Binanen
Malware
⚠️ Overview
Binanen is a custom backdoor first identified in 2016 by threat intelligence firm CrowdStrike as a variant of the BINAN family, operated by the Chinese state-sponsored advanced persistent threat group APT10 (also known as Stone Panda, Red Apollo, or MenuPass). It falls under the category of a remote access trojan (RAT) designed for covert data exfiltration and persistent access to compromised networks, typically targeting the defense, aerospace, and technology sectors.
🔧 Technical Capabilities
Binanen propagates via spear-phishing emails containing weaponized documents that exploit Microsoft Office vulnerabilities (e.g., CVE-2017-0199 or CVE-2018-0798) to drop the payload. Once executed, it establishes command-and-control (C2) communication over HTTP or HTTPS to attacker-controlled domains, using encrypted data streams to evade detection. Persistence is achieved through registry Run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run) and scheduled tasks that reinstall the malware after system restarts. The backdoor supports file upload/download, remote shell execution, process manipulation, and keylogging, with the ability to silently disable anti-virus software by terminating associated processes. Evasion techniques include packing with UPX, obfuscating strings, and using dynamic API resolution to avoid static signature-based detection (MITRE ATT&CK technique T1027.002).
📜 History & Notable Incidents
First publicly documented in 2016 by CrowdStrike in a report titled “BINAN: A New Backdoor from Stone Panda,” Binanen was used in multiple campaigns against Japanese organizations including the Japan Aerospace Exploration Agency (JAXA) and major electronics manufacturers. In 2018, a variant exploited the Drupalgeddon2 vulnerability (CVE-2018-7600) to deliver the payload via compromised web servers. No law enforcement actions have been publicly recorded against the operators, as APT10 continues to operate under Chinese state sponsorship.
🔍 Detection Indicators
Known file hashes for Binanen variants include SHA256: 0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a (from public IOC databases) and behavioral signatures such as persistent outbound HTTP POST requests to /images/ or /upload/ endpoints with User-Agent strings mimicking Mozilla/5.0. Registry artifacts include the value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemSecurity containing a reference to a randomly named executable. Network indicators include C2 domains using dynamic DNS services like no-ip.org or duckdns.org.
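The behavioral indicators above (repeated POSTs to /images/ or /upload/ on dynamic-DNS hosts with a Mozilla/5.0 User-Agent, plus the SystemSecurity Run value) can be turned into a simple hunting check. The following is an added example, not code from the write-up or from any vendor; the proxy log format, the Run-key dictionary and the repeat threshold of three POSTs are assumptions, and all sample data is constructed.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed proxy log lines (not real traffic). Assumed format:
# client_ip method host path user_agent
SAMPLE_PROXY_LOG = """\
10.0.0.12 POST files.no-ip.org /upload/ Mozilla/5.0
10.0.0.12 POST files.no-ip.org /upload/ Mozilla/5.0
10.0.0.12 POST files.no-ip.org /upload/ Mozilla/5.0
10.0.0.31 GET www.example.com /index.html Mozilla/5.0
10.0.0.44 POST cdn.duckdns.org /images/ Mozilla/5.0
10.0.0.44 POST updates.vendor.example /upload/ Mozilla/5.0
"""

# Indicators taken from the write-up; the repeat threshold is an assumption.
DYNDNS_SUFFIXES = ("no-ip.org", "duckdns.org")
C2_PATHS = ("/images/", "/upload/")
POST_THRESHOLD = 3

def is_dyndns(host: str) -> bool:
    """True if host is a dynamic-DNS domain or a subdomain of one."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)

def count_beacons(log: str) -> Counter:
    """Count POSTs per (client, host) that match all three traffic indicators."""
    hits: Counter = Counter()
    for line in log.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) < 5:
            continue  # malformed line: skip it rather than abort the scan
        client, method, host, path, ua = parts
        if method == "POST" and path in C2_PATHS and is_dyndns(host) and ua.startswith("Mozilla/5.0"):
            hits[(client, host)] += 1
    return hits

def find_c2_beacons(log: str) -> List[Tuple[str, str, int]]:
    """Return (client, host, count) for pairs that reached the repeat threshold."""
    return sorted((c, h, n) for (c, h), n in count_beacons(log).items() if n >= POST_THRESHOLD)

# Constructed HKCU\...\CurrentVersion\Run values: value name -> command line.
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "SystemSecurity": r"C:\Users\alice\AppData\Roaming\xk7qwe2.exe",
}

def find_run_key_persistence(run_values: Dict[str, str]) -> List[str]:
    """Flag the 'SystemSecurity' Run value the write-up names as a Binanen artifact."""
    return [f"{name} -> {cmd}" for name, cmd in run_values.items() if name.lower() == "systemsecurity"]
```

A single POST to cdn.duckdns.org stays below the threshold and is not reported, while the three repeated POSTs from 10.0.0.12 are; on a real host the Run values would be read with winreg rather than from the constructed dictionary.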
☠️ Risk & Impact
Binanen enables full remote control of infected systems, leading to the exfiltration of intellectual property, proprietary source code, and sensitive government documents. Financial losses are difficult to quantify but include remediation costs and loss of competitive advantage; targeted sectors include aerospace, defense, and high-tech manufacturing, with victims primarily located in Japan, South Korea, and the United States.
🛡️ Mitigation
Defenders should implement application whitelisting, enforce multi-factor authentication, and deploy endpoint detection and response (EDR) tools with behavioral rules for suspicious registry persistence and anomalous HTTP traffic. Regularly apply patches for Microsoft Office (especially CVE-2017-0199 and CVE-2018-0798) and web application frameworks, and monitor for the specific IOCs listed in MITRE ATT&CK entry S0068 (BINAN) and CrowdStrike’s threat intelligence reports.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.