2022-07-18 by Unit 42 from Palo Alto Networks Unit 42
2020-06-03 by Doel Santos from Palo Alto Networks Unit 42
Tool: BackConfig
Names: BackConfig
Description: (Palo Alto) The BackConfig custom trojan has a flexible plug-in architecture for components offering various features, including the ability to gather system and keylog information and to upload and execute additional payloads.
Category: Malware
Type: Backdoor
Information: https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/
Information: https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/
Mitre-attack: https://attack.mitre.org/software/S0475/
Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.backconfig
Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:backconfig
Last-card-change: 2022-12-30
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
Tactic | Technique | Description |
---|---|---|
Execution (TA0002) | T1059.003 Command and Scripting Interpreter: Windows Command Shell | BackConfig can download and run batch files to execute commands on a compromised host. |
Execution (TA0002) | T1059.005 Command and Scripting Interpreter: Visual Basic | BackConfig has used VBS to install its downloader component and malicious documents with VBA macro code. |
Execution (TA0002) | T1106 Native API | BackConfig can leverage API functions such as ShellExecuteA and HttpOpenRequestA in the process of downloading and executing files. |
Execution (TA0002) | T1053.005 Scheduled Task/Job: Scheduled Task | BackConfig has the ability to use scheduled tasks to repeatedly execute malicious payloads on a compromised host. |
Execution (TA0002) | T1204.001 User Execution: Malicious Link | BackConfig has compromised victims via links to URLs hosting malicious content. |
Persistence (TA0003) | T1137.001 Office Application Startup: Office Template Macros | BackConfig has the ability to use hidden columns in Excel spreadsheets to store executable files or commands for VBA macros. |
Persistence (TA0003) | T1053.005 Scheduled Task/Job: Scheduled Task | BackConfig has the ability to use scheduled tasks to repeatedly execute malicious payloads on a compromised host. |
Privilege Escalation (TA0004) | T1053.005 Scheduled Task/Job: Scheduled Task | BackConfig has the ability to use scheduled tasks to repeatedly execute malicious payloads on a compromised host. |
Defense Evasion (TA0005) | T1140 Deobfuscate/Decode Files or Information | BackConfig has used a custom routine to decrypt strings. |
Defense Evasion (TA0005) | T1564.001 Hide Artifacts: Hidden Files and Directories | BackConfig has the ability to set folders or files to be hidden from the Windows Explorer default view. |
Defense Evasion (TA0005) | T1070.004 Indicator Removal: File Deletion | BackConfig has the ability to remove files and folders related to previous infections. |
Defense Evasion (TA0005) | T1036.005 Masquerading: Match Legitimate Name or Location | BackConfig has hidden malicious payloads in `%userprofile%\adobe\driver\dwg\` and mimicked the legitimate DHCP service binary. |
Defense Evasion (TA0005) | T1027.010 Obfuscated Files or Information: Command Obfuscation | BackConfig has used compressed and decimal-encoded VBS scripts. |
Defense Evasion (TA0005) | T1553.002 Subvert Trust Controls: Code Signing | BackConfig has been signed with self-signed digital certificates mimicking a legitimate software company. |
Discovery (TA0007) | T1083 File and Directory Discovery | BackConfig has the ability to identify folders and files related to previous infections. |
Command and Control (TA0011) | T1071.001 Application Layer Protocol: Web Protocols | BackConfig has the ability to use HTTPS for C2 communications. |
Command and Control (TA0011) | T1105 Ingress Tool Transfer | BackConfig can download and execute additional payloads on a compromised host. |