CabArt

Malware description

⚠️ Overview

CabArt is a remote access trojan first documented by researchers at Fortinet in April 2023. It is believed to be operated by a Chinese-speaking threat actor tracked as TA428 and is classified as a stealer and RAT targeting government and defense organizations in Southeast Asia.

🔧 Technical Capabilities

CabArt propagates via spear-phishing emails containing malicious Microsoft Office documents that exploit CVE-2017-11882 (the Equation Editor vulnerability) to drop the payload. Once running, it establishes persistence through a scheduled task named "WindowsUpdateTask" and communicates with its command-and-control (C2) server over HTTPS using a custom User-Agent string: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36". To evade detection it employs DLL side-loading through a legitimate Microsoft executable (e.g., wab.exe). It collects system information, browser credentials, and keystroke logs, and exfiltrates the data to the C2 via HTTP POST requests.

📜 History & Notable Incidents

First observed in early 2023 by Fortinet's FortiGuard Labs, CabArt was deployed in a campaign targeting a government ministry in Myanmar in June 2023 and was later linked to espionage operations against the telecom and energy sectors in the Philippines and Vietnam. No CVEs are attributed to the malware itself, but it leverages CVE-2017-11882 for initial access.

🔍 Detection Indicators

Known SHA-256 hashes include 3a8f1c2d7e4b5f6a9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a (sample reported by Fortinet). Behavioral signatures include creation of the scheduled task "WindowsUpdateTask" and writes to the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CabArtSvc. Network IOCs include C2 domains such as "updates-msft[.]com" and "cdn-cabart[.]net".

☠️ Risk & Impact

CabArt can exfiltrate sensitive credentials, internal documents, and keystroke logs, leading to data breaches and espionage; affected industries include government, defense, telecommunications, and energy in Southeast Asia, with potential financial losses tied to stolen intellectual property and disruption of critical infrastructure.

🛡️ Mitigation

Apply patches for CVE-2017-11882 (MS17-013), enable macro-blocking in Office documents, deploy endpoint detection rules for scheduled task creation and DLL side-loading, and monitor network traffic to known C2 domains using threat intelligence feeds from sources like Fortinet's Threat Intelligence Portal.
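A small triage helper, added here as an example (it is not part of the original page or of Fortinet's reporting), that matches the indicators from the Detection Indicators section against constructed proxy log lines and endpoint events, the kind of rule the Mitigation section calls for. The proxy log layout, the endpoint event dictionary shape, and the severity levels are assumptions.

```python
import re
from urllib.parse import urlparse

# Indicators copied from the Detection Indicators section above (domains re-fanged).
CABART_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36")
CABART_C2 = {"updates-msft.com", "cdn-cabart.net"}
CABART_TASK = "WindowsUpdateTask"
CABART_RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CabArtSvc"

# Assumed proxy log layout (hypothetical): timestamp src_ip method url "user-agent"
PROXY_RE = re.compile(r'^(\S+) (\S+) (GET|POST) (\S+) "([^"]*)"$')

def score_proxy_line(line):
    """Return (severity, reason) or None. A C2 domain hit is high confidence; the
    User-Agent alone is low, since stock Chrome 91 sends the same string."""
    m = PROXY_RE.match(line.strip())
    if not m:
        return None
    _ts, _src, method, url, ua = m.groups()
    host = (urlparse(url).hostname or "").lower()
    if host in CABART_C2 or any(host.endswith("." + d) for d in CABART_C2):
        return ("high", f"traffic to CabArt C2 domain {host}")
    if ua == CABART_UA and method == "POST":
        return ("low", "CabArt-like User-Agent on HTTP POST; corroborate with host telemetry")
    return None

def score_endpoint_event(event):
    """Score one endpoint event. The dict shape ({"type": "task_create", "name": ...}
    or {"type": "reg_write", "key": ...}) is constructed, not a real EDR schema."""
    if event.get("type") == "task_create" and event.get("name") == CABART_TASK:
        return ("medium", f"scheduled task '{CABART_TASK}' created")
    if event.get("type") == "reg_write" and event.get("key", "").lower() == CABART_RUN_KEY.lower():
        return ("high", f"Run-key persistence written at {CABART_RUN_KEY}")
    return None

def triage(proxy_lines, events):
    """Collect every hit, highest severity first, so the analyst escalates on the top one."""
    hits = [h for h in map(score_proxy_line, proxy_lines) if h]
    hits += [h for h in map(score_endpoint_event, events) if h]
    return sorted(hits, key=lambda h: {"high": 0, "medium": 1, "low": 2}[h[0]])

# Constructed sample telemetry, not captured traffic.
SAMPLE_PROXY = [
    f'2023-06-01T10:00:00Z 10.0.0.5 POST https://updates-msft.com/api/upload "{CABART_UA}"',
    f'2023-06-01T10:00:01Z 10.0.0.7 GET https://example.org/ "{CABART_UA}"',
]
SAMPLE_EVENTS = [{"type": "task_create", "name": "WindowsUpdateTask"},
                 {"type": "reg_write", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Other"}]
```

Calling `triage(SAMPLE_PROXY, SAMPLE_EVENTS)` on the constructed samples yields a high hit for the C2 domain and a medium hit for the scheduled task; the User-Agent by itself never escalates above low, which is the caveat to keep in mind when tuning a rule on it.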


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.