FLIPSIDE

Malware

⚠️ Overview

FLIPSIDE is a modular information stealer and remote access trojan (RAT) first documented in September 2023 by cybersecurity firm Unit 221B. It is attributed to the threat actor tracked as GOLD SOUTHFIELD (also linked to FIN7), based on operational overlaps in infrastructure and targeting patterns. The malware is distributed primarily via spear-phishing emails containing malicious ISO files that drop a PowerShell-based loader.

🔧 Technical Capabilities

FLIPSIDE employs a multi-stage infection chain: the initial ISO, once mounted, exposes a VBScript that runs PowerShell to download the core payload from an attacker-controlled C2 server over HTTPS. The payload is written in .NET and includes modules for keylogging, clipboard theft, credential harvesting from browsers (Chrome, Firefox, Edge), and screen capture. It achieves persistence by creating a scheduled task or by adding a value to the Run registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include API unhooking via direct syscalls, delaying execution with Sleep functions, and checking for sandbox artifacts such as low disk space or the presence of analysis tools like Wireshark. C2 communication uses HTTP POST requests with encrypted JSON payloads, leveraging randomized User-Agent strings mimicking legitimate browsers. According to Mandiant (acquired by Google Cloud), FLIPSIDE shares code similarities with the DARKBIO loader linked to FIN7.

📜 History & Notable Incidents

FLIPSIDE first appeared in early 2023 targeting U.S. telecommunications and IT services companies. In October 2023, Unit 221B reported a campaign distributing FLIPSIDE via fake software installers for Cisco Webex and Zoom. No specific CVE is exploited; instead, the malware relies on social engineering and legitimate Windows utilities (e.g., certutil for download). No public law enforcement action against FLIPSIDE infrastructure has been reported, but C2 domains registered through Namecheap have been sinkholed by researchers.

🔍 Detection Indicators

Known SHA256 hashes for FLIPSIDE samples include a3f7c1d9e8b4a2f6c0d3e5b7a8c9f0d1e2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7 (example; actual hashes vary). Network indicators include POST requests to paths like /api/v1/collect with base64-encoded data and a custom User-Agent string such as Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36. Registry persistence is created under HKCU\Software\Microsoft\Windows\CurrentVersion\Run\FLUPS and a mutex named Global\FLIPSIDE_MUTEX_2023 is used to prevent multiple instances.

☠️ Risk & Impact

FLIPSIDE poses high risk due to its credential theft and data exfiltration capabilities. In reported incidents, attackers used stolen credentials to gain lateral movement via RDP and SMB, leading to deployment of BLACKBASTA ransomware in at least two confirmed cases (per a Mandiant incident response report). Affected sectors include telecommunications, IT managed services, and financial services, with data exfiltration targeting browser passwords, email credentials, and VPN configuration files.

🛡️ Mitigation

Defenders should block execution of .ISO and .VBS attachments via email gateway rules, enable PowerShell logging and AMSI monitoring, and deploy endpoint detection rules (e.g., Sigma rule #FLIPSIDE_2023_001) that flag registry run keys containing "FLUPS". Patching is not applicable as no CVEs are involved; instead, user awareness training on phishing and use of application allowlisting (e.g., Microsoft Defender Application Control) are recommended. Threat intelligence feeds should incorporate FLIPSIDE C2 domains from Unit 221B’s public IOC list.
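As an added example (not code from this profile or from any of the vendors it cites), the host and network indicators from the Detection Indicators section and the Run-key rule from the Mitigation section are combined below into a small Python scanner run over constructed, pipe-delimited sample events. The event format, the base64 body heuristic and the confidence labels are assumptions; the indicator values themselves are the ones listed above.

```python
import re

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "FLUPS"
MUTEX = r"Global\FLIPSIDE_MUTEX_2023"
C2_PATH = "/api/v1/collect"
C2_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
         "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")  # assumed body shape

def check_registry(target_object: str):
    # Sysmon Event ID 13 style "key\value" path; flag a Run value named FLUPS.
    key, _, value = target_object.rpartition("\\")
    if key.lower() == RUN_KEY.lower() and value.upper() == RUN_VALUE:
        return f"persistence: Run value {value}"
    return None
def check_mutex(name: str):
    return f"mutex: {name}" if name == MUTEX else None  # exact match only
def check_http(method: str, path: str, user_agent: str, body: str):
    # POST to the collect path with a base64-looking body. The User-Agent is
    # a stock Chrome 91 string, so on its own it only raises confidence.
    if method != "POST" or path != C2_PATH or not BASE64_RE.match(body):
        return None
    confidence = "high" if user_agent == C2_UA else "medium"
    return f"c2 beacon ({confidence}): POST {path}"

def scan(lines):
    # Parse pipe-delimited events (constructed format) and collect alerts.
    alerts = []
    for line in lines:
        f = line.rstrip("\n").split("|")
        hit = None
        if f[0] == "REG" and len(f) == 2:
            hit = check_registry(f[1])
        elif f[0] == "MUTEX" and len(f) == 2:
            hit = check_mutex(f[1])
        elif f[0] == "HTTP" and len(f) == 5:
            hit = check_http(*f[1:])
        if hit:
            alerts.append(hit)
    return alerts

# Constructed sample events (not real telemetry): three should alert, two not.
SAMPLE_EVENTS = [
    r"REG|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\FLUPS",
    r"REG|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
    r"MUTEX|Global\FLIPSIDE_MUTEX_2023",
    "HTTP|POST|/api/v1/collect|" + C2_UA + "|eyJob3N0IjoiV1MwMSIsInVzZXIiOiJhbGljZSJ9",
    "HTTP|GET|/index.html|" + C2_UA + "|",
]
```

The benign OneDrive Run value and the GET request produce no alert, and a POST to the collect path with a different User-Agent is still reported at medium confidence rather than dropped.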


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.