-depth analysis of CVE-2015-1641 here. RTFScan tells us that there are 4 objects in this RTF file, and dumps these objects as separate files.\r\nhttp://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1\r\nPage 1 of 10\n\nObject 2 is a ZIP container (it starts with a “PK” header), i.e. an embedded Office Open XML package. Extracting its contents reveals 2 activeX.bin files (activeX1.bin and activeX2.bin). The first contains the first-stage shellcode. The second contains the second-stage shellcode, the malware, and the decoy document.\r\nWe attached winword.exe to a debugger and opened the malicious RTF file to see what the shellcode does. As seen below, the first-stage shellcode searches for the marker 0xC24350D1 in the activeX2.bin file, then allocates memory into which it copies the 0x88F bytes that follow the marker. The copied data is the second-stage shellcode, which is decrypted using SUB 0x37 on each byte. After decryption, the second-stage shellcode is called.\r\nThe second-stage shellcode uses hardcoded offsets to locate the encrypted files. After decrypting the first file using SUB 0x37 on each byte, it drops it as %appdata%\\Microsoft\\Templates\\msvcrt.dll. It then drops the file ~Normal.dat in the same directory; this file contains the encrypted decoy document and the malware, along with other legitimate files. The file msvcrt.dll is loaded using LoadLibraryW(). 
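The stage-1 carving step described above, reproduced as an added example (this is not code from the original post or from the malware): it scans a dump of activeX2.bin for the 0xC24350D1 marker, takes the 0x88F bytes that follow it, and undoes the SUB 0x37 applied to each byte. The post does not state the byte order in which the marker sits in the file; the example assumes little-endian, as an x86 immediate would be stored, and falls back to big-endian. The sample buffer is constructed inside the code and is not taken from the real activeX2.bin.

```python
import struct

MARKER = 0xC24350D1      # marker the stage-1 shellcode scans for in activeX2.bin
STAGE2_LEN = 0x88F       # number of bytes copied from just after the marker
STAGE2_KEY = 0x37        # every byte is decrypted with SUB 0x37


def sub_decrypt(data, key):
    '''Undo the per-byte encryption: subtract key from each byte, modulo 256.'''
    return bytes((b - key) & 0xFF for b in data)


def find_marker(blob, marker=MARKER):
    '''Offset of the 32-bit marker in blob, or -1 if it is absent.
    Assumption (not stated in the post): the marker is stored little-endian,
    as an x86 immediate would be; big-endian is tried as a fallback.'''
    for fmt in ('<I', '>I'):
        off = blob.find(struct.pack(fmt, marker))
        if off != -1:
            return off
    return -1


def carve_stage2(blob, length=STAGE2_LEN, key=STAGE2_KEY):
    '''Do what the stage-1 shellcode does: locate the marker, take the bytes
    after it, and decrypt them. Raises ValueError if the marker is missing or
    the dump is too short to hold a complete stage 2.'''
    off = find_marker(blob)
    if off == -1:
        raise ValueError('marker 0x%08X not found' % MARKER)
    start = off + 4
    available = len(blob) - start
    if available < length:
        raise ValueError('dump truncated: need 0x%X bytes after marker, have 0x%X'
                         % (length, available))
    return sub_decrypt(blob[start:start + length], key)


def sub_encrypt(data, key=STAGE2_KEY):
    '''Inverse of sub_decrypt; only used here to build a constructed sample.'''
    return bytes((b + key) & 0xFF for b in data)


def build_sample(stage2_plain):
    '''Constructed stand-in for activeX2.bin: padding, marker, encrypted stage 2,
    trailing padding. A real file carries ActiveX control data around the marker.'''
    return bytes(64) + struct.pack('<I', MARKER) + sub_encrypt(stage2_plain) + bytes(16)


if __name__ == '__main__':
    import sys
    if len(sys.argv) > 1:
        # analyst usage: python carve.py activeX2.bin > stage2.bin
        with open(sys.argv[1], 'rb') as fh:
            sys.stdout.buffer.write(carve_stage2(fh.read()))
    else:
        plain = (bytes(range(256)) * 9)[:STAGE2_LEN]
        assert carve_stage2(build_sample(plain)) == plain
        print('constructed sample carved and decrypted OK')
```

Run it against the activeX2.bin that RTFScan extracts and disassemble the output as 32-bit x86; if the marker is not found, the sample is probably a variant with a different marker and the value should be read off the stage-1 shellcode in the debugger as the post does.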
The second-stage shellcode then cleans up the registry under HKCU\\Software\\Microsoft\\Office\\1{0-6}.0\\Word\\Resiliency to prevent the warning messages Word shows when a document that previously crashed is reopened.\r\nThe msvcrt.dll file loads ~Normal.dat into memory. The decoy document is decrypted first, using the same decryption algorithm, and is dropped as %localappdata%\\Microsoft\\Windows\\.doc. It is started using a hidden cmd.exe /c start .\r\nThe following files are also decrypted from the ~Normal.dat file using the algorithm XOR 0x41, SUB 0x7 on each byte, and are dropped in the %appdata%\\Microsoft directory as:\r\nMicroScMgmt.exe\r\nmsvcr71.dll\r\njli.dll\r\nThe file MicroScMgmt.exe is then executed using CreateProcessA(). The file jli.dll contains the malware dubbed BADNEWS. BADNEWS was the name given to this malware because it uses news sites and blogs to obtain its C\u0026C servers.\r\nBADNEWS Backdoor\r\nBADNEWS uses a DLL side-loading technique with a signed Java executable to evade the Host Intrusion Prevention System (HIPS) of security products that monitor the behavior of executed files, since most HIPS tools whitelist signed or trusted files. This is reminiscent of the PlugX backdoor, which also piggybacked on signed legitimate files to execute its payload.\r\nMicroScMgmt.exe is a renamed copy of java-rmi.exe, the legitimate Java Runtime executable version 6.0.390.4. This file needs to load the DLLs msvcr71.dll and jli.dll to import some functions. 
However, the dropped jli.dll here is crafted to contain the BADNEWS code. All functions exported by this jli.dll point to a single routine, the malware code, so when MicroScMgmt.exe runs and calls any of these imports, it effectively calls the malware code.\r\nExport functions point to malware code\r\nAnti-Analysis Techniques\r\nThe malicious DLL is not packed, but it is obfuscated to deter analysis.\r\nAnti-sandbox/emulator\r\nA long loop has been added before the malicious routines run. Many sandboxes and emulators only run a sample for a short period before timing out, so the malware's behavior is usually not captured when it spins in a long loop before doing anything. An emulator that can patch the files it emulates, though, can easily skip such loops.\r\nLong loop as anti-sandbox/emulator\r\nReversed, Garbage, and Encrypted Strings\r\nBADNEWS has a lot of reversed, garbage, and encrypted strings. The string encryption, however, is just a simple minus 1 on each byte.\r\nAPI resolution\r\nTraversing a module's export table to obtain API addresses is an old malware technique, but BADNEWS resolves each API at its call site, with no dedicated resolver function, and calls the returned pointer directly. 
That makes analysis tedious, as each such indirect call has to be typed manually in IDA before the decompiler produces readable output.\r\nLoadLibraryA() is resolved twice\r\nAuto-Start Mechanism\r\nThis malware creates the following registry entry so that it starts when the machine reboots:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nJUSCHED = %Appdata%\\Microsoft\\MicroScMgmt.exe\r\nCreates Threads\r\nThe BADNEWS backdoor also creates 2 threads. One performs key-logging, and the other steals documents from USB drives.\r\nKey-logging\r\nThe first thread creates a hidden window to log keystrokes, and saves them to a file named %temp%\\TPX498.dat.\r\nHidden window creation\r\nWhen the window procedure is called, it checks whether the message the window received is WM_LBUTTONDOWN. This message means the user pressed the left mouse button, and this is when it starts to log keystrokes.\r\nThe file TPX498.dat starts with the marker “K L T N M :    Appdat” followed by the keyboard layout code, which identifies the language. The rest is a list of records about the captured keystrokes: the date when the keystrokes were captured, the window title, and the keys pressed while that window was active. In the example below, the language code is 0x0409, which means English – US. It shows that the user left-clicked on the window with title Temp (the active window is Windows Explorer, with the user browsing the %temp% directory), which started the keylogging routine.\r\nTPX498.dat file contains the logged keystrokes\r\nStealing Documents from USB Drives\r\nThe second thread also creates a hidden window, this one to detect when a new USB device is attached to the machine. 
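The two-step check this thread performs, a WM_DEVICECHANGE notification followed by IOCTL_STORAGE_QUERY_PROPERTY on each volume to read its BusType, reproduced as an added example (not code from the original post or from the malware). The parsing of the returned STORAGE_DEVICE_DESCRIPTOR runs anywhere on a constructed buffer; query_descriptor() issues the real IOCTL and only works on Windows. The hidden window and message loop are not reproduced. The function names, the 1024-byte output buffer and the drive-letter loop are this example's own choices; the 0x002D1400 control code, BusTypeUsb = 7 and the BusType offset of 28 come from the Windows SDK headers.

```python
import os
import struct
import sys

IOCTL_STORAGE_QUERY_PROPERTY = 0x002D1400
BUS_TYPE_USB = 0x07       # BusTypeUsb in the STORAGE_BUS_TYPE enumeration
BUS_TYPE_OFFSET = 28      # Version, Size, four BYTEs and four offset DWORDs precede BusType
# STORAGE_PROPERTY_QUERY with PropertyId = StorageDeviceProperty (0) and
# QueryType = PropertyStandardQuery (0); the last byte is AdditionalParameters.
PROPERTY_QUERY = struct.pack('<IIBxxx', 0, 0, 0)


def bus_type_of(descriptor):
    '''BusType DWORD from a STORAGE_DEVICE_DESCRIPTOR buffer, or None if the
    buffer is too short to contain it.'''
    if len(descriptor) < BUS_TYPE_OFFSET + 4:
        return None
    return struct.unpack_from('<I', descriptor, BUS_TYPE_OFFSET)[0]


def is_usb(descriptor):
    '''The decision the stealer thread makes before touching a newly arrived volume.'''
    return bus_type_of(descriptor) == BUS_TYPE_USB


def make_descriptor(bus_type, removable=1):
    '''Constructed STORAGE_DEVICE_DESCRIPTOR (36 bytes, no raw properties) so the
    parsing above can be exercised offline.'''
    return struct.pack('<IIBBBBIIIIII', 36, 36, 0, 0, removable, 0, 0, 0, 0, 0, bus_type, 0)


def volume_path(letter):
    '''Device path for a drive letter: two separators, a dot, a separator, then C:
    (os.sep is the backslash on Windows).'''
    return os.sep * 2 + '.' + os.sep + letter + ':'


def query_descriptor(device_path):
    '''Windows only: open the volume and issue IOCTL_STORAGE_QUERY_PROPERTY,
    the same call the malware makes. Returns the raw descriptor bytes.'''
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL('kernel32', use_last_error=True)
    k32.CreateFileW.restype = wintypes.HANDLE
    k32.CreateFileW.argtypes = [wintypes.LPCWSTR, wintypes.DWORD, wintypes.DWORD,
                                wintypes.LPVOID, wintypes.DWORD, wintypes.DWORD, wintypes.HANDLE]
    k32.DeviceIoControl.restype = wintypes.BOOL
    k32.DeviceIoControl.argtypes = [wintypes.HANDLE, wintypes.DWORD, wintypes.LPVOID, wintypes.DWORD,
                                    wintypes.LPVOID, wintypes.DWORD, ctypes.POINTER(wintypes.DWORD),
                                    wintypes.LPVOID]
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    FILE_SHARE_READ, FILE_SHARE_WRITE, OPEN_EXISTING = 1, 2, 3
    invalid_handle = wintypes.HANDLE(-1).value
    # This IOCTL is FILE_ANY_ACCESS, so the volume can be opened with no access rights.
    handle = k32.CreateFileW(device_path, 0, FILE_SHARE_READ | FILE_SHARE_WRITE,
                             None, OPEN_EXISTING, 0, None)
    if handle is None or handle == invalid_handle:
        raise ctypes.WinError(ctypes.get_last_error())
    query = ctypes.create_string_buffer(PROPERTY_QUERY, len(PROPERTY_QUERY))
    out = ctypes.create_string_buffer(1024)
    returned = wintypes.DWORD(0)
    try:
        ok = k32.DeviceIoControl(handle, IOCTL_STORAGE_QUERY_PROPERTY, query, len(PROPERTY_QUERY),
                                 out, len(out), ctypes.byref(returned), None)
        if not ok:
            raise ctypes.WinError(ctypes.get_last_error())
    finally:
        k32.CloseHandle(handle)
    return out.raw[:returned.value]


if __name__ == '__main__' and sys.platform == 'win32':
    for letter in 'DEFGHIJKLMNOPQRSTUVWXYZ':
        if os.path.exists(letter + ':' + os.sep):
            desc = query_descriptor(volume_path(letter))
            print(letter, 'BusType', bus_type_of(desc), 'USB' if is_usb(desc) else 'not USB')
```

Running this on a Windows analysis machine shows the same classification the malware arrives at for each mounted volume, which is useful when staging a test USB stick: a drive that reports BusTypeSata or BusTypeVirtual through a passthrough will never trigger the stealing routine, however many documents it holds.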
The window procedure first checks whether the message received is WM_DEVICECHANGE.\r\nDevice change detection\r\nIt then sends the IOCTL_STORAGE_QUERY_PROPERTY control code to every volume device. Each device returns a STORAGE_DEVICE_DESCRIPTOR structure containing the BusType. If the BusType is BusTypeUsb (0x07), the thread knows that the new device is a USB drive, and the stealing routine is called.\r\nBusType should be BusTypeUsb to enable stealing of documents\r\nThe function then creates a folder named “SMB” in the %temp% folder and, inside it, a folder with the following name format, where it stores the stolen files for each USB drive it processes.\r\nEx.\r\nThe files on the USB drive are then checked for documents to steal. The documents it tries to steal have the following extension names and a file size of less than 15MB:\r\nEarlier variants also steal files with the extension names .xls, .xlsx, .rtf, .zip, .7z, .rar.\r\nThe following files are created in the SMB folder:\r\nThe MUT.dat file looks like a dummy file and is not used. TZ0000001.dat contains the file names and file sizes found on the USB drive. If a file is larger than 15 MB, or does not have one of the file extensions above, it is marked with “HUGE:” so it will not be stolen. Otherwise, a 0 is appended after the file name.\r\nThe file TZ0000002.dat contains the list of files to be stolen. Files whose names are random alphanumeric characters without an extension are the copies of the files it steals. Each such file contains the original file path followed by the contents of the file.\r\nCommand and Control Communication\r\nThe BADNEWS backdoor has an interesting way of obtaining an updated C\u0026C server. 
It uses legitimate web services like GitHub, dynamic DNS, RSS feeds, blogs, and forum websites to host encrypted data that contains the actual C\u0026C server. Below are the hardcoded URLs where the encrypted data is hosted:\r\nhxxp://www.webrss.com/createfeed.php?feedid=49321\r\nhxxp://feed43.com/0414303388550176.xml\r\nhxxps://r0nald2017.wordpress.com/2017/02/16/my-first-post/\r\nhxxps://github.com/r0nald2017/project1/blob/master/xml.xml\r\nr0b1n.crabdance.com\r\nr0nald.ignorelist.com\r\nThis technique not only makes it easy to update the C\u0026C server, it also prevents security vendors from proactively blocking the hardcoded URLs, since they point to legitimate services.\r\nEncrypted C\u0026C server information hosted in Github\r\nThe hosted data is encrypted by performing ROR by 3 bits and then XOR by 0x23 on each byte, converting the result to its hexadecimal representation, and finally base64-encoding it. Decrypting it reveals the real C\u0026C URL.\r\nThe C\u0026C server is written to the file %temp%\\TZ90.dat as a backup in case the URLs embedded in the malware body are already down.\r\nAfter obtaining the C\u0026C URL, the backdoor generates a unique identifier for the machine from a GetTickCount() value and prepares a message containing the generated UID, system information, and the malware version:\r\nThe UID is saved in the file %temp%\\T89.dat so the same UID is used every time it contacts the C\u0026C server. The malware version seems to be bogus, though, as earlier variants found in 2015 also use v=2.2, which is hardcoded in the malware body. The username and computer name are in Unicode, in hexadecimal representation.\r\nThis message is encrypted using the above encryption algorithm before it is sent to the C\u0026C server via HTTP POST. 
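The dead-drop decoding described above, and the “{{” command covered later in the post, which carries its payload between “{{ }}”, as an added example that is not code from the original post or from the malware: it peels the layers in reverse (base64, hex, then XOR 0x23 and a left rotate by 3 on each byte) and scans fetched page text for candidate blobs. The ROR-then-XOR order follows the post's wording; that the dead-drop pages use the same “{{ }}” delimiters as the command, the hypothetical C\u0026C host c2.example.invalid and the sample page are assumptions and constructed data, not recovered indicators.

```python
import base64
import binascii
import re

C2_XOR_KEY = 0x23
# The post gives {{ }} as the delimiters of the {{ command payload; that the
# dead-drop pages use the same delimiters is an assumption made here.
BLOB_RE = re.compile('[{][{](.*?)[}][}]', re.S)


def ror8(b, n):
    '''Rotate an 8-bit value right by n bits.'''
    n &= 7
    return ((b >> n) | (b << (8 - n))) & 0xFF


def rol8(b, n):
    '''Rotate an 8-bit value left by n bits (inverse of ror8).'''
    n &= 7
    return ((b << n) | (b >> (8 - n))) & 0xFF


def c2_encode(plain):
    '''The attacker-side scheme as the post describes it: ROR 3 then XOR 0x23 on
    each byte, hex-encode, then base64. Used here only to build constructed samples.'''
    scrambled = bytes(ror8(b, 3) ^ C2_XOR_KEY for b in plain)
    return base64.b64encode(binascii.hexlify(scrambled)).decode('ascii')


def c2_decode(blob):
    '''Reverse the layers: base64, unhex, then XOR 0x23 and ROL 3 on each byte.
    Raises ValueError when the input is not shaped like a BADNEWS blob.'''
    try:
        hexed = base64.b64decode(blob.strip(), validate=True)
        scrambled = binascii.unhexlify(hexed)
    except (binascii.Error, ValueError) as exc:
        raise ValueError('not a BADNEWS-style blob: %s' % exc)
    return bytes(rol8(b ^ C2_XOR_KEY, 3) for b in scrambled)


def extract_c2_urls(page_text):
    '''Scan fetched dead-drop content for {{ }} blobs and return the decoded
    candidates that look like URLs; blobs that do not decode are skipped.'''
    urls = []
    for blob in BLOB_RE.findall(page_text):
        try:
            decoded = c2_decode(blob).decode('ascii')
        except (ValueError, UnicodeDecodeError):
            continue
        if decoded.startswith(('http://', 'https://')):
            urls.append(decoded)
    return urls


# Constructed sample page: one valid blob wrapped in {{ }} plus unrelated text.
# This is not the content of the real xml.xml or blog post.
SAMPLE_C2 = 'http://c2.example.invalid/gate.php'
SAMPLE_PAGE = ('preamble text {{' + c2_encode(SAMPLE_C2.encode('ascii')) + '}} '
               'trailer {{not a blob}}')


if __name__ == '__main__':
    print(extract_c2_urls(SAMPLE_PAGE))
```

Because c2_decode() also reverses the encryption applied to the HTTP POST body, the same function decodes the beacon once the bogus query-string fields have been reassembled, which is how the UID and v=2.2 fields can be read out of a capture.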
To further obfuscate the message, the malware splits it into several bogus fields with randomly generated names so that the body looks like a normal query string.\r\nHTTP POST data contains bogus fields\r\nCommands\r\nOne of the things that makes the BADNEWS backdoor a bit difficult to analyze, as with other bots, is that the server does not always respond. It took us 1.5 weeks of monitoring to finally get a response, and it looks like the attacker controls the C\u0026C manually whenever it becomes active. The moment we got a response, the attacker issued a command to capture a screenshot, which was sent back. After that, we got a “403 Forbidden” response, and it looks like the IP address we used during monitoring was blocked.\r\nCommands received from the server consist of a command name followed by a colon and an encrypted data field. The encrypted data uses the above encryption algorithm and can contain a URL from which a file is downloaded, a file path to upload to the C\u0026C server, or a command for the remote shell.\r\n“snp”: command to take screen shot then send to C\u0026C\r\nBelow are the commands found in the malware body, along with their descriptions:\r\nCommand Description\r\nshell Download a file and save it as %temp%\\up\r\nlink Download a file, save it as %temp%\\up\u003c2 random characters\u003e.exe or %appdata%\\Microsoft\\Internet Explorer\\mmln\u003c2 random letters\u003e.ex\r\nmod Download a DLL (possibly a plugin), save it as %appdata%\\Microsoft\\mmln.dll or %temp%\\up\u003c2 random characters\u003e.dll (this is not imm\r\nupd Download a file (possibly an updated copy), and save it as %temp%\\up.exe\r\ndwd Create an empty file in %temp% named TY10.dat and send it to C\u0026C\r\nkl Send the file %temp%\\TPX498.dat that contains the logged keys to C\u0026C\r\nsnp Take a screenshot, save it as %temp%\\TPX499.dat, and send it to C\u0026C\r\nustr Send stolen documents saved in 
the %temp%\\SMB folder to C\u0026C\r\nsdwl Send specified file to C\u0026C\r\nutop Disable sending of stolen documents to C\u0026C\r\nhcmd Remote shell using hidden cmd.exe, pipe the output to %temp%\\DMCZ0000.dat, then send it to C\u0026C\r\n{{ Decrypt the data inside {{ }} and use it as C\u0026C URL. This is similar to the way it initially obtained the C\u0026C from legitimate web service\r\nok Do nothing\r\nFor the commands where this malware needs to send a file to the C\u0026C, it sends 4 messages to the C\u0026C. If it is not sending a file, it sends just the last one, signifying that a command has been performed. Below are the 4 messages, in the order in which they are sent. The “tt” parameter contains the file.\r\n“\u0026tt” field contains the file it uploads\r\nHere are some interesting observations about how the commands were implemented. First, for the commands “mod” and “upd” the author apparently intends to execute the downloaded files, but there is a bug in the code where LoadLibraryA() is called: instead of passing the path of the downloaded file, it passes the contents of the file, so LoadLibraryA() fails with ERROR_MOD_NOT_FOUND. For the commands “link”, “mod”, and “upd”, if the malware fails to create the files, they are executed using process hollowing instead. The file downloaded using the command “shell” is not executed, but the attacker can execute it manually through the remote shell.\r\nHidden CMD\r\nWhen this backdoor receives the “hcmd” command, it creates a hidden “cmd.exe” process. 
This hidden cmd.exe acts as a remote shell: its standard input and output are redirected through pipes, so commands from the C\u0026C server are written to cmd.exe and its output is captured into a file named DMCZ0000.dat in the %temp% folder.\r\nHidden cmd.exe process\r\nTo better understand how this works, see Microsoft's article describing how to create a child process with redirected input and output:\r\nhttps://msdn.microsoft.com/en-us/library/windows/desktop/ms682499(v=vs.85).aspx\r\nThe DMCZ0000.dat file is then sent to the C\u0026C server.\r\nDMCZ0000.dat contains cmd.exe output\r\nIn part 2 of our analysis, we will try to discover who might be behind the distribution of these malicious files.\r\n-= FortiGuard Lion Team =-\r\nSource: http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1"
	],
	"report_names": [
		"in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1"
	],
	"threat_actors": [
		{
			"id": "ca292585-950c-400f-b632-c19fa3491fe1",
			"created_at": "2022-10-25T15:50:23.599765Z",
			"updated_at": "2026-04-10T02:00:05.417659Z",
			"deleted_at": null,
			"main_name": "MONSOON",
			"aliases": null,
			"source_name": "MITRE:MONSOON",
			"tools": [
				"TINYTYPHON",
				"BADNEWS",
				"Unknown Logger",
				"AutoIt backdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "88854a9f-641a-4412-89db-449b4d5cbc51",
			"created_at": "2022-10-25T16:07:23.963599Z",
			"updated_at": "2026-04-10T02:00:04.810023Z",
			"deleted_at": null,
			"main_name": "Operation HangOver",
			"aliases": [
				"G0042",
				"Monsoon",
				"Operation HangOver",
				"Viceroy Tiger"
			],
			"source_name": "ETDA:Operation HangOver",
			"tools": [
				"AutoIt backdoor",
				"BADNEWS",
				"BackConfig",
				"JakyllHyde",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434270,
	"ts_updated_at": 1775791476,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1defaa3eb72c554214e297c77f7da16fff310639.pdf",
		"text": "https://archive.orkl.eu/1defaa3eb72c554214e297c77f7da16fff310639.txt",
		"img": "https://archive.orkl.eu/1defaa3eb72c554214e297c77f7da16fff310639.jpg"
	}
}