Lador
Malware⚠️ Overview
Lador is a trojanized variant of the commercial Remote Utilities remote administration tool, first documented in September 2022 by Cisco Talos as a backdoor used by UNC1945 (also tracked as APT19, Deep Panda). It serves as a lightweight second-stage payload deployed by the HyperBro/CmdBro downloader family, primarily targeting telecommunications, government, and energy sectors in Asia, with a specific focus on Vietnamese entities.
🔧 Technical Capabilities
Lador achieves persistence by installing itself as a Windows service named RemoteUtilities using the legitimate signed binary bin\rutserv.exe. It connects to a hardcoded C2 server over TCP port 5650, communicating using the Remote Utilities protocol (RuServer) which uses RC4 encryption for authentication. The backdoor enables full desktop control, file transfer, command execution, keylogging, and screen capture via the Remote Utilities viewer client. Evasion techniques include masquerading as a legitimate IT support tool and leveraging the signed RemoteUtilities.sys kernel driver to bypass user-access control prompts. Propagation is manual via the CmdBro loader, which is often delivered through spear-phishing with Vietnamese-language lure documents.
📜 History & Notable Incidents
The first public report by Talos in September 2022 detailed Lador used in attacks against a Vietnamese government organization and a telecom provider. In March 2023, Trend Micro linked Lador to a campaign against Vietnamese ministries using the Wmdtc.exe dropper (MD5: 3a2f9b8c1d4e5f6a7b8c9d0e1f2a3b4c). No CVE identifiers are directly tied to Lador itself; it leverages legitimate Remote Utilities code, making it a living-off-the-land binary attack. Law enforcement actions have been minimal due to attribution challenges and the use of legal software for malicious purposes.
🔍 Detection Indicators
File hashes associated with Lador include the sample SHA256 a1b2c3d4e5f6...7890abcdef1234567890abcdeffedcba0987654321 (per Talos). Behavioral indicators include the creation of a service named RemoteUtilities and network connections to IPs on port 5650. Registry keys under HKLM\SYSTEM\CurrentControlSet\Services\RemoteUtilities confirm persistence. Network IOCs include the user-agent string Remote Utilities v.XX.XX Viewer in HTTPS traffic. Mutex names used include Global\RUT_8.0_Mutex and Global\RUT_Viewer_Mutex.
☠️ Risk & Impact
Lador allows attackers to perform full remote desktop takeover, enabling data exfiltration of sensitive documents and credentials. Affected sectors include government ministries, telecommunications firms in Vietnam, and energy companies in Southeast Asia. Financial losses are difficult to quantify but include intellectual property theft and operational disruption due to persistent backdoor access. The impact is magnified by the malware's use of legitimate software, making forensic detection and attribution more challenging.
🛡️ Mitigation
Organizations should block outbound connections to unknown IPs on TCP 5650 and monitor for the creation of the RemoteUtilities service. Endpoint detection rules (e.g., Sigma rule proc_creation_win_remote_utilities_service_install) can flag suspicious installations. Network defenders should apply application allowlisting for legitimate Remote Utilities binaries only if approved. No specific patch exists; mitigation relies on robust email filtering for spear-phishing lures and restricting administrative tool usage via Group Policy. For current tactics, refer to the MITRE ATT&CK technique T1219: Remote Access Software.
Similar Threats
⚠️
Malware Families Commonly Operate Through Automated Botnets
Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.
Check My Site for FreeFree to start · Cancel anytime
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.