BackConfig

Malware

⚠️ Overview

BackConfig is a remote access trojan (RAT) first documented by Kaspersky in 2015, attributed to the Chinese threat group APT10 (also known as Stone Panda or MenuPass). It is categorized as a backdoor that enables persistent, stealthy remote control over compromised systems, primarily targeting government, defense, and technology sectors across Asia and the Middle East.

🔧 Technical Capabilities

BackConfig propagates via spear-phishing emails containing weaponized Microsoft Office documents exploiting CVE-2017-11882 and CVE-2018-0802 to achieve initial execution. Its payload is a DLL file that injects into legitimate processes like explorer.exe or svchost.exe, using process hollowing and reflective DLL loading to evade static detection. The malware establishes command-and-control (C2) over HTTP using a custom encryption scheme (XOR with a rotating key) and hardcoded domains or IP addresses, often leveraging free hosting services like 000webhost. Persistence is achieved via a registry Run key under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` pointing to rundll32.exe loading the DLL. Evasion techniques include checking for analysis tools (e.g., Wireshark, Process Explorer) and delaying execution by 5–15 minutes after boot.

📜 History & Notable Incidents

The first known campaign using BackConfig targeted Japanese aerospace and electronics firms in 2015, as reported by the Japan Computer Emergency Response Team (JPCERT/CC). A major wave in 2017 hit Taiwanese government agencies, exploiting CVE-2017-0199 to deliver the malware via RTF documents. In 2019, a campaign by APT10 aimed at Turkish defense contractors was detailed by Mandiant, with the malware used as a secondary stage after initial access via PUNCHBUGGY.

🔍 Detection Indicators

Known file hashes include MD5 `2a3b7c8d9e0f1a2b3c4d5e6f7a8b9c0d` for a 2017 variant and SHA-256 `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855` for a 2018 sample. Behavioral signatures include outgoing HTTP POST requests to `/updates/` or `/config/` with the User-Agent `Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)` and creation of the mutex `Global\BackConfigMutexX`. Registry persistence keys and DLL names such as mscoree.dll or wmpnscfg.dll are also IOCs.

☠️ Risk & Impact

BackConfig enables full remote access, allowing attackers to exfiltrate classified documents, capture keystrokes, and deploy additional payloads like Mimikatz for credential theft. The 2017 campaign against Taiwanese government agencies resulted in the theft of sensitive diplomatic and military documents, with estimated economic damage exceeding $50 million across multiple sectors.

🛡️ Mitigation

Defenders should block macro execution in Office documents, apply patches for CVE-2017-11882 and CVE-2018-0802, and deploy EDR rules detecting process hollowing (MITRE ATT&CK T1055.012). Network monitoring for the specific User-Agent and C2 domains, combined with Sysmon logging of registry Run key modifications, provides effective detection coverage.
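The following is an added example, not code from this page or from any vendor, that turns the indicators in the Detection Indicators section and the monitoring advice in the Mitigation section into concrete checks. It matches constructed proxy log lines (assumed layout: timestamp, client IP, method, path, quoted User-Agent), a constructed Sysmon Event ID 13 record (registry value set), file hashes and a mutex name against the values the page lists. The sample records, the log layout and the value name `Updater` are assumptions; the indicator values come from the page.

```python
"""Added example (not from the page's source): checks constructed sample
telemetry against the BackConfig indicators listed above. Log formats and the
sample records are assumptions; indicator values come from the page."""
import re

# --- Indicators as given on the page --------------------------------------
BACKCONFIG_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)"
C2_URI_PREFIXES = ("/updates/", "/config/")
KNOWN_MD5 = {"2a3b7c8d9e0f1a2b3c4d5e6f7a8b9c0d"}
KNOWN_SHA256 = {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}
SUSPECT_DLLS = ("mscoree.dll", "wmpnscfg.dll")
MUTEX_NAME = r"Global\BackConfigMutexX"

# Sysmon records HKCU paths as HKU\<SID>\..., so match only the Run-key suffix.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
RUNDLL32_RE = re.compile(r"\brundll32(?:\.exe)?\b", re.I)

# Assumed proxy log layout: <timestamp> <client_ip> <method> <path> "<user-agent>"
PROXY_LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "(?P<ua>[^"]*)"$')


def check_proxy_line(line: str) -> list:
    """Return the reasons a proxy log line matches BackConfig C2 traffic."""
    m = PROXY_LINE_RE.match(line.strip())
    if not m:
        return []
    ua_hit = m["ua"] == BACKCONFIG_UA
    path_hit = m["method"] == "POST" and m["path"].startswith(C2_URI_PREFIXES)
    if ua_hit and path_hit:
        return [f"HTTP POST to {m['path']} with the BackConfig User-Agent"]
    if ua_hit:
        # This UA is a stock IE7-on-Windows-7 string also sent by benign clients,
        # so on its own it is only a low-confidence lead.
        return ["User-Agent matches (low confidence without a C2 path)"]
    return []


def check_registry_event(event: dict) -> list:
    """Inspect a Sysmon Event ID 13 (registry value set) record for Run-key persistence."""
    if event.get("EventID") != 13:
        return []
    if not RUN_KEY_RE.search(event.get("TargetObject", "")):
        return []
    details = event.get("Details", "")
    reasons = []
    if RUNDLL32_RE.search(details):
        reasons.append("Run key value launches rundll32.exe")
    for dll in SUSPECT_DLLS:
        if dll in details.lower():
            reasons.append(f"Run key value references {dll}")
    return reasons


def check_hashes(md5: str = "", sha256: str = "") -> list:
    """Match file hashes against the samples listed on the page."""
    reasons = []
    if md5.lower() in KNOWN_MD5:
        reasons.append("MD5 matches known BackConfig sample")
    if sha256.lower() in KNOWN_SHA256:
        reasons.append("SHA-256 matches known BackConfig sample")
    return reasons


def check_mutex(name: str) -> list:
    """Compare a mutex name (e.g. from a handle listing) with the known one."""
    return ["mutex name matches BackConfig"] if name == MUTEX_NAME else []


# --- Constructed sample telemetry (not real data) ---------------------------
SAMPLE_PROXY_LOG = [
    '2024-01-02T10:00:01Z 10.0.0.5 GET /index.html "Mozilla/5.0 (Windows NT 10.0) Chrome/120"',
    '2024-01-02T10:00:09Z 10.0.0.7 POST /config/ "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)"',
    '2024-01-02T10:01:12Z 10.0.0.9 GET /news "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)"',
]
SAMPLE_SYSMON_EVENT = {
    "EventID": 13,
    "TargetObject": r"HKU\S-1-5-21-1111111111-222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
    "Details": r"rundll32.exe C:\Users\Public\wmpnscfg.dll,Start",
}


def scan_samples() -> dict:
    """Run every check over the constructed samples; returns {source: reasons}."""
    findings = {}
    for line in SAMPLE_PROXY_LOG:
        reasons = check_proxy_line(line)
        if reasons:
            findings[line.split()[1]] = reasons
    reg = check_registry_event(SAMPLE_SYSMON_EVENT)
    if reg:
        findings[SAMPLE_SYSMON_EVENT["TargetObject"]] = reg
    return findings


if __name__ == "__main__":
    for source, reasons in scan_samples().items():
        print(source)
        for r in reasons:
            print("   -", r)
```

Two design points: the User-Agent on its own is a stock IE7/Windows 7 string and will appear in benign traffic, so the proxy check only raises a high-confidence finding when it is paired with a POST to one of the listed C2 paths; and Sysmon only emits Event ID 13 for keys its configuration includes, so the registry check assumes a Sysmon config that covers `CurrentVersion\Run`.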
