FlexNet

Malware

⚠️ Overview

FlexNet is a modular remote access trojan (RAT) and backdoor first publicly documented in June 2019 by Palo Alto Networks Unit 42, attributed to the Iranian state-sponsored threat group APT34 (also tracked as OilRig, Cobalt Gypsy, or TA450). It is categorized as a backdoor used for espionage, leveraging the legitimate FlexNet licensing software's name as a decoy to evade detection.

🔧 Technical Capabilities

FlexNet is written in .NET and communicates with its command-and-control (C2) servers using HTTP POST requests, with payloads encrypted using AES-256-CBC and Base64-encoded. It employs a modular plugin architecture; known plugins include keyloggers, screen capture, file enumeration, and exfiltration. Persistence is achieved by adding a registry run key under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` or by creating scheduled tasks. For evasion, FlexNet masquerades as the legitimate FlexNet licensing DLL (e.g., FlexNet.dll) and uses process hollowing to inject malicious code into benign processes. C2 infrastructure often uses compromised websites or dedicated domains with dynamic DNS services. MITRE ATT&CK ID S0400 describes FlexNet with techniques including T1059.001 (PowerShell), T1055.012 (Process Hollowing), and T1574.001 (DLL Search Order Hijacking).

📜 History & Notable Incidents

First identified by Unit 42 in June 2019 targeting government, energy, and telecommunications sectors in the Middle East, particularly in Saudi Arabia and the UAE. No specific CVEs are directly tied to FlexNet, but APT34 has historically leveraged Microsoft Office exploits (e.g., CVE-2017-0199) and spear-phishing payloads for initial access. A 2020 campaign linked to FlexNet used PowerShell scripts to download and execute the backdoor in memory, avoiding disk writes. No law enforcement actions or takedowns have been publicly reported against FlexNet infrastructure.

🔍 Detection Indicators

Unit 42's report lists SHA256 file hashes for FlexNet samples; the value reproduced here, 0a3b5c8d9e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6, is a placeholder rather than a real indicator (it is not even a valid 64-character SHA256), so take hashes from the report itself. Behavioral indicators: persistent network traffic to IPs such as 185.165.29.101 (historical C2), registry modifications under the run key, and the presence of FlexNet.dll in the user's AppData folder. The mutex name `Global\FlexNet` has been observed. User-Agent strings often mimic legitimate browsers, e.g., "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36".

☠️ Risk & Impact

FlexNet enables long-term espionage, exfiltrating sensitive documents, credentials, and keystrokes from compromised systems. The primary impact is strategic intelligence theft from government and critical infrastructure sectors in the Middle East. Financial losses are indirect, arising from remediation costs and operational disruption. The malware poses a high risk to organizations with weak network segmentation or unpatched email gateways.

🛡️ Mitigation

Defenders should block outbound HTTP POST traffic to known C2 domains (see Unit 42 IOC list), enforce application whitelisting to prevent .NET backdoor execution, and deploy EDR rules detecting process hollowing and registry run key modifications. Regular patching of Microsoft Office vulnerabilities (e.g., CVE-2017-0199) reduces initial infection vectors. For full detection logic, refer to the Unit 42 report at unit42.paloaltonetworks.com/flexnet-backdoor and MITRE ATT&CK S0400.
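As an added example (not code from Unit 42 or from this page's authors), the following Python triage routine applies the behavioral indicators listed above to endpoint telemetry: a run-key entry pointing at FlexNet.dll under AppData, the `Global\FlexNet` mutex, and HTTP POST traffic to the historical C2 IP. The event schema, host names, and file paths are constructed assumptions; the placeholder hash from the Detection Indicators section is deliberately not used.

```python
import re
from collections import defaultdict

# Indicators reproduced from the profile above (C2 IP, run key, mutex, DLL name);
# the event schema, host names and file paths below are constructed for this example.
C2_IPS = {"185.165.29.101"}
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
MUTEX_NAME = r"Global\FlexNet"
DLL_NAME = "flexnet.dll"
APPDATA_RE = re.compile(r"\\appdata\\", re.IGNORECASE)

def score_event(ev):
    """Return the indicator names that a single telemetry record matches."""
    hits = []
    kind = ev.get("type")
    if kind == "registry_set":
        if ev.get("key", "").lower().startswith(RUN_KEY):
            hits.append("run_key_persistence")
            data = ev.get("data", "")
            if DLL_NAME in data.lower() and APPDATA_RE.search(data):
                hits.append("flexnet_dll_in_appdata")
    elif kind == "file_create":
        path = ev.get("path", "")
        if path.lower().endswith(DLL_NAME) and APPDATA_RE.search(path):
            hits.append("flexnet_dll_in_appdata")
    elif kind == "mutex_create" and ev.get("name") == MUTEX_NAME:
        hits.append("flexnet_mutex")
    elif kind == "network":
        if ev.get("dst_ip") in C2_IPS and ev.get("method", "").upper() == "POST":
            hits.append("c2_http_post")
    return hits

def triage(events):
    """Group hits per host; flag a host when run-key persistence coincides with a second indicator."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(score_event(ev))
    flagged = sorted(h for h, hits in per_host.items()
                     if "run_key_persistence" in hits and len(hits) >= 2)
    return dict(per_host), flagged

# Constructed telemetry: one suspicious host and one benign host with a legitimate run key.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "FlexNet", "data": r"rundll32 C:\Users\a\AppData\Roaming\FlexNet.dll,Start"},
    {"host": "ws01", "type": "mutex_create", "name": r"Global\FlexNet"},
    {"host": "ws01", "type": "network", "dst_ip": "185.165.29.101", "method": "POST"},
    {"host": "ws02", "type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Users\b\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]
```

Requiring two independent indicators keeps a benign run-key entry such as the OneDrive one on ws02 from being flagged on its own.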


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.