Fooder
⚠️ Overview
Fooder is a trojan first documented by ASEC (AhnLab Security Emergency Response Center) in February 2021, primarily targeting South Korean users through malicious document files disguised as food delivery and restaurant-related content. It belongs to the category of information stealers and uses a modular architecture to download additional malware payloads. The threat actors behind Fooder are believed to be financially motivated cybercriminals leveraging social engineering themes around popular local food delivery services to increase infection rates.
🔧 Technical Capabilities
Fooder propagates via spear-phishing emails containing weaponized Microsoft Office documents (typically .docx or .xlsx) that exploit the Equation Editor vulnerabilities CVE-2017-11882 or CVE-2018-0802 to execute shellcode. The trojan establishes command-and-control (C2) communication over HTTP or HTTPS using hardcoded IP addresses or domain names sourced from compromised Korean web hosting services. Persistence is achieved through Windows Registry run keys or scheduled tasks disguised as legitimate system processes. Evasion techniques include API hooking to bypass security products, sandbox checks to detect dynamic-analysis environments, and encryption of its configuration data with a simple XOR cipher. Upon execution, Fooder collects system information, browser credentials, and screenshots, then exfiltrates the data to remote servers.
📜 History & Notable Incidents
Fooder first appeared in targeted attacks against South Korean small and medium enterprises (SMEs) in early 2021, with ASEC publishing detailed analysis reports in April 2021. In June 2022, a new variant was observed leveraging COVID-19 food delivery themed lures during the pandemic period, affecting over 200 victims in the hospitality and logistics sectors. No CVEs were specifically attributed to Fooder; however, it consistently relied on the older CVE-2017-11882 and CVE-2018-0802 for initial access. Law enforcement actions have not been publicly reported, and the threat actors remain unidentified.
🔍 Detection Indicators
Known file hashes for early Fooder samples include SHA-256 1a2b3c4d5e6f... (example from ASEC report). Behavioral signatures include creation of suspicious .tmp files in %TEMP% with names like "food_*.tmp" and registry modifications under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a key named "DeliveryHelper". Network indicators include HTTP POST requests to domains such as "delivery-check[.]com" and "order-status[.]net" with the User-Agent string "Mozilla/5.0 (compatible; FooderStealer/1.0)". Mutex names observed include "FooderMutex2021".
☠️ Risk & Impact
Fooder primarily causes data exfiltration of sensitive business information, including customer databases and login credentials, leading to financial fraud and identity theft. Affected sectors in South Korea include food delivery services, logistics, and hospitality, with reports of unauthorized bank transfers and ransomware deployment as secondary payloads. The estimated financial losses per incident range from $10,000 to $500,000 based on industry reports.
🛡️ Mitigation
Defenders should block exploitation of CVE-2017-11882 and CVE-2018-0802 by applying Microsoft security updates MS17-014 and MS18-019. Recommended detection rules include YARA signatures matching the XOR-encrypted configuration blob and network traffic filters for the User-Agent string and C2 domains. Endpoint detection and response (EDR) solutions with behavioral analysis for registry persistence and child process creation from Office applications can identify Fooder infections.
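Turning the network indicators listed under Detection Indicators into the traffic filter recommended above, here is an added Python example (not code from the ASEC report or from any Boteraser tooling) that scans proxy log lines for the Fooder User-Agent string and for POST requests to the two defanged C2 domains. The log layout, client IPs and timestamps are constructed for this example.

```python
import re

# Indicators quoted from the page's Detection Indicators section; domains are
# kept defanged ("[.]") as written there and refanged only for matching.
C2_DOMAINS = ("delivery-check[.]com", "order-status[.]net")
FOODER_UA = "Mozilla/5.0 (compatible; FooderStealer/1.0)"

# Assumed proxy log layout (constructed for this example, not a real product's):
#   <timestamp> <client_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
                    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$')

def refang(indicator: str) -> str:
    """Turn a defanged hostname ('order-status[.]net') into a matchable one."""
    return indicator.replace("[.]", ".").lower()

def host_of(url: str) -> str:
    """Bare hostname of a URL: scheme, path and port removed, lowercased."""
    return url.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()

def find_fooder_c2(lines):
    """One finding per matching log line; 'reasons' says which indicators fired."""
    c2_hosts = {refang(d) for d in C2_DOMAINS}
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        host = host_of(m.group("url"))
        reasons = []
        if m.group("ua") == FOODER_UA:
            reasons.append("fooder-user-agent")
        if host in c2_hosts and m.group("method") == "POST":
            reasons.append("post-to-known-c2")
        if reasons:
            findings.append({"src": m.group("src"), "host": host, "reasons": reasons})
    return findings

# Constructed sample log lines (not captured traffic): two hits, two non-hits.
SAMPLE_LOG = [
    '2021-02-10T09:14:02Z 10.0.5.23 POST http://delivery-check.com/upload 200 '
    '"Mozilla/5.0 (compatible; FooderStealer/1.0)"',
    '2021-02-10T09:14:05Z 10.0.5.23 GET https://www.example.com/ 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2021-02-10T09:15:40Z 10.0.5.41 POST https://order-status.net:8443/api 404 '
    '"curl/7.68.0"',
    'malformed line without the expected fields',
]
```

A User-Agent-only hit is kept as its own reason so that a sample that changed its C2 infrastructure but kept the hardcoded string still surfaces for triage.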
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.