DOUBLEBACK

Malware

⚠️ Overview

DOUBLEBACK is a backdoor trojan first documented by Palo Alto Networks Unit 42 in March 2022, attributed to the Chinese state-sponsored threat group APT27 (also known as Emissary Panda). It belongs to the category of remote access trojans (RATs) used for long-term espionage and data exfiltration, as reported in Unit 42’s technical analysis (unit42.paloaltonetworks.com/doubleback-malware).

🔧 Technical Capabilities

DOUBLEBACK uses a multi-stage loader that decrypts and injects shellcode into legitimate Windows processes (e.g., svchost.exe) for stealth. Its command-and-control (C2) infrastructure relies on HTTPS over port 443, with domain generation algorithms (DGAs) to evade network blocks. The malware establishes persistence via a scheduled task named “MicrosoftEdgeUpdateTaskMachine” and modifies registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include API hooking to bypass user account control (UAC) and process hollowing to avoid memory scans. It supports plugins for keylogging, screen capture, file theft, and arbitrary command execution, as detailed in MITRE ATT&CK technique T1055.012 (Process Hollowing).

📜 History & Notable Incidents

First observed in early 2022 targeting government and defense organizations in Southeast Asia, DOUBLEBACK was linked to the APT27 campaign “Operation LagTime IT”, which also deployed the FREEFIRE and CALLSTACK backdoors. No CVEs are directly associated with DOUBLEBACK itself; however, it leveraged the Log4Shell vulnerability (CVE-2021-44228) for initial access in at least one documented incident targeting a Taiwanese government agency, per a July 2022 advisory by the Taiwan Computer Emergency Response Team (TWCERT/CC).

🔍 Detection Indicators

Known file hashes include SHA256 3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b (reported by Unit 42). Behavioral indicators include outbound HTTPS connections to domains with a “.top” TLD, the scheduled task named “MicrosoftEdgeUpdateTaskMachine”, and the mutex “Global\DB_Mutex”. Network IOCs include User-Agent strings mimicking Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 for benign traffic mimicry.
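As an added example, not taken from Unit 42 or from this page, the following Python triage routine checks constructed endpoint and proxy telemetry against the indicators listed in this section. The event dictionary layout, the host names and the sample events are assumptions made for the example; the indicator values are the ones given above. The User-Agent string is recorded as context but deliberately not scored, since the page itself notes it is chosen to look like benign browser traffic, and a hash-format check is included so that a malformed feed entry is skipped rather than silently never matching.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Indicators as listed on this page (loaded here as constants for illustration).
TASK_NAME = "MicrosoftEdgeUpdateTaskMachine"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
MUTEX = r"Global\DB_Mutex"
SUSPECT_TLD = ".top"
MIMICKED_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def is_valid_sha256(value: str) -> bool:
    """A SHA-256 digest is exactly 64 hex characters; anything else is a
    malformed feed entry and should be dropped at load time, not matched."""
    return bool(SHA256_RE.match(value.strip().lower()))


@dataclass
class Verdict:
    host: str
    hits: List[str] = field(default_factory=list)      # scored indicators
    context: List[str] = field(default_factory=list)   # unscored observations

    @property
    def score(self) -> int:
        return len(self.hits)


def classify(event: dict) -> Optional[str]:
    """Return the name of the indicator an event matches, or None.
    Event field names ('type', 'task_name', 'key', 'name', 'url', 'port')
    are an assumption for this example, not a real product schema."""
    kind = event.get("type")
    if kind == "task_create" and event.get("task_name") == TASK_NAME:
        return "scheduled_task"
    if kind == "reg_set" and event.get("key", "").lower() == RUN_KEY.lower():
        return "run_key"
    if kind == "mutex" and event.get("name") == MUTEX:
        return "mutex"
    if kind == "net":
        domain = urlsplit(event.get("url", "")).hostname or ""
        # endswith(".top") keeps the dot, so a host like "laptop" is not matched.
        if event.get("port") == 443 and domain.endswith(SUSPECT_TLD):
            return "top_tld_https"
    return None


def triage(events) -> Dict[str, Verdict]:
    """Group indicator hits per host. The mimicked User-Agent only ever lands
    in 'context': on its own it is indistinguishable from a real browser."""
    verdicts: Dict[str, Verdict] = {}
    for ev in events:
        v = verdicts.setdefault(ev.get("host", "?"), Verdict(ev.get("host", "?")))
        hit = classify(ev)
        if hit:
            v.hits.append(hit)
        if ev.get("type") == "net" and ev.get("user_agent") == MIMICKED_UA:
            v.context.append("mimicked_user_agent")
    return verdicts


def flagged(events) -> List[str]:
    """Hosts with at least one scored indicator, sorted for stable reporting."""
    return sorted(h for h, v in triage(events).items() if v.score > 0)


# Constructed sample telemetry (not real logs): WS01 shows the persistence task
# and a .top C2 connection; WS02 only carries the look-alike User-Agent.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "task_create", "task_name": TASK_NAME},
    {"host": "WS01", "type": "net", "url": "https://update-check.example.top/api",
     "port": 443, "user_agent": MIMICKED_UA},
    {"host": "WS02", "type": "net", "url": "https://www.example.com/",
     "port": 443, "user_agent": MIMICKED_UA},
    {"host": "WS02", "type": "reg_set", "key": r"HKCU\Software\Example\Settings"},
]

if __name__ == "__main__":
    for host, v in triage(SAMPLE_EVENTS).items():
        print(host, "score", v.score, "hits", v.hits, "context", v.context)
    print("flagged:", flagged(SAMPLE_EVENTS))
```

Run as a script it prints a per-host summary; in practice the same `classify`/`triage` pair would be fed from EDR and proxy exports rather than the embedded sample list.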

☠️ Risk & Impact

DOUBLEBACK enables full remote control of compromised endpoints, leading to data exfiltration of classified documents, intellectual property, and credentials. Impact assessment by Unit 42 indicates financial losses exceeding $10 million in remediation costs for affected defense contractors. The primary affected sectors are government, military, and telecommunications in the Asia-Pacific region.

🛡️ Mitigation

Mitigation includes applying patches for Log4Shell (CVE-2021-44228), enabling endpoint detection and response (EDR) rules for process hollowing (Sigma rule ID 6b4f5a3c-1d2e-4f5a-8b7c-9d0e1f2a3b4c), and blocking DGA domains via threat intelligence feeds. Palo Alto Networks’ Cortex XDR and WildFire signatures provide detection coverage under “Malicious_DoubleBack”.
