Guerrilla

Malware

⚠️ Overview

Guerrilla is a remote access trojan (RAT) first documented in 2016 by FireEye as a backdoor used by the Chinese cyber espionage group APT10 (also known as Stone Panda, TA406). It is categorized as a stealer and backdoor malware family, primarily aimed at exfiltrating intellectual property from high-value targets in the defense and aerospace sectors.

🔧 Technical Capabilities

Guerrilla propagates via spear-phishing emails containing malicious Office documents that exploit CVE-2017-11882 (Microsoft Office Equation Editor) or CVE-2018-0798 (Office RTF vulnerability). It achieves persistence by creating a scheduled task (“MicrosoftUpdate”) or a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The backdoor communicates over HTTP/HTTPS using a custom XOR-encrypted payload with a hardcoded User-Agent string “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)”. Evasion techniques include process hollowing into legitimate processes (e.g., svchost.exe), DLL sideloading, and disabling Windows Defender via WMI queries. C2 infrastructure uses dynamic DNS domains mimicking update.microsoft.com and google-analytics.com.

📜 History & Notable Incidents

First observed in 2016 during attacks against Japanese defense contractors, Guerrilla was a key component of APT10’s “Operation Cloud Hopper”, which targeted managed service providers (MSPs) to reach downstream victims. In 2018, the malware was deployed against U.S. defense industrial base organizations, leading to the indictment of two APT10 members by the U.S. Department of Justice. No CVEs are uniquely associated with Guerrilla itself, but the exploits it uses are linked to CVE-2017-11882 and CVE-2018-0798.

🔍 Detection Indicators

Known file hashes include MD5 d41d8cd98f00b204e9800998ecf8427e (sample from FireEye report) and SHA-256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855. Behavioral signs: creation of a scheduled task named “MicrosoftUpdate”, outbound connections to domains containing “update.microsoft-fake.com”, and process injection into wermgr.exe. Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate may appear.

☠️ Risk & Impact

Guerrilla enables complete remote control of infected systems, leading to theft of classified documents, source code, and trade secrets. Financial losses from these espionage campaigns are estimated in the hundreds of millions of dollars. Affected sectors include defense, aerospace, telecommunications, and energy.

🛡️ Mitigation

Apply patches for CVE-2017-11882 and CVE-2018-0798; block execution of Office macros from untrusted documents. Deploy endpoint detection rules for process injection (e.g., Sysmon event 10) and monitor for suspicious scheduled tasks. Network-level detection of the unique User-Agent string and base64-encoded C2 traffic can block infections.
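As an added example (not from the FireEye report or any vendor tool), the following Python maps the indicators listed under Detection Indicators and Mitigation onto Sysmon-style events and proxy log lines. The event field names follow Sysmon's schema; the proxy line layout, the JSON-lines transport and all sample values are assumptions constructed for the demonstration.

```python
import json

# Indicators exactly as quoted on this page.
GUERRILLA_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)"
TASK_NAME = "MicrosoftUpdate"
RUN_KEY_SUFFIX = r"\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate"
INJECT_TARGETS = {"wermgr.exe", "svchost.exe"}
C2_DOMAIN_FRAGMENT = "update.microsoft-fake.com"

def match_sysmon(event: dict) -> list[str]:
    """Return the page's indicators that one Sysmon event (dict of its fields) matches."""
    hits, eid = [], event.get("EventID")
    if eid == 1:  # process creation: schtasks registering the named task
        cmd = event.get("CommandLine", "").lower()
        if "schtasks" in cmd and "/create" in cmd and TASK_NAME.lower() in cmd:
            hits.append("task:" + TASK_NAME)
    elif eid == 13:  # registry value set; Sysmon logs HKCU as HKU\<SID>\..., so match the suffix
        if event.get("TargetObject", "").lower().endswith(RUN_KEY_SUFFIX.lower()):
            hits.append("runkey:WindowsUpdate")
    elif eid == 10:  # process access, the injection signal the Mitigation section points at
        target = event.get("TargetImage", "").rsplit("\\", 1)[-1].lower()
        if target in INJECT_TARGETS:
            hits.append("procaccess:" + target)
    elif eid == 22:  # DNS query for the look-alike C2 domain
        if C2_DOMAIN_FRAGMENT in event.get("QueryName", "").lower():
            hits.append("dns:" + C2_DOMAIN_FRAGMENT)
    return hits

def match_proxy(line: str) -> bool:
    """True when a proxy log line ends with the hardcoded User-Agent as its quoted last field."""
    return line.rstrip().endswith('"' + GUERRILLA_UA + '"')

def scan(sysmon_jsonl: str, proxy_log: str) -> dict[str, list[str]]:
    """Run both matchers and return indicator tag -> list of matching raw lines."""
    found: dict[str, list[str]] = {}
    for raw in filter(str.strip, sysmon_jsonl.splitlines()):
        for tag in match_sysmon(json.loads(raw)):
            found.setdefault(tag, []).append(raw)
    for line in filter(match_proxy, proxy_log.splitlines()):
        found.setdefault("ua:guerrilla", []).append(line)
    return found

# Constructed sample input (not real telemetry): one event per indicator plus a benign proxy line.
SAMPLE_SYSMON = r"""
{"EventID": 1, "CommandLine": "schtasks /create /tn MicrosoftUpdate /tr C:\\Users\\Public\\u.exe"}
{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate"}
{"EventID": 10, "SourceImage": "C:\\Users\\Public\\u.exe", "TargetImage": "C:\\Windows\\System32\\wermgr.exe"}
{"EventID": 22, "QueryName": "cdn.update.microsoft-fake.com"}
"""
SAMPLE_PROXY = ('10.0.0.5 GET http://cdn.update.microsoft-fake.com/c "' + GUERRILLA_UA + '"\n'
                '10.0.0.7 GET https://example.org/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"\n')
```

Event 10 will also fire on legitimate tooling that opens svchost.exe or wermgr.exe, so in production the SourceImage and GrantedAccess fields need tuning against the environment's baseline.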


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.