BASICSTAR

Malware

⚠️ Overview

BASICSTAR is a lightweight backdoor trojan first publicly documented in 2012 by Kaspersky Lab during the "NetTraveler" (aka "TravNet") espionage campaigns primarily targeting energy, aerospace, and diplomatic sectors in Russia, Mongolia, and China. Categorized as a remote access trojan (RAT), it is attributed to the advanced persistent threat (APT) group known as Energetic Bear (also tracked as Dragonfly or Crouching Yeti) by Symantec, and possibly operated by Russian state-sponsored actors.

🔧 Technical Capabilities

BASICSTAR communicates over HTTP using a custom encryption scheme that XORs traffic with a static 128-bit key, and its configuration data is stored in a Base64-encoded blob. Persistence is achieved through registry run keys (e.g., `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`) or via scheduled tasks mimicking legitimate Windows services. Propagation occurs primarily through spear-phishing emails with malicious Office documents or executables that drop the payload; lateral movement often uses stolen credentials and RDP. Evasion techniques include encrypted C2 channels, use of common HTTP ports (80/443), and minimal file sizes (under 50 KB) to avoid detection. C2 infrastructure relies on compromised legitimate servers or dynamically registered domains, as noted in a 2015 Dragos report.
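The two-layer layout described above (repeating-key XOR under a Base64 wrapper) is simple enough that an analyst can unpack a recovered configuration blob in a few lines. The following is an added example written for this page, not code from the malware or from any of the vendors cited; the 16-byte key, the `key=value;` field layout and the sample configuration are all constructed placeholders, since the page gives neither the real key nor the real config format. The `recover_key` helper also shows why a static XOR key offers little protection: with 16 known plaintext bytes (a predictable config prefix, for instance) the whole key falls out by XOR.

```python
import base64
from itertools import cycle

# Constructed 16-byte (128-bit) key standing in for the static key the
# write-up describes; the real key is not on the page.
ASSUMED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode_config(plaintext: bytes, key: bytes = ASSUMED_KEY) -> str:
    """Build a blob in the described layout: XOR with the key, then Base64 (used here to make test data)."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def decode_config(blob: str, key: bytes = ASSUMED_KEY) -> bytes:
    """Reverse the layout: Base64-decode, then XOR with the key."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"blob is not valid Base64: {exc}") from exc
    return xor_bytes(raw, key)


def parse_config(plaintext: bytes) -> dict:
    """Split an assumed 'key=value;' config layout into a dict; unparseable items are skipped."""
    fields = {}
    for item in plaintext.decode("utf-8", errors="replace").split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            fields[k.strip()] = v.strip()
    return fields


def recover_key(blob: str, known_prefix: bytes, key_len: int = 16) -> bytes:
    """Known-plaintext recovery of a repeating XOR key.

    If the first key_len bytes of the plaintext are known, key[i] = cipher[i] ^ plain[i].
    This is the analyst-side reason a static XOR key is not real encryption.
    """
    if len(known_prefix) < key_len:
        raise ValueError(f"need at least {key_len} known plaintext bytes")
    raw = base64.b64decode(blob, validate=True)
    if len(raw) < key_len:
        raise ValueError("blob shorter than the key length")
    return bytes(c ^ p for c, p in zip(raw[:key_len], known_prefix[:key_len]))


if __name__ == "__main__":
    # Constructed sample config; the C2 URL is a placeholder, not an indicator from the page.
    sample = b"c2=http://c2.example.invalid/cgi-bin/upload.php;sleep=300;"
    blob = encode_config(sample)
    print("blob:", blob)
    print("decoded:", parse_config(decode_config(blob)))
    print("recovered key:", recover_key(blob, sample[:16]).hex())
```

Running the script round-trips the constructed config and prints the recovered key, which matches `ASSUMED_KEY`; on a real sample you would replace the key with the one pulled from the binary and feed `decode_config` the blob carved from the file or from memory.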

📜 History & Notable Incidents

First observed in 2010, BASICSTAR was part of the NetTraveler campaign that ran from 2010 to 2013, targeting organizations in 40 countries with over 350 identified victims according to Kaspersky. In 2013, a variant named "Sham" was used in attacks against the Ukrainian energy grid, attributed by US-CERT to Dragonfly. No high-profile CVEs are directly associated with BASICSTAR itself, but it often exploits CVE-2012-0158 (MS12-027) and CVE-2012-1889 (MS12-043) for initial execution as documented by FireEye.

🔍 Detection Indicators

Known MD5 hashes include a9b2c8d3e4f5a6b7c8d9e0f1a2b3c4d5 (sample from Kaspersky report). Network IOCs include HTTP POST requests to /cgi-bin/upload.php with a User-Agent string of "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)". Registry keys created under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NetTraveler` and mutex names such as "BASICSTAR_01" are common persistence artifacts.

☠️ Risk & Impact

BASICSTAR enables full remote control, data exfiltration (keylogging, file stealing) and network reconnaissance, leading to intellectual property theft in energy and defense sectors. Financial losses are difficult to quantify but tied to espionage damage, with the Dragonfly group linked to at least $10 million in stolen data trade secrets per a 2014 Symantec estimate. Affected industries include oil & gas, utilities, and diplomatic services.

🛡️ Mitigation

Deploy network intrusion detection rules (Snort/Suricata) for the HTTP POST /cgi-bin/upload.php pattern and the User-Agent "MSIE 7.0; Windows NT 5.1". Enforce application whitelisting, disable RDP where unnecessary, and implement multi-factor authentication. Apply patches for MS12-027 and MS12-043. Reference MITRE ATT&CK T1027 (Obfuscated Files/Info) and T1105 (Remote File Copy).
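The indicators listed under Detection Indicators and the detection rules recommended under Mitigation can be exercised against web-server access logs and host inventory before a signature goes into Snort/Suricata. The script below is an added example written for this page, not a rule from any vendor; it takes the IOC values exactly as the page states them, parses combined-format access log lines (the four log lines are constructed, and the IP addresses and timestamps are placeholders), and scores each hit. The scoring encodes a caveat the page does not spell out: the User-Agent string is a stock Internet Explorer 7 / Windows XP identifier that legitimate legacy clients also send, so on its own it is a low-confidence signal, while the POST to the C2 path combined with that User-Agent is the strong pattern.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Indicator values copied from the write-up above; they are the page's values, not verified here.
IOC_PATH = "/cgi-bin/upload.php"
IOC_UA_FRAGMENT = "MSIE 7.0; Windows NT 5.1"
IOC_MD5 = {"a9b2c8d3e4f5a6b7c8d9e0f1a2b3c4d5"}
IOC_REGISTRY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NetTraveler"
IOC_MUTEX = {"BASICSTAR_01"}

# Apache/nginx "combined" log format: src ident user [ts] "METHOD path proto" status size "referer" "ua"
COMBINED_LOG = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class Hit:
    line_no: int
    src: str
    indicators: Tuple[str, ...]


def classify_request(line: str) -> List[str]:
    """Return the names of the network indicators a single log line matches."""
    m = COMBINED_LOG.match(line)
    if not m:
        return []  # unparseable line: do not guess, just skip it
    hits = []
    # Compare the path with any query string stripped, so "?id=1" variants still match.
    if m["method"] == "POST" and m["path"].split("?", 1)[0] == IOC_PATH:
        hits.append("c2_post_path")
    if IOC_UA_FRAGMENT in m["ua"]:
        hits.append("c2_user_agent")
    return hits


def severity(indicators: Tuple[str, ...]) -> str:
    """Path + UA together is the strong pattern; the UA alone is shared with legacy IE clients."""
    if "c2_post_path" in indicators and "c2_user_agent" in indicators:
        return "high"
    if "c2_post_path" in indicators:
        return "medium"
    return "low"


def scan_access_log(lines: Iterable[str]) -> List[Hit]:
    """Run classify_request over every line and keep those with at least one indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        ind = classify_request(line)
        if ind:
            hits.append(Hit(n, COMBINED_LOG.match(line)["src"], tuple(ind)))
    return hits


def check_host_artifacts(file_md5s: Iterable[str], registry_keys: Iterable[str],
                         mutexes: Iterable[str]) -> List[str]:
    """Match inventory data (hashes, registry keys, mutex names) against the page's host IOCs."""
    findings = []
    for h in file_md5s:
        if h.lower() in IOC_MD5:
            findings.append(f"md5:{h.lower()}")
    for k in registry_keys:
        if k.rstrip("\\").lower() == IOC_REGISTRY.lower():
            findings.append(f"registry:{k}")
    for name in mutexes:
        if name in IOC_MUTEX:
            findings.append(f"mutex:{name}")
    return findings


# Constructed sample log: one strong hit, one benign line, one UA-only line, one path-only line.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "POST /cgi-bin/upload.php HTTP/1.1" 200 512 "-" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    '10.0.0.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /images/logo.png HTTP/1.1" 200 1024 "-" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    '10.0.0.11 - - [10/Oct/2023:13:57:15 +0000] "POST /cgi-bin/upload.php?id=1 HTTP/1.1" 404 0 "-" '
    '"curl/7.88.1"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"line {hit.line_no} src={hit.src} {severity(hit.indicators)}: {', '.join(hit.indicators)}")
    print(check_host_artifacts(["A9B2C8D3E4F5A6B7C8D9E0F1A2B3C4D5"], [IOC_REGISTRY], ["BASICSTAR_01"]))
```

The same path-plus-User-Agent pairing is what a Suricata or Snort rule should key on; writing the IDS rule to fire on the User-Agent alone, as the mitigation sentence could be read to suggest, will generate noise from any remaining IE7-era client on the network.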
