ComeBacker
⚠️ Overview
ComeBacker is a persistent backdoor trojan first documented by Chinese security firm Qihoo 360 in early 2021, associated with the suspected state-sponsored group APT-C-42 (also tracked as Mustang Panda). It is categorized as a Remote Access Trojan (RAT) designed for espionage, primarily targeting government and defense entities in Southeast Asia and Europe.
🔧 Technical Capabilities
ComeBacker propagates via spear-phishing emails containing malicious Office documents (e.g., .docx or .xlsx) that exploit CVE-2017-11882 (Microsoft Office Equation Editor vulnerability) to drop an initial payload. The malware employs a modular architecture: a core loader DLL decrypts and injects secondary modules into legitimate processes such as svchost.exe or explorer.exe. It communicates with its command-and-control (C2) infrastructure over HTTP using encrypted JSON blobs, with C2 servers often hosted on compromised WordPress sites. Persistence is achieved through a scheduled task or a registry run key under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`. Evasion techniques include API hammering (calling IsDebuggerPresent in loops), timestomping PE headers to match legitimate Microsoft files, and disabling Windows Defender via WMI commands.
📜 History & Notable Incidents
ComeBacker was first observed in January 2021 targeting Myanmar government ministries during the post-coup unrest, using lures related to political affairs. A second campaign in mid-2022 hit European foreign ministries and think tanks, as reported by Trend Micro in a private intelligence note. No CVEs are directly associated with ComeBacker (it exploits the older CVE-2017-11882), and no law enforcement actions have been announced.
🔍 Detection Indicators
Known file hashes include SHA256 a3f1c8b...47d2 (loader DLL) and e7b2a1c...9f3e (dropper document) from Qihoo 360's public report. Behavioral signatures: the malware creates a mutex named `Global\ComeBackerMutex` and drops a temporary file with a .tmp extension in %temp%. Network IOCs include User-Agent strings mimicking `Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0)` and C2 domains ending in .xyz or .top (e.g., update[.]xyz).
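The following is an added detection example, not code from the original page or from Qihoo 360 or Trend Micro. It applies the indicators listed above (the IE11-style User-Agent, .xyz/.top destinations, the mutex name, the Run-key persistence path and the %temp% .tmp drop) to constructed sample proxy log lines and host telemetry events; the tab-separated proxy format and the dict-shaped host events are assumptions for illustration, as are the host names and IP addresses.

```python
"""Flag ComeBacker-style indicators in constructed sample logs (added example).

Assumed input formats (not from the page):
  proxy line : "<timestamp>\t<src_ip>\t<dest_host>\t<user_agent>"
  host event : {"host": str, "type": "mutex"|"registry_set"|"file_create", "value": str}
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Indicators as given in the page text above.
IE11_UA = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0)"
C2_TLDS = (".xyz", ".top")
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
MUTEX_NAME = r"Global\ComeBackerMutex"


@dataclass
class Hit:
    source: str            # host name or source IP the hit belongs to
    severity: str          # "high", "medium" or "low"
    reasons: list[str] = field(default_factory=list)
    host: str = ""         # destination host for network hits


def parse_proxy_line(line: str) -> tuple[str, str, str, str]:
    """Split one tab-separated proxy record into (ts, src_ip, dest_host, user_agent)."""
    parts = line.rstrip("\n").split("\t", 3)
    if len(parts) != 4:
        raise ValueError(f"malformed proxy line: {line!r}")
    return parts[0], parts[1], parts[2], parts[3]


def scan_proxy_log(lines: list[str]) -> list[Hit]:
    """Return one Hit per matching proxy record.

    The User-Agent alone is a real IE11-on-Windows-7 string, so on its own it is a
    weak signal (low). The suspicious TLD alone is also low. Both together is high.
    """
    hits: list[Hit] = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        _, src, host, ua = parse_proxy_line(line)
        reasons = []
        if ua == IE11_UA:
            reasons.append("User-Agent matches ComeBacker C2 string")
        if host.lower().endswith(C2_TLDS):
            reasons.append(f"destination on {host.rsplit('.', 1)[-1]} TLD")
        if reasons:
            severity = "high" if len(reasons) == 2 else "low"
            hits.append(Hit(source=src, severity=severity, reasons=reasons, host=host))
    return hits


def scan_host_events(events: list[dict]) -> list[Hit]:
    """Return one Hit per host event that matches a ComeBacker behavioral indicator."""
    hits: list[Hit] = []
    for ev in events:
        kind, value = ev["type"], ev["value"]
        low = value.lower()
        if kind == "mutex" and value == MUTEX_NAME:
            hits.append(Hit(ev["host"], "high", ["ComeBacker mutex created"]))
        elif kind == "registry_set" and low.startswith(RUN_KEY.lower() + "\\"):
            hits.append(Hit(ev["host"], "medium", ["Run-key persistence written"]))
        elif kind == "file_create" and low.endswith(".tmp") and "\\temp\\" in low:
            # Very common benign behaviour; only useful when correlated with the above.
            hits.append(Hit(ev["host"], "low", [".tmp file dropped in %temp%"]))
    return hits


# Constructed sample data for a stand-alone run (not real telemetry).
SAMPLE_PROXY_LINES = [
    "# ts\tsrc_ip\tdest_host\tuser_agent",
    "2021-01-14T09:12:03Z\t10.0.4.21\tupdate.xyz\t" + IE11_UA,
    "2021-01-14T09:13:10Z\t10.0.4.22\tintranet.example.com\t" + IE11_UA,
    "2021-01-14T09:14:55Z\t10.0.4.23\tcdn.example.top\tMozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "2021-01-14T09:15:20Z\t10.0.4.24\twww.example.com\tMozilla/5.0 (Windows NT 10.0; Win64; x64)",
]
SAMPLE_HOST_EVENTS = [
    {"host": "WS-0421", "type": "mutex", "value": r"Global\ComeBackerMutex"},
    {"host": "WS-0421", "type": "registry_set", "value": RUN_KEY + r"\Updater"},
    {"host": "WS-0422", "type": "file_create", "value": r"C:\Users\a\AppData\Local\Temp\tmp1A2B.tmp"},
    {"host": "WS-0423", "type": "mutex", "value": r"Global\SomeOtherApp"},
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LINES) + scan_host_events(SAMPLE_HOST_EVENTS):
        print(f"[{hit.severity:>6}] {hit.source:<10} {hit.host:<22} {'; '.join(hit.reasons)}")
```

Only the combination of the mimicked User-Agent with a .xyz/.top destination, or the mutex name, is rated high here; the User-Agent on its own is what genuine IE11 on Windows 7 sends, and a .tmp file in %temp% is everyday behaviour, so those are emitted as low-severity context to be correlated per host rather than alerted on directly.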
☠️ Risk & Impact
ComeBacker enables full remote control of infected endpoints, allowing attackers to exfiltrate documents, credentials, and keystrokes. Affected sectors include government foreign affairs, defense, and energy, primarily in Myanmar, Vietnam, and Belgium. While no financial ransom demands are made, the espionage impact is severe: Trend Micro attributed to it the theft of diplomatic correspondence and military plans.
🛡️ Mitigation
Defenders should block execution of Microsoft Equation Editor (mshta.exe) via AppLocker rules and deploy YARA signatures for the loader DLL pattern (available from Qihoo 360's VirusTotal Intelligence). Network monitoring for the unique User-Agent string and C2 domains on .xyz TLDs helps detect early-stage infections.