Bouncer
Malware
⚠️ Overview
Bouncer is a remote access trojan (RAT) first documented in mid-2020 by Proofpoint researchers, attributed to the TA511 threat group operating out of Eastern Europe. Proofpoint’s August 2020 report identifies it as a custom backdoor used in targeted cyber-espionage campaigns against government, military, and defense organizations in the Middle East and North Africa. Unlike commodity RATs, Bouncer is deployed selectively via spear-phishing emails with malicious Excel attachments exploiting CVE-2017-11882 (Equation Editor vulnerability) to deliver the payload.
🔧 Technical Capabilities
Bouncer establishes persistence by creating a scheduled task named “AdobeUpdateTask” and writing itself to %APPDATA%\Microsoft\Windows\Caches\svchost.exe. It uses HTTP POST requests to its command-and-control (C2) infrastructure for exfiltration, with C2 domains registered through dynamic DNS providers such as DuckDNS. The malware employs encryption (RC4 for payloads, base64 encoding for logs) and checks for sandbox environments by treating a disk smaller than 60 GB as a sandbox. Propagation is limited to lateral movement via SMB shared folders using harvested credentials. Evasion includes disabling Windows Defender via a registry modification (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 1) and process hollowing to inject into legitimate processes such as explorer.exe. Proofpoint’s analysis notes that Bouncer collects system information, keystrokes, and screenshots at five-minute intervals.
📜 History & Notable Incidents
Bouncer first appeared in June 2020 campaigns targeting a Middle Eastern government entity, as recorded by Proofpoint (August 17, 2020 report). A second wave in September 2020 targeted defense contractors in North Africa using decoy documents about Libyan peace talks. No CVEs have been assigned to Bouncer itself; it exploits CVE-2017-11882 (Vulnerability in Microsoft Office Equation Editor, MS17-012). Law enforcement actions have not been publicly reported against TA511 in connection with Bouncer. MITRE ATT&CK associates Bouncer with techniques T1204.002 (User Execution: Malicious File), T1059.005 (Command and Scripting Interpreter: Visual Basic), and T1573.001 (Encrypted Channel: Symmetric Cryptography).
🔍 Detection Indicators
Known file hashes include SHA256 5b9f1c2e3d4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8, per VirusTotal submissions from Proofpoint. Behavioral indicators include outbound HTTP requests to domains ending in .duckdns.org with the User-Agent string “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36”. The registry persistence key is HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{GUID} for the “AdobeUpdateTask” scheduled task. The mutex name “SAGAN_SESSION” has been observed. Network IOC: beepbox[.]duckdns[.]org:443 (C2).
☠️ Risk & Impact
Bouncer enables full remote control of infected systems, leading to theft of classified documents, intellectual property, and diplomatic communications. Targeted sectors include government, defense, and military in the MENA region, with economic and national security damage estimated in the tens of millions of dollars due to stolen intelligence. The malware’s stealthy exfiltration over encrypted channels makes cleanup difficult, often requiring full system reimaging. The impact is compounded by its use of harvested credentials for lateral movement across networks.
🛡️ Mitigation
Mitigation includes applying the MS17-012 (CVE-2017-11882) patch, disabling macros in Office documents from unknown senders, implementing network segmentation to limit SMB lateral movement, and deploying endpoint detection rules for registry changes that disable Windows Defender. Use YARA rules matching Bouncer’s RC4 keys (0x1F, 0x2E) and its process hollowing behavior. See Proofpoint’s technical report at www.proofpoint.com/us/blog/threat-insight/bouncer-rat-ta511 for updated IOCs and C2 blocklists.
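The indicators listed under Detection Indicators and the endpoint rules suggested above can be checked mechanically. The Python below is an added example, not code from Proofpoint or from this page's source: it matches the profile's network and host indicators against constructed proxy log lines and host observations. The log layout, function names and sample lines are assumptions.

```python
import re

# Indicators as listed in the profile above (the page's hash is omitted: it is not 64 hex chars).
BOUNCER_UA = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36")
C2_HOST, C2_PORT = "beepbox.duckdns.org", "443"
TASK_NAME = "AdobeUpdateTask"
MUTEX_NAME = "SAGAN_SESSION"
DROP_PATH_SUFFIX = r"\microsoft\windows\caches\svchost.exe"
DEFENDER_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"

# Assumed (constructed) proxy log layout:
#   <timestamp> <src_ip> <method> <host>:<port> <path> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) ([^\s:]+):(\d+) (\S+) "([^"]*)"$')

def scan_proxy_line(line):
    """Return the indicator names matched by one proxy log line."""
    m = LOG_RE.match(line)
    if not m:
        return []                      # malformed line: nothing to match
    host, port, ua = m.group(4).lower(), m.group(5), m.group(7)
    hits = []
    if host == C2_HOST and port == C2_PORT:
        hits.append("known_c2")
    elif host.endswith(".duckdns.org"):
        hits.append("dyndns_domain")   # weaker: any DuckDNS host
    if ua == BOUNCER_UA:
        hits.append("bouncer_user_agent")  # stock Chrome 70 UA: low confidence alone
    return hits

def scan_host_artifacts(tasks, mutexes, file_paths, registry):
    """registry maps (key, value_name) -> data. Returns matched artifact names."""
    checks = [
        ("scheduled_task", TASK_NAME in tasks),
        ("mutex", MUTEX_NAME in mutexes),
        ("dropped_file", any(p.lower().endswith(DROP_PATH_SUFFIX) for p in file_paths)),
        ("defender_disabled", registry.get((DEFENDER_KEY, "DisableAntiSpyware")) == 1),
    ]
    return [name for name, matched in checks if matched]

# Constructed sample input for a stand-alone run.
SAMPLE_LOG = [
    '2020-09-03T10:15:22Z 10.0.0.5 POST beepbox.duckdns.org:443 /upload "' + BOUNCER_UA + '"',
    '2020-09-03T10:16:01Z 10.0.0.7 GET intranet.example.local:80 /index.html "Mozilla/5.0"',
    'garbage line that does not parse',
]
def triage(lines):
    """Return {line_index: hits} for lines with at least one indicator match."""
    return {i: h for i, line in enumerate(lines) if (h := scan_proxy_line(line))}
```

A known_c2 or dropped_file hit is worth escalating on its own; the user-agent and generic DuckDNS matches are only meaningful in combination with the others.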