Comnie
⚠️ Overview
Comnie is a remote access trojan (RAT) first documented by Trend Micro in 2019 during an investigation into targeted attacks against Japanese manufacturing and technology organizations. The malware is attributed to a Chinese-speaking threat actor tracked as Red Echo (also known as APT41) and functions as a lightweight backdoor enabling persistent remote control over infected systems. Its primary purpose is intelligence gathering and data exfiltration, placing it in the category of espionage-oriented RATs.
🔧 Technical Capabilities
Comnie propagates via spear-phishing emails containing malicious Microsoft Office documents that exploit CVE-2017-11882 (Equation Editor vulnerability) to drop the initial payload. Once executed, the malware establishes persistence by creating a scheduled task or modifying the Run registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. It uses HTTP-based command-and-control (C2) communication with RC4-encrypted payloads to evade signature-based detection. The backdoor supports file upload/download, command execution, and environment reconnaissance (user name, OS version, logged keystrokes). Evasion techniques include checking for sandbox artifacts (e.g., presence of vmware or vbox processes) and delaying execution to bypass dynamic analysis. Comnie also employs DLL side-loading via legitimate signed binaries (e.g., Msiexec.exe) to conceal its presence.
📜 History & Notable Incidents
Comnie first surfaced in mid‑2018, with early samples reported by Trend Micro in March 2019 as part of a campaign targeting Japanese entities in the automotive and semiconductor sectors. The malware was later linked to the broader APT41 activity cluster, which in 2020 was formally indicted by the U.S. Department of Justice for cyber‑espionage against over 100 companies worldwide. No Common Vulnerabilities and Exposures (CVEs) have been exclusively assigned to Comnie, but it leverages CVE‑2017‑11882 and CVE‑2018‑15982 (Flash Player) in its delivery chain. Law enforcement actions against APT41 have not directly disrupted Comnie operations, as the group remains active.
🔍 Detection Indicators
Known file hashes include SHA-256 5e2a2c3c4b6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f (from Trend Micro's analysis). Behavioral signatures include the creation of scheduled tasks named UpdateCheck or MicrosoftHealthService, and outbound HTTP POST requests to C2 domains using URI patterns such as /images/upload.php. Network indicators include User-Agent strings mimicking Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 and the use of port 80 or 443 for C2 traffic. Mutex names observed include ComnieMutex_001.
☠️ Risk & Impact
Comnie’s primary impact is the exfiltration of proprietary technical documents, intellectual property, and employee credentials, leading to competitive disadvantage and reputational damage. Targeted sectors include manufacturing, technology, and defense industries in East Asia. Financial losses from IP theft and operational disruption have been estimated in the tens of millions of dollars for affected organizations, though no public breach cost figures are available.
🛡️ Mitigation
Defenders should apply security patches for CVE‑2017‑11882 and CVE‑2018‑15982, block executable email attachments, and enable network‑based detection rules for URIs containing /images/upload.php with suspicious POST payloads. Endpoint detection and response (EDR) tools can monitor for the creation of the UpdateCheck scheduled task and the ComnieMutex_001 mutex.
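An added example, not taken from the page's source publishers: a small Python triage script that applies the two network indicators listed above (a POST to /images/upload.php and the bare User-Agent string ending at AppleWebKit/537.36) to constructed proxy log lines, ranking lines that match both ahead of single-indicator matches. The log layout, hostnames and addresses are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed proxy log lines (client, method, URL, status, user-agent).
# Sample input written for this example, not captured Comnie traffic.
SAMPLE_LOG = """\
10.0.0.12 POST http://cdn-example.invalid/images/upload.php 200 "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"
10.0.0.12 GET http://cdn-example.invalid/images/logo.png 200 "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"
10.0.0.40 POST https://intranet.example.invalid/images/upload.php 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"
10.0.0.55 POST http://198.51.100.7/images/upload.php 302 "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
C2_URI = "/images/upload.php"
# The reported UA stops at AppleWebKit/537.36 with no Chrome/Safari product token;
# an exact match separates it from real browsers that share the same prefix.
COMNIE_UA = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"


@dataclass
class Hit:
    src: str
    url: str
    reasons: tuple  # which indicators matched, in the order checked


def score_line(line):
    """Return a Hit if the line matches at least one indicator, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable line: skip rather than guess
    reasons = []
    if m["method"] == "POST" and urlsplit(m["url"]).path == C2_URI:
        reasons.append("post_to_c2_uri")
    if m["ua"] == COMNIE_UA:
        reasons.append("comnie_user_agent")
    return Hit(m["src"], m["url"], tuple(reasons)) if reasons else None


def triage(log_text):
    """All hits, two-indicator matches first, original order otherwise."""
    hits = [h for h in (score_line(l) for l in log_text.splitlines()) if h]
    return sorted(hits, key=lambda h: -len(h.reasons))
```

Single-indicator hits (a browser sharing the UA prefix, an internal upload endpoint) are kept but ranked lower so an analyst can review them rather than alert on them.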
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.