Bangat
⚠️ Overview
Bangat is a remote access trojan (RAT) first documented in November 2019 by researchers at Unit 42 (Palo Alto Networks) and later analyzed by Trend Micro. It is attributed to a threat group known as Earth Berius (formerly TA428) that is believed to operate from China, targeting government and critical infrastructure entities in Southeast Asia and Central Asia.
🔧 Technical Capabilities
Bangat implements modular plugins for keylogging, screen capture, file exfiltration, and audio recording, communicating over HTTP or HTTPS with a configurable command-and-control (C2) server. It uses a custom encryption algorithm (XOR with a rolling key) for network traffic and stores configuration data in the Windows Registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer. Persistence is achieved via a scheduled task or an autostart registry entry. The malware evades detection by delaying execution and by using process hollowing to inject into legitimate processes such as svchost.exe. Propagation is not built in; instead, it is typically delivered through spear-phishing emails carrying malicious Office documents (CVE-2017-11882 or CVE-2018-0802 exploits) or through compromised websites hosting exploits.
📜 History & Notable Incidents
Bangat was first observed in November 2019 targeting the Ministry of Foreign Affairs of a Central Asian nation, as reported by Unit 42. In 2020, Trend Micro documented an Earth Berius campaign using Bangat alongside other custom tools like Bisonal and Badnews against government entities in Mongolia and Uzbekistan. No high-profile CVEs are directly associated with Bangat itself, but it leverages older Microsoft Office vulnerabilities (CVE-2017-11882, CVE-2018-0802) for initial access. No known law enforcement actions have been taken against the operators.
🔍 Detection Indicators
Known file hashes include SHA256 0fa1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0 (sample from VirusTotal) and MD5 11111111111111111111111111111111 (example placeholder; actual hashes vary). Network IOCs include server domains such as bill-gates.ml and ms-update.cf (reported by Unit 42). Behavioral signatures include outbound HTTP POST requests with base64-encoded data and specific User-Agent strings mimicking Google Update (e.g., Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.76 Safari/537.36).
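As an added illustration (not code from the page's sources), the following Python checks proxy log lines against the behavioral indicators listed above: an HTTP POST with a base64-looking body, the quoted User-Agent string, and the reported C2 domains. The log layout and the sample lines are constructed for this example.

```python
import base64
import binascii
import re

# Indicators quoted from the Detection Indicators section of this entry.
SUSPECT_USER_AGENT = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/41.0.2272.76 Safari/537.36")
SUSPECT_DOMAINS = {"bill-gates.ml", "ms-update.cf"}

# Hypothetical proxy log layout (constructed for this example):
#   METHOD host "User-Agent" request-body
LOG_RE = re.compile(r'^(?P<method>\S+) (?P<host>\S+) "(?P<ua>[^"]*)" (?P<body>\S*)$')

def looks_base64(text, min_len=16):
    # Strict check: alphabet, padding and length must all be valid base64.
    if len(text) < min_len or len(text) % 4 != 0:
        return False
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", text):
        return False
    try:
        base64.b64decode(text, validate=True)
        return True
    except binascii.Error:
        return False

def score_line(line):
    """Return the list of matched indicators for one log line (empty if none)."""
    match = LOG_RE.match(line)
    if match is None:
        return []
    reasons = []
    if match["method"] == "POST" and looks_base64(match["body"]):
        reasons.append("base64 POST body")
    if match["ua"] == SUSPECT_USER_AGENT:
        reasons.append("Bangat-associated User-Agent")
    if match["host"].lower() in SUSPECT_DOMAINS:
        reasons.append("known C2 domain")
    return reasons

def scan(lines):
    """Keep only lines with at least one hit; more hits means higher confidence."""
    return [(line, r) for line in lines if (r := score_line(line))]

# Constructed sample log lines; the base64 bodies decode to harmless text.
SAMPLE_LOG = [
    f'POST bill-gates.ml "{SUSPECT_USER_AGENT}" SGVsbG8gV29ybGQhIHRlc3Q=',
    f'GET www.example.com "{SUSPECT_USER_AGENT}" -',
    'POST api.example.com "curl/8.0" {"k":"v"}',
    'POST updates.example.com "curl/8.0" dGhpcyBpcyBhIHRlc3QgbWVzc2FnZQ==',
]
```

A User-Agent or base64 hit on its own is a weak signal, since the quoted string is a stock Chrome 41 User-Agent and many legitimate services post base64 bodies; treat lines with two or more hits as the ones worth triage.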
☠️ Risk & Impact
Bangat enables full remote control of infected machines, leading to theft of sensitive diplomatic and government documents, espionage data, and credentials. The primary impact is on national security sectors, with confirmed victims in foreign ministries and military-affiliated agencies in Central and Southeast Asia. Financial losses are indirect but include remediation costs and loss of classified information.
🛡️ Mitigation
Defenders should block known C2 domains and apply patches for CVE-2017-11882 and CVE-2018-0802 to prevent initial compromise. Use endpoint detection and response (EDR) tools with rules for process hollowing and registry persistence changes, and implement email filtering to block malicious Office documents. MITRE ATT&CK techniques associated with Bangat include T1059.001 (Command and Scripting Interpreter), T1566.001 (Spearphishing Attachment), and T1055.012 (Process Hollowing).