Rewterz Threat Alert – BackConfig Malware Targeting Government and Military Organizations in South Asia

May 14, 2020

Severity

High

Analysis Summary

Hangover threat group’s use of the BackConfig malware in attacks against government and military organizations in South Asia. In almost all cases, the initial malware was hosted on a compromised site and a link was sent to targets in spear phishing emails. Besides the usage of an RTF document in a couple instances, a macro-enabled XLS document was the main format of the initial file. The decoy content in the document uses a theme relevant to the target, such as housing program registration forms in the country of interest. The macros then proceed to perform the tasks needed to ultimately infect the system with the BackConfig malware. The specific steps taken to do this have evolved over the years. The most recent version uses a combination of text files and batch scripts dropped by the macro to ultimately download the BackConfig payload from a remote URL. Persistence is also established by the macro code via scheduled tasks. Once on the system, BackConfig’s modular architecture can be used to perform a variety of tasks, such as gathering system information, keylogging, and downloading additional payloads.

Impact

Information theft
Exposure of sensitive data

Indicators of Compromise

SHA-256

56349cf3188a36429c207d425dd92d8d57553b1f43648914b44965de2bd63dd6
8892279f3d87bcd44d8f9ac1af7e6da0cfc7cf1731b531056e24e98510bea83c
021b030981a6db1ec90ccbd6d20ee66b554b7d8c611476e63426a9288d5ce68b
be3f12bcc467808c8cc30a784765df1b3abe3e7a426fda594edbc7191bbda461
0aa5cf1025be21b18ab12d8f8d61a6fa499b3bbcdbdced27db82209b81821caf
ed638b5f33d8cee8f99d87aa51858a0a064ca2e6d59c6acfdf28d4014d145acb
752c173555edb49a2e1f18141859f22e39155f33f78ea70a3fbe9e2599af3d3f
4BAFBF6000A003EB03F31023945A101813654D26B7F3E402D1F51B7608B93BCB
C94f7733fc9bdbcb503efd000e5aef66d494291ae40fc516bb040b0d1d8b46c9
6a35d4158a5cb8e764777ba05c3d7d8a93a3865b24550bfb2eb8756c11b57be3
750fc47d8aa8c9ae7955291b9736e8292f02aaaa4f8118015e6927f78297f580
5292f4b4f38d41942016cf4b154b1ec65bb33dbc193a7e222270d4eea3578295
f64dbcd8b75efe7f4fa0c2881f0d62982773f33dcfd77cccb4afc64021af2d9e
98d27e830099c82b9807f19dcef1a25d7fce2c79a048d169a710b272e3f62f6e
29c5dd19b577162fe76a623d9a6dc558cfbd6cddca64ed53e870fe4b66b44096
abe82ffb8a8576dca8560799a082013a7830404bb235cb29482bc5038145b003
02c306bb120148791418136dcea8eb93f8e97fb51b6657fd9468c73fb5ea786c

Remediation

Block all threat indicators at your respective controls.
Always be suspicious about emails sent by unknown senders.
Never click on the links/attachments sent by unknown senders.

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

CVE-2024-32638 – Apache APISIX Vulnerability

Multiple SAP Products Vulnerabilities

Multiple IBM Products Vulnerabilities

Threat Insights

About Us

Our Leadership

CSR

Connect with Us