BACKORDER
Malware
⚠️ Overview
Backorder is a stealthy information-stealing trojan first documented by Cisco Talos in October 2022, attributed to a Chinese-speaking threat actor tracked as UNC4016 or Bitter APT. It falls under the category of a backdoor trojan with data exfiltration capabilities, primarily targeting government and telecommunications entities in South Asia.
🔧 Technical Capabilities
Backorder deploys via spear-phishing emails containing weaponized Microsoft Office documents that exploit CVE-2017-0199 (a Microsoft Office Equation Editor vulnerability) to execute a malicious HTA payload. Once installed, it establishes persistent access through a scheduled task named "WindowsUpdateTask" and communicates with command-and-control (C2) servers over HTTP, wrapping its traffic in a layer of encryption that resembles HTTPS, and sending a fixed User-Agent string: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36". The malware enumerates system drives, collects credentials from browsers and FTP clients, and exfiltrates files via HTTP POST requests to hardcoded IP addresses. For evasion it uses process hollowing into legitimate Windows processes (e.g., svchost.exe), and it encrypts stolen data with AES-256 before transmission.
📜 History & Notable Incidents
First observed in the wild during Q3 2022, Backorder was linked to a campaign targeting the Ministry of External Affairs of India and a telecommunications provider in Bangladesh in early 2023. No CVEs have been newly assigned specifically to Backorder; it relies on known exploits like CVE-2017-0199 (MITRE ATT&CK T1203). Law enforcement has not publicly taken action against the operators to date.
🔍 Detection Indicators
Known file hashes include SHA256: a3f4b9c1d2e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0 (sample from Talos report). Network indicators: C2 domains such as *cdn-update[.]com* and *data-sync[.]net*. Registry persistence is created under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with value name "BackupHelper". The mutex "Global\BAck0rder_Session" is used to prevent multiple instances.
☠️ Risk & Impact
Backorder poses a high risk of sensitive data theft, including government and corporate intellectual property. The Cisco Talos report (October 2022) indicated that the malware exfiltrated an average of 200MB per compromised host, leading to potential financial losses from espionage and reputational damage. Affected sectors include government, telecommunications, and defense in South Asia.
🛡️ Mitigation
Organizations should implement email filtering for malicious attachments, apply patches for CVE-2017-0199 (MS17-014), and deploy endpoint detection rules that flag the specific User-Agent string and mutex name. Cisco Talos provides YARA rules for Backorder detection in its threat advisory (talosintelligence.com).
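The indicators and mitigation advice above can be turned into a first-pass triage script. The following is an added example written for this page; it is not code from Cisco Talos or from the Boteraser site, and it does not reproduce their YARA rules. It assumes a simple, made-up proxy log layout (client IP, method, host, path, status, quoted User-Agent) and a Run-key export supplied as a name-to-command mapping; all sample lines are constructed. One caveat a practitioner should keep in mind: the User-Agent string listed above is a stock Chrome 91 string that many legitimate clients also send, so the script treats it as a weak signal on its own and only raises severity when a known C2 domain is involved.

```python
import re
from typing import Dict, List, Optional

# Indicators copied from the profile above. Domains are kept in the page's
# defanged form and refanged only for matching.
C2_DOMAINS = {d.replace("[.]", ".") for d in ("cdn-update[.]com", "data-sync[.]net")}
BACKORDER_UA = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
)
RUN_VALUE_NAME = "BackupHelper"

# Assumed proxy log layout (not any vendor's real format):
#   <client_ip> <method> <host> <path> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines; none of this is captured traffic.
SAMPLE_PROXY_LOG = [
    '10.0.0.12 GET www.example.org /index.html 200 "' + BACKORDER_UA + '"',
    '10.0.0.15 POST cdn-update.com /upload 200 "' + BACKORDER_UA + '"',
    '10.0.0.15 GET data-sync.net /beacon 200 "curl/8.0"',
    '10.0.0.20 GET intranet.local /login 302 "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"',
    'garbage line that does not parse',
]


def classify_line(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for one proxy log line, or None if nothing matched.

    Severity reflects indicator strength: the C2 domain is specific to this
    family, while the User-Agent is a common Chrome 91 string, so a UA-only
    hit is reported as low severity for analyst review rather than alerting.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    host = m["host"].lower()
    reasons: List[str] = []
    if host in C2_DOMAINS:
        reasons.append("c2_domain")
        if m["method"] == "POST":
            # Mirrors the HTTP POST exfiltration path described in the profile.
            reasons.append("post_to_c2")
    if m["ua"] == BACKORDER_UA:
        reasons.append("user_agent")
    if not reasons:
        return None
    severity = "high" if "c2_domain" in reasons else "low"
    return {"ip": m["ip"], "host": host, "severity": severity, "reasons": reasons}


def scan_proxy_log(lines: List[str]) -> List[Dict[str, object]]:
    """Run classify_line over every line and keep only the matches."""
    return [f for f in (classify_line(line) for line in lines) if f is not None]


def check_run_key(run_values: Dict[str, str]) -> List[str]:
    """Given the values under HKCU\\...\\CurrentVersion\\Run as a
    name -> command mapping (e.g. parsed from a `reg query` export),
    return the value names that match the persistence name in the profile."""
    return [name for name in run_values if name.lower() == RUN_VALUE_NAME.lower()]


if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(finding)
    # Constructed Run-key export: one benign entry plus the profiled name.
    print(check_run_key({"OneDrive": "<benign command>", "BackupHelper": "<unknown command>"}))
```

Running the block flags the POST to cdn-update.com as high severity with three reasons, the curl beacon to data-sync.net as high on the domain alone, and the ordinary browsing line that merely carries the Chrome 91 User-Agent as low; the Firefox line and the unparseable line produce nothing.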
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.