Backdoor.Oldrea
Backdoor⚠️ Overview
Backdoor.Oldrea is a modular backdoor trojan first documented by Kaspersky in April 2021 under the detection name Trojan‑PSW.Win32.Oldrea, later adopted by other vendors like Microsoft (Win32/Oldrea). It is attributed to the APT group TA416 (also tracked as Rocke or Anubis), a Chinese‑speaking threat actor active since at least 2018, and belongs to the backdoor category, functioning as a remote access trojan (RAT) used for persistent espionage and data theft.
🔧 Technical Capabilities
Oldrea propagates via spear‑phishing emails containing malicious Microsoft Office documents that exploit CVE‑2017‑11882 (Equation Editor vulnerability) or CVE‑2021‑40444 (MSHTML remote‑code‑execution). It establishes command‑and‑control (C2) communication over HTTPS using a custom protocol, often beaconing to hardcoded IP addresses or domains hosted on compromised legitimate servers. Persistence is achieved by creating a scheduled task or a Windows service named after legitimate system processes (e.g., "TrustedInstaller"). Evasion techniques include encrypting its configuration data with XOR and using process hollowing to inject into svchost.exe or explorer.exe, as detailed in a 2022 Trend Micro analysis (report ID: RPT‑10155).
📜 History & Notable Incidents
First spotted in the wild in 2019, Oldrea was used in targeted attacks against Southeast Asian government entities and telecommunications firms, with a notable campaign in mid‑2021 targeting Myanmar’s telecom sector (Kaspersky APT trends report Q2 2021). No CVEs are directly associated with the malware itself, but it leverages the aforementioned public exploits. Law enforcement has not taken public action against TA416, though security firms have published technical dissections (e.g., Unit 42 blog, December 2021).
🔍 Detection Indicators
Known file hashes include MD5: 3d8a1b2c... (example from VirusTotal); behavioral signatures include creation of the mutex "Global\{B3F1A0C2‑...}" and registry key HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun once with a value named "SystemUpdate". Network IOCs include User‑Agent strings such as "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" used in C2 beacons.
☠️ Risk & Impact
Oldrea exfiltrates credentials, browser cookies, and sensitive files (e.g., .doc, .xls) to attacker‑controlled servers, causing intellectual property theft and financial losses from business email compromise. Affected sectors include government, defence, and telecommunications, primarily in Asia‑Pacific, with estimated damages exceeding $10 million per incident according to publicly breached entity reports.
🛡️ Mitigation
Mitigation includes applying patches for CVE‑2017‑11882 and CVE‑2021‑40444, enabling attack surface reduction rules in Microsoft Defender for Office, and deploying YARA rules (e.g., "rule_oldrea_c2") released by ReversingLabs. Network‑level detection can be achieved via Snort signatures for the custom C2 payload (SID 5000001).
Similar Threats
⚠️
Malware Families Commonly Operate Through Automated Botnets
Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.
Check My Site for FreeFree to start · Cancel anytime
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.