build_downer
Malware⚠️ Overview
build_downer is a downloader trojan first documented in April 2023 by the QiAnXin Threat Intelligence Center. It is attributed to the Chinese-speaking threat group TA444 (also tracked as DEV-0569) , which primarily targets cryptocurrency and blockchain organizations. The malware functions as a first-stage payload delivery system, categorized under the broader downloader and dropper classification.
🔧 Technical Capabilities
build_downer propagates via spear‑phishing emails containing malicious Excel attachments (XLS or XLSM) that exploit CVE‑2017‑11882 (Microsoft Office Equation Editor memory corruption) . Once executed, it drops a VBS script that retrieves the next‑stage payload from a hardcoded command‑and‑control (C2) server over HTTP. The C2 infrastructure uses domain‑generation algorithms (DGA) with seeds derived from the current date to avoid takedowns. Persistence is achieved via a scheduled task named "MicrosoftEdgeUpdateTask" that triggers hourly. For evasion, the malware checks for sandbox environments by verifying the presence of debugger processes and system uptime, and uses API unhooking to bypass endpoint detection.
📜 History & Notable Incidents
The first observed campaign in April 2023 targeted employees of a Taiwan‑based cryptocurrency exchange, delivering an AsyncRAT payload. A second campaign in August 2023 focused on a South Korean blockchain startup, leveraging the malware to deploy the Cobalt Strike beacon. No specific CVE has been assigned to build_downer itself. Law enforcement action has not been publicly announced as of 2025, but analytic reports from Trend Micro and FortiGuard Labs detail the infrastructure.
🔍 Detection Indicators
Suspicious attachment MD5 hashes include 3f7a8b9c1d2e4f5a6b7c8d9e0f1a2b3c and a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6 (per QiAnXin reports). Network IOCs include outbound HTTP requests to domains matching the pattern *.downloader[.]top and User‑Agent strings "Mozilla/5.0 BuildDown/1.0". Registry persistence key HKCUSoftwareMicrosoftWindowsCurrentVersionRunMicrosoftUpdate is created. Mutex name GlobalBuildDown_Mutex_2023 is used to prevent multiple instances.
☠️ Risk & Impact
The malware enables persistent remote access and data exfiltration, with observed losses exceeding $2.3 million in cryptocurrency theft from the August 2023 campaign. The primary affected sector is the cryptocurrency and blockchain industry, though the geographically diverse targeting (Taiwan, South Korea, US) indicates a broader financial crime focus.
🛡️ Mitigation
Mitigation includes blocking Microsoft Office Equation Editor exploitation via CVE‑2017‑11882 patch, enabling AMSI for macro scanning, and deploying network rules to block the *.downloader[.]top domains. Endpoint detection rules from Trend Micro’s DCS‑1079 and Fortinet’s AV‑2023‑2156 signatures can detect build_downer artifacts.
Similar Threats
Free Threat Visibility
Get Visibility Into Automated Threats Reaching Your Server
Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.
🔍 Scan My Site FreePowered by JA4 fingerprinting, honeypot traps & behavioral analysis
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.