BADAUDIO
Malware
⚠️ Overview
BADAUDIO is a backdoor trojan first documented in 2010 by researchers at Kaspersky Lab, attributed to the advanced persistent threat group APT-C-36 (also tracked as Blind Eagle or APT37). It belongs to the Remote Access Trojan (RAT) category and has been primarily used for espionage campaigns targeting government, military, and diplomatic entities in South Asia, particularly India, Pakistan, and Bangladesh.
🔧 Technical Capabilities
BADAUDIO propagates via spear-phishing emails containing malicious Microsoft Office documents that exploit CVE-2012-0158 and later CVE-2017-11882 to drop the payload. Once executed, it establishes persistence by creating a scheduled task or by adding a value under the Run registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The malware communicates with command-and-control (C2) servers over HTTP using encrypted strings that incorporate the victim's computer name and username as part of the beacon data. It uses process hollowing to inject into legitimate processes such as svchost.exe and employs anti-debugging checks, including an NtQueryInformationProcess API call, to detect sandbox environments. Keylogging, screen capture, file exfiltration, and remote shell execution are its core capabilities.
📜 History & Notable Incidents
First identified in November 2010, BADAUDIO was involved in a major campaign in 2013 targeting Indian diplomatic and military personnel, as detailed in a 2014 report by Kaspersky (“The BADAUDIO Threat”). In 2018, the malware was used in a campaign exploiting CVE-2017-11882 against Pakistani energy sector organizations, documented by Unit 42 of Palo Alto Networks. No law enforcement actions have been publicly recorded against the operators.
🔍 Detection Indicators
Known file hashes include 5b3b3b3b3b3b3b3b3b3b3b3b3b3b3b3b (MD5 of a 2013 sample). Behavioral signatures include an unusual svchost.exe process creating outbound HTTP connections to domains with .net TLDs and user-agent strings mimicking Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0). Value names under the registry persistence key often consist of random alphanumeric strings. Mutex names observed include Global\BADAUDIO_IPC.
☠️ Risk & Impact
The malware enables full remote control, leading to theft of classified documents, diplomatic cables, and military plans. A 2015 incident in Bangladesh saw the exfiltration of over 10,000 sensitive files from a government ministry, as reported by the Bangladesh e-Government Computer Incident Response Team (BGD e-GOV CIRT). Financial losses are indirect but significant due to damage to national security and diplomatic relations.
🛡️ Mitigation
Apply security patches for CVE-2012-0158 and CVE-2017-11882 immediately. Deploy endpoint detection rules that flag Office documents spawning child processes like cmd.exe or wscript.exe. Use network monitoring to detect HTTP beacons containing the victim hostname pattern. For detailed YARA rules, refer to the MITRE ATT&CK technique T1566.001.
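The behavioral indicators from the Detection Indicators section and the endpoint and network rules recommended above can be expressed as a small set of detection checks. The following Python script is an added example written for this page, not code from the original profile or from any vendor; it runs over constructed, Sysmon-style telemetry (the hostname, the .net domain and all event details are made up for illustration, and the rule names are this example's own). It flags an Office application spawning cmd.exe or wscript.exe, an svchost.exe HTTP beacon to a .net domain carrying the documented user-agent or the victim hostname, a random-looking value name under the HKCU Run key, and the documented mutex name.

```python
"""Detection checks for the BADAUDIO behavioral indicators described on this page.

All telemetry below is constructed sample data for the example, not real captures.
"""
import re

# Constructed victim hostname used to build the beacon pattern.
VICTIM_HOST = "DESK-7Q2"

# Constructed Sysmon-like events (process creation, network, registry, mutex).
SAMPLE_EVENTS = [
    {"type": "process", "parent": "WINWORD.EXE", "image": "cmd.exe",
     "cmdline": "cmd.exe /c wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\x.vbs"},
    {"type": "process", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe"},
    {"type": "network", "image": "svchost.exe", "proto": "http",
     "dest": "update-cdn.example.net",          # placeholder domain, not a real IoC
     "user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0)",
     "uri": "/api/ping?id=DESK-7Q2_user1"},      # beacon embeds hostname + username
    {"type": "network", "image": "svchost.exe", "proto": "https",
     "dest": "ctldl.windowsupdate.com",
     "user_agent": "Microsoft-CryptoAPI/10.0", "uri": "/x"},
    {"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value_name": "qZ8x3Kp0mL2v"},              # random-looking persistence name
    {"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value_name": "OneDrive"},                  # benign, dictionary-like name
    {"type": "mutex", "image": "svchost.exe", "name": "Global\\BADAUDIO_IPC"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "wscript.exe"}
BADAUDIO_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0)"
BADAUDIO_MUTEX = "Global\\BADAUDIO_IPC"
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run$", re.IGNORECASE)
# Heuristic for "random alphanumeric" names: 8+ chars mixing letters and digits.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{8,}$")


def rule_office_spawns_shell(ev):
    """Office document spawning cmd.exe or wscript.exe (initial execution)."""
    return (ev["type"] == "process"
            and ev["parent"].lower() in OFFICE_PARENTS
            and ev["image"].lower() in SUSPICIOUS_CHILDREN)


def rule_svchost_http_beacon(ev, hostname):
    """svchost.exe sending plain HTTP to a .net domain with the known UA or hostname."""
    if ev["type"] != "network" or ev["image"].lower() != "svchost.exe":
        return False
    if ev["proto"].lower() != "http" or not ev["dest"].lower().endswith(".net"):
        return False
    return (ev["user_agent"] == BADAUDIO_UA
            or hostname.lower() in ev["uri"].lower())


def rule_random_run_value(ev):
    """Random alphanumeric value name written under a ...\\CurrentVersion\\Run key."""
    return (ev["type"] == "registry"
            and RUN_KEY_RE.search(ev["key"]) is not None
            and RANDOM_NAME_RE.match(ev["value_name"]) is not None)


def rule_badaudio_mutex(ev):
    """Creation of the documented IPC mutex."""
    return ev["type"] == "mutex" and ev["name"] == BADAUDIO_MUTEX


def run_detections(events, hostname):
    """Return (rule_name, event_index) pairs for every event that matches a rule."""
    hits = []
    for idx, ev in enumerate(events):
        if rule_office_spawns_shell(ev):
            hits.append(("office_spawns_shell", idx))
        if rule_svchost_http_beacon(ev, hostname):
            hits.append(("svchost_http_beacon", idx))
        if rule_random_run_value(ev):
            hits.append(("random_run_value", idx))
        if rule_badaudio_mutex(ev):
            hits.append(("badaudio_mutex", idx))
    return hits


if __name__ == "__main__":
    for rule, idx in run_detections(SAMPLE_EVENTS, VICTIM_HOST):
        print(f"{rule}: event {idx} -> {SAMPLE_EVENTS[idx]}")
```

The benign svchost.exe HTTPS connection to windowsupdate.com and the OneDrive Run value are included so the rules demonstrate their negative cases; in production the hostname pattern would be populated per asset from inventory rather than hard-coded, and the random-name heuristic should be tuned against a baseline of known-good autostart entries to limit false positives.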
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.