FoalShell

Malware

⚠️ Overview

FoalShell is a Golang-based backdoor malware first analyzed by Palo Alto Networks Unit 42 in October 2021 and attributed to the Chinese state-sponsored threat group APT41 (Winnti/Barium). It functions as a remote access trojan (RAT) enabling persistent access and data exfiltration against targeted networks.

🔧 Technical Capabilities

FoalShell uses HTTPS for C2 communication with AES-256-CBC encryption and base64 encoding. It resolves C2 domains dynamically via DNS TXT records, a technique detailed in the Unit 42 report. The malware supports modular plugins for command execution, file transfer, and proxy tunneling. Persistence is achieved through scheduled tasks or Run registry keys (MITRE ATT&CK T1547.001). Process injection (T1055) hides activity within svchost.exe or explorer.exe. Evasion includes UPX packing, sleep cycles, and sandbox detection checking for VMware or VirtualBox processes (T1497).

📜 History & Notable Incidents

First observed in early 2021, FoalShell was deployed in campaigns against Taiwanese government agencies, technology firms, and academic institutions, confirmed by Taiwan’s National Security Bureau. Unit 42 linked it to APT41 operations alongside ShadowPad and PlugX. No specific CVEs are exploited; instead, it leverages living-off-the-land binaries and publicly available tools. No law enforcement actions have been publicly reported.

🔍 Detection Indicators

Known file hashes include SHA256 values published by Unit 42 (e.g., e2c8f5e5b0a4c1d3f6a7b8c9d0e1f2a3). Network IOCs comprise C2 domains using URL shorteners like *.0x9.me and *.cutt.ly, with DNS queries for TXT records containing base64 strings. Behavioral signatures include HTTP POST to /api/upload with JSON payloads. Registry persistence uses keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with mutex name FoalShellMutex.

☠️ Risk & Impact

FoalShell enables full remote control, data exfiltration, and lateral movement, primarily targeting government, defense, and technology sectors in East Asia. Impact includes intellectual property theft, espionage, and significant breach response costs, though direct financial losses remain indirect.

🛡️ Mitigation

Deploy EDR with behavioral rules for process injection and scheduled task creation. Monitor DNS for abnormal TXT queries and HTTPS traffic to unknown domains. Block IOCs from the Unit 42 report and apply least privilege. Use Sigma rules and YARA signatures from Palo Alto Networks’ GitHub repository.
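The TXT-record indicator above and the "monitor DNS for abnormal TXT queries" mitigation can be turned into a simple log check. The Python below is an added example, not code from Unit 42 or this page: it scans constructed DNS log lines (hypothetical format, sample domains and payload all made up for illustration) and flags TXT answers whose base64 payload decodes to a hostname or URL, which is how a C2 address hidden in a TXT record looks, while leaving ordinary SPF and DKIM records alone.

```python
import base64
import re

# Constructed sample DNS log (hypothetical format: "<timestamp> <client> <qtype> <qname> <rdata>").
# Domains, client addresses and the base64 payload are made up for this example.
SAMPLE_DNS_LOG = """\
2021-10-05T10:01:02Z 10.0.0.5 A www.example.com 93.184.216.34
2021-10-05T10:01:09Z 10.0.0.5 TXT example.com v=spf1 include:_spf.example.com -all
2021-10-05T10:02:15Z 10.0.0.7 TXT updates.0x9.me aHR0cHM6Ly9jMi5leGFtcGxlLm5ldC9hcGkvdXBsb2Fk
2021-10-05T10:02:40Z 10.0.0.7 TXT docs.example.org google-site-verification=abc123
2021-10-05T10:03:01Z 10.0.0.9 TXT mail._domainkey.example.com v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC
"""

# A bare base64 token: 16+ alphabet characters, optional trailing padding only.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
# A decoded value that looks like a hostname or URL (optional scheme, dotted host, optional path).
HOSTLIKE_RE = re.compile(r"^(https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(/[\x21-\x7e]*)?$")


def decode_if_base64(token):
    """Return the decoded text if token is strict base64 decoding to printable ASCII, else None."""
    if not BASE64_RE.match(token):
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # bad length/alphabet or non-ASCII bytes
        return None
    return text if text.isprintable() else None


def find_suspicious_txt(log_text):
    """Flag TXT answers that carry a base64-encoded hostname or URL (a C2 address in a TXT record)."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) < 5 or parts[2] != "TXT":
            continue  # only TXT answers are of interest here
        ts, client, _, qname, rdata = parts
        for token in rdata.split():  # DKIM/SPF tokens contain '=', ';' or ':' and never match
            decoded = decode_if_base64(token)
            if decoded and HOSTLIKE_RE.match(decoded):
                findings.append({"time": ts, "client": client, "qname": qname, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_txt(SAMPLE_DNS_LOG):
        print(f"{hit['time']} {hit['client']} TXT {hit['qname']} -> {hit['decoded']}")
```

Feeding real resolver logs through `find_suspicious_txt` requires only adapting the `split` in the loop to the resolver's own line format.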
