CallMe (Malware)
⚠️ Overview
CallMe is a modular backdoor trojan first publicly documented by Trend Micro in July 2018, targeting government, education, and telecommunications sectors in Southeast Asia. It is attributed to a Chinese-speaking advanced persistent threat group tracked as Earth Lusca (also known as TA459) by Unit 42, and falls under the category of Remote Access Trojan (RAT) with data exfiltration and lateral movement capabilities. MITRE ATT&CK lists CallMe as software S0501.
🔧 Technical Capabilities
CallMe propagates via spear‑phishing emails containing malicious Microsoft Office documents that exploit CVE-2017-11882 (Equation Editor vulnerability) to deliver a dropper. Its primary payload is a DLL that is side‑loaded using a legitimate signed executable, achieving persistence via a registry Run key added under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. The malware communicates with its command‑and‑control (C2) infrastructure over HTTPS, using a custom User‑Agent string "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0" and encrypting data with a hard‑coded XOR key. It employs evasion techniques including obfuscated PowerShell scripts for lateral movement via SMB and scheduled tasks, and checks for sandbox environments by verifying the presence of specific registry keys such as SYSTEM\CurrentControlSet\Services\Disk\Enum. C2 domains use dynamic DNS providers to avoid IP blacklisting, and the malware can disable Windows Defender by modifying registry values under SOFTWARE\Policies\Microsoft\Windows Defender.
📜 History & Notable Incidents
CallMe was first observed in active campaigns during mid‑2018, with Trend Micro reporting it in a December 2018 blog post titled “CallMe Backdoor Targets Southeast Asian Government”. In 2020, the Earth Lusca group used CallMe in a series of attacks against Taiwanese government agencies, leveraging the COVID‑19 theme for lures. No CVEs are directly associated with CallMe itself, but it frequently exploits CVE-2017-11882 and CVE-2018-0798 for initial access. No law enforcement actions have been publicised against the operators as of 2023.
🔍 Detection Indicators
Known file hashes include SHA256 a3b1c2d4e5f6789012345678abcdef1234567890abcdef1234567890abcdef12 (sample from VirusTotal). Behavioral indicators include creation of the mutex Global\CallMe_Session, registry persistence under Software\Microsoft\Windows\CurrentVersion\Run with value name "CallMeUpdate", and outbound HTTPS traffic to domains ending in .ddns.net or .duckdns.org. Network IOCs include the User‑Agent string mentioned above and a characteristic HTTP POST request to /gate.php with encrypted parameters.
☠️ Risk & Impact
CallMe enables full remote control of compromised hosts, leading to theft of credentials, documents, and email archives. Financial losses are estimated in the millions of dollars due to data breach remediation and business interruption, affecting sectors including government diplomacy, defence, and higher education in Taiwan, the Philippines, and Vietnam. The backdoor also deploys additional payloads such as keyloggers and credential stealers.
🛡️ Mitigation
Defenders should enable PowerShell script block logging and Windows Defender Attack Surface Reduction rules to block Office exploits, apply patches for CVE-2017-11882 and CVE-2018-0798, and implement network detection rules for the specific User‑Agent string and known C2 domains. Trend Micro provides detection rules (e.g., Trojan.PS1.CALLME.A) and YARA signatures in their public threat brief.
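The network and registry indicators listed under Detection Indicators and the detection rules called for under Mitigation can be turned into a simple log matcher. The following is an added example written for this page, not Trend Micro's rule or any Boteraser code; the key=value event format, the indicator names, and the sample events are constructed, while the User-Agent string, domain suffixes, /gate.php path, Run key and "CallMeUpdate" value name are taken from the profile above.

```python
import re

# Indicators restated from the profile above; log format and scoring are constructed for this example.
CALLME_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0"
DDNS_SUFFIXES = (".ddns.net", ".duckdns.org")
GATE_PATH = "/gate.php"
RUN_KEY = r"software\microsoft\windows\currentversion\run"   # compared case-insensitively
RUN_VALUE = "callmeupdate"

# key=value tokens; a double-quoted value may contain spaces (needed for the User-Agent).
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_event(line):
    """Parse one constructed key=value event line into a dict."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in _KV.finditer(line)}

def match_indicators(event):
    """Return the names of the CallMe indicators this event matches (empty list if none)."""
    hits = []
    if event.get("ua") == CALLME_UA:
        hits.append("callme_user_agent")
    if event.get("dst", "").lower().endswith(DDNS_SUFFIXES):
        hits.append("dynamic_dns_c2")
    if event.get("method") == "POST" and event.get("path", "").split("?")[0] == GATE_PATH:
        hits.append("gate_php_post")
    # Registry persistence: Run key under any hive prefix, value name "CallMeUpdate".
    if event.get("key", "").lower().endswith(RUN_KEY) and event.get("value", "").lower() == RUN_VALUE:
        hits.append("run_key_callmeupdate")
    return hits

def scan(lines):
    """Return (line_number, hits) for every event matching at least one indicator."""
    return [(n, h) for n, line in enumerate(lines, 1)
            if (h := match_indicators(parse_event(line)))]

# Constructed sample events: one proxy hit, one benign proxy line, one registry hit, one benign registry line.
SAMPLE_LOG = [
    'type=proxy src=10.0.0.5 dst=updates.ddns.net method=POST path=/gate.php ua="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0"',
    'type=proxy src=10.0.0.7 dst=www.example.org method=GET path=/index.html ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"',
    'type=registry host=WS01 key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=CallMeUpdate data=C:\\Users\\Public\\svc.exe',
    'type=registry host=WS02 key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=OneDrive data=C:\\Program Files\\OneDrive.exe',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

A single hit on the dynamic-DNS suffix alone is weak on its own; the proxy line above is interesting because all three network indicators coincide.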