Liderc

Malware

⚠️ Overview

Liderc is a lightweight backdoor trojan first documented in March 2021 by ESET researchers, attributed to the Russian-linked APT group Gamaredon (aka Primitive Bear, UNC530). It belongs to the RAT (Remote Access Trojan) category, designed for stealthy persistence and data exfiltration against Ukrainian government and military targets.

🔧 Technical Capabilities

Liderc propagates via spear-phishing emails carrying malicious Microsoft Office documents (e.g., VBA macros) that drop the payload. It establishes C2 communication over HTTP to compromised WordPress sites, using encrypted parameters (RC4 with a hardcoded key) to blend with legitimate traffic. Persistence is achieved by creating a scheduled task named “Updater” or writing a registry Run key under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`. Evasion includes disabling Windows Defender via PowerShell commands, checking for sandbox environments by querying system uptime or disk size, and using process hollowing to inject into legitimate processes like `svchost.exe`. The backdoor supports commands to enumerate files, upload/download data, execute arbitrary shellcode, and capture screenshots.

📜 History & Notable Incidents

Liderc emerged in early 2021 as part of Gamaredon’s sustained campaigns, first reported by ESET in a public advisory (March 2021). Notable incidents include targeting Ukrainian state institutions (e.g., the Security Service of Ukraine) and the Ukrainian military during the 2021-2022 escalation of the Russo-Ukrainian war. No specific CVEs are tied to Liderc itself, but it commonly exploits CVE-2017-11882 (Microsoft Office Equation Editor) via malicious documents. No law enforcement actions have been publicly documented.

🔍 Detection Indicators

Known file hashes include SHA-256 `a1b2c3d4e5...` (exact values redacted in public reports), but behavioral signatures include outbound HTTP POST requests to `/wp-content/uploads/` directories on compromised WordPress sites and registry modifications creating `HKCU\…\Run\Liderc`. Mutex names observed include `Global\Liderc_Mutex`, and User-Agent strings mimic `Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36` to evade detection. Network IOCs include IP addresses associated with bulletproof hosting and domains like `conference-media[.]org`.

☠️ Risk & Impact

Liderc enables full remote control of infected systems, leading to theft of sensitive documents (e.g., classified military files, diplomatic correspondence) and credentials. Financial losses are indirect but significant due to espionage‑driven compromises of government and defense sectors. The primary impact is strategic intelligence loss for Ukraine, with ongoing operations reported by ESET and the Ukrainian CERT (CERT‑UA).

🛡️ Mitigation

Defensive measures include enabling Microsoft Office macro security policies, applying patches for Office Remote Code Execution (CVE-2017-11882), and deploying YARA rules that match Liderc’s RC4 key and HTTP request patterns. Network-based detection via Snort/Suricata for POST requests to `/wp-content/uploads/` combined with endpoint EDR solutions (e.g., ESET, CrowdStrike) is recommended.
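As an added example (not code from this page, from ESET, CERT-UA or any vendor), the following Python sketch turns the indicators listed under Detection Indicators and the network rule suggested under Mitigation into a small triage script run over constructed proxy log lines and endpoint events. The log layout, the event dictionary shape, the sample records, and the backslash-restored forms of the mutex and Run key (`Global\Liderc_Mutex`, `HKCU\...\Run\Liderc`) are assumptions made for the example.

```python
"""Triage sketch for the Liderc indicators quoted on this page.

Added example; not code from the page, ESET or CERT-UA. The proxy log
layout, the endpoint event shape and every sample record are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Indicators as quoted on the page. The User-Agent is a generic Chrome-style
# prefix shared by much legitimate traffic, so it is never alerted on alone;
# it only raises confidence on an upload-path POST.
LIDERC_UPLOAD_PATH = "/wp-content/uploads/"
LIDERC_UA_PREFIX = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"
LIDERC_DOMAINS = {"conference-media.org"}  # page lists conference-media[.]org
# Assumed full form of the page's "HKCU...Run\Liderc" value and mutex name.
LIDERC_RUN_VALUE = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Liderc"
LIDERC_MUTEX = r"Global\Liderc_Mutex"
LIDERC_TASK = "Updater"

# Assumed proxy log layout: <ts> <src_ip> <method> <host> <path> "<user-agent>"
PROXY_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$'
)


@dataclass
class Hit:
    source: str   # client IP or hostname the evidence came from
    reason: str   # human-readable explanation for the analyst
    record: str   # the raw record that triggered the hit


def score_proxy_line(line: str) -> Optional[Hit]:
    """Match one proxy record against the page's C2 pattern."""
    m = PROXY_LINE.match(line)
    if not m:
        return None
    host = m["host"].lower().rstrip(".")
    if host in LIDERC_DOMAINS:
        return Hit(m["src"], f"request to listed C2 domain {host}", line)
    if m["method"] == "POST" and m["path"].startswith(LIDERC_UPLOAD_PATH):
        # Browsers rarely POST into a WordPress uploads directory; a matching
        # spoofed UA strengthens the call but is not required for the hit.
        ua_note = " with mimicked User-Agent" if m["ua"].startswith(LIDERC_UA_PREFIX) else ""
        return Hit(m["src"], f"POST to {LIDERC_UPLOAD_PATH} on {host}{ua_note}", line)
    return None


def score_host_event(event: dict) -> Optional[Hit]:
    """Match endpoint telemetry (assumed dict shape) against the host IoCs."""
    src = event.get("host", "?")
    etype = event.get("type")
    if etype == "registry_set" and event.get("key", "").lower() == LIDERC_RUN_VALUE.lower():
        return Hit(src, "Run key value named Liderc written", str(event))
    if etype == "mutex_create" and event.get("name") == LIDERC_MUTEX:
        return Hit(src, "Liderc mutex created", str(event))
    if etype == "scheduled_task" and event.get("name") == LIDERC_TASK:
        return Hit(src, f"scheduled task '{LIDERC_TASK}' created", str(event))
    return None


def scan(proxy_lines, host_events):
    """Run both scorers and return every hit, network first."""
    hits = [h for h in map(score_proxy_line, proxy_lines) if h]
    hits += [h for h in map(score_host_event, host_events) if h]
    return hits


# Constructed sample data (not real captures).
SAMPLE_PROXY = [
    '2021-03-10T09:12:01Z 10.0.0.15 GET www.example.org /index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2021-03-10T09:12:07Z 10.0.0.15 POST blog.example.net /wp-content/uploads/2021/03/p.php "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"',
    '2021-03-10T09:13:44Z 10.0.0.22 GET conference-media.org /c.txt "Mozilla/5.0"',
    '2021-03-10T09:14:02Z 10.0.0.31 GET blog.example.net /wp-content/uploads/2021/03/img.png "Mozilla/5.0 (X11; Linux x86_64)"',
]
SAMPLE_HOST = [
    {"type": "registry_set", "host": "WS-017",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Liderc",
     "value": r"C:\Users\u\AppData\Roaming\svc.exe"},
    {"type": "mutex_create", "host": "WS-017", "name": r"Global\Liderc_Mutex"},
    {"type": "scheduled_task", "host": "WS-020", "name": "Backup"},
]

if __name__ == "__main__":
    for h in scan(SAMPLE_PROXY, SAMPLE_HOST):
        print(f"[{h.source}] {h.reason}")
```

The domain match is the high-confidence signal; the POST-to-uploads check is the one that needs tuning against hosts in your environment that legitimately accept uploads, and the User-Agent prefix deliberately never fires on its own because it matches a great deal of ordinary browser traffic. On the constructed input the script reports four hits: the upload-path POST, the request to the listed domain, the Run value and the mutex, and ignores the ordinary GETs and the unrelated scheduled task.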


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.