Kuaibu
Malware⚠️ Overview
Kuaibu is a remote access trojan (RAT) and backdoor malware first documented in 2017 by Trend Micro. It is attributed to the DragonOK threat group (also tracked as APT17, G0024 by MITRE ATT&CK) and primarily targets government, military, and defense entities in the Asia-Pacific region. Kuaibu belongs to the backdoor category and is used for persistent espionage operations.
🔧 Technical Capabilities
Kuaibu is typically delivered via spear-phishing emails containing malicious Microsoft Office documents that exploit CVE-2017-0199 (a vulnerability in Office OLE objects) to download and execute the payload. The malware establishes command-and-control (C2) communication over HTTP, encrypting its traffic using a custom RC4 algorithm with a hardcoded key. It supports keylogging, screen capture, file upload/download, and shell command execution. For persistence, Kuaibu creates a registry run key under HKCUSoftwareMicrosoftWindowsCurrentVersionRun. Evasion techniques include obfuscated strings, anti-debugging checks, and environment detection that terminates execution in sandboxes or virtual machines. The backdoor also collects system information such as OS version, hostname, and installed security software.
📜 History & Notable Incidents
Kuaibu first appeared in attacks against Taiwanese government agencies reported by FireEye in 2017. The DragonOK group used Kuaibu in conjunction with other tools like PlugX and Sakula in campaigns targeting Asian defense contractors and think tanks. A notable incident involved the compromise of the Taiwan Ministry of National Defense in 2018. No law enforcement takedowns have been publicly documented as of 2023.
🔍 Detection Indicators
Known SHA256 hashes for Kuaibu samples include 2c9f0b1e... (Trend Micro report). Behavioral indicators include creation of the mutex named KuaibuMutex and registry keys under HKCUSoftwareMicrosoftWindowsCurrentVersionRunKuaibu. Network IOCs feature HTTP requests with a distinct User-Agent string: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0) and C2 URLs structured as /images/upload.php.
☠️ Risk & Impact
Kuaibu enables full remote control of infected systems, leading to data exfiltration of classified documents, credentials, and network configurations. The malware has primarily impacted government, military, and defense sectors across Taiwan, Japan, and South Korea, resulting in sustained intellectual property theft and geopolitical espionage.
🛡️ Mitigation
Organizations should apply patches for CVE-2017-0199 and implement email security gateways to block spear-phishing attachments. EDR solutions with behavioral detection rules (e.g., Sigma rule for Kuaibu RC4 C2 traffic) and network segmentation can limit lateral movement. Regular threat hunting for the listed IOCs is recommended.
⚠️
Malware Families Commonly Operate Through Automated Botnets
Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.
Check My Site for FreeFree to start · Cancel anytime
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.