MASOL
⚠️ Overview
MASOL is a backdoor trojan first identified in June 2021 by Unit 42 of Palo Alto Networks, attributed to the APT41 threat group (also tracked as Winnti). It is a remote access tool (RAT) used for targeted espionage against technology and government sectors in East Asia.
🔧 Technical Capabilities
MASOL is delivered by spear-phishing emails carrying Word documents with malicious VBA macros; the macro runs a dropper that establishes persistence via a scheduled task named "MicrosoftUpdateTask" and a Run key entry (see the indicators below). The dropper communicates with its command-and-control (C2) server over plain HTTP on TCP port 443, using the User-Agent "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36". This is the stock Chrome 58 on Windows 7 string, so on its own it is a weak indicator and should be correlated with the destination. The malware can execute arbitrary commands, upload and download files, and capture screenshots. Evasion techniques include process hollowing into svchost.exe and disabling Windows Defender through registry modifications; the only registry path the source names, HKCU\Software\Microsoft\Windows\CurrentVersion\Run, is a persistence location rather than a Defender setting, so the Defender-related key is not documented here. The C2 protocol uses Base64-encoded JSON blobs with XOR obfuscation, as detailed in Unit 42's analysis (URL: unit42.paloaltonetworks.com/masol-backdoor).
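The C2 message format described above, worked through as an added example (this is not code from the page or from Unit 42's analysis). It assumes the layering is compact JSON, then repeating-key XOR, then Base64; the source states neither the order nor the key length. It also assumes every beacon starts with a fixed field name ("host"), which gives the analyst a known-plaintext crib to recover a short XOR key without ever seeing it. The key bytes, field names and sample beacon are all constructed.

```python
"""Decode the C2 blobs described above (Base64 over XOR-obfuscated JSON).
Layering order, key length, field names and sample data are assumptions."""
import base64
import json
from typing import Optional

# Hypothetical repeating XOR key, used only to build the constructed sample.
SAMPLE_KEY = b"\x5a\xa7\x13"

# Assumed: every beacon is a compact JSON object whose first field is "host",
# so the plaintext always begins with this byte sequence (the crib).
KNOWN_PREFIX = b'{"host":"'


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (self-inverse: applies and strips)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_beacon(message: dict, key: bytes) -> str:
    """Client side: compact JSON -> XOR -> Base64 text (assumed order)."""
    plaintext = json.dumps(message, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def decode_beacon(blob: str, key: bytes) -> dict:
    """Analyst side with the key in hand: Base64 -> XOR -> JSON."""
    return json.loads(xor_bytes(base64.b64decode(blob), key).decode("utf-8"))


def recover_key(blob: str, max_key_len: int = 8) -> Optional[bytes]:
    """Known-plaintext key recovery for a repeating XOR key.

    For each candidate length L (shortest first), the key is simply
    ciphertext[:L] XOR crib[:L]; the first candidate whose full decryption
    parses as a JSON object is the key.  Returns None if no key up to
    max_key_len (bounded by the crib length) works.
    """
    ciphertext = base64.b64decode(blob)
    for length in range(1, min(max_key_len, len(KNOWN_PREFIX)) + 1):
        candidate = xor_bytes(ciphertext[:length], KNOWN_PREFIX[:length])
        try:
            decoded = json.loads(xor_bytes(ciphertext, candidate).decode("utf-8"))
        except (UnicodeDecodeError, json.JSONDecodeError):
            continue
        if isinstance(decoded, dict):
            return candidate
    return None


# Constructed sample beacon; the field set is illustrative, not from the page.
SAMPLE_BEACON = {"host": "WS-0421", "user": "jdoe", "cmd": "screenshot", "seq": 7}
SAMPLE_BLOB = encode_beacon(SAMPLE_BEACON, SAMPLE_KEY)

if __name__ == "__main__":
    print("wire blob:   ", SAMPLE_BLOB)
    key = recover_key(SAMPLE_BLOB)
    print("recovered key:", key.hex() if key else None)
    print("decoded:     ", decode_beacon(SAMPLE_BLOB, key))
```

The recovery works because XOR with a repeating key is linear: knowing the first L plaintext bytes gives the first L key bytes directly, and trying lengths in increasing order returns the shortest key that yields valid JSON. Keys longer than the crib cannot be recovered this way, which is why `recover_key` returns None rather than guessing.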
📜 History & Notable Incidents
MASOL was first deployed in a campaign against Taiwanese aerospace companies in July 2021, exploiting CVE-2017-0199 (the Microsoft Office OLE2Link remote code execution flaw, patched in April 2017) via malicious RTF documents; this is a different delivery path from the macro-bearing Word documents described above, and the source describes both. A second major campaign targeted South Korean defense contractors in March 2022 using phishing lures related to "defense procurement documents". No law enforcement actions against APT41 specifically for MASOL operations had been publicly reported as of 2024.
🔍 Detection Indicators
The SHA-256 quoted for the dropper variant, e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, is the digest of empty (zero-byte) input; it cannot identify any sample and must not be loaded into a blocklist, where it would match every empty file. Behavioral indicators are the creation of the scheduled task "MicrosoftUpdateTask" and a persistence value named "MicrosoftUpdate" under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Network indicators are the C2 domain update-masol[.]com and the IP address 45.33.32.156; that address has long been the public address of scanme.nmap.org, so verify it against current threat intelligence before blocking it. The mutex "MasolMutex_2021" is created to prevent multiple instances; it is a host artifact visible through handle enumeration or memory analysis, not in standard Windows event logs.
☠️ Risk & Impact
MASOL is used to exfiltrate intellectual property, particularly from aerospace and defense organizations. Financial losses are indirect but significant: CrowdStrike estimates APT41 has cost victims over $100 million across its campaigns, MASOL operations included. The affected sectors are aerospace, defense, and technology in South Korea and Taiwan.
🛡️ Mitigation
Defenses include blocking the C2 domain and IP listed above, patching CVE-2017-0199, and blocking or restricting Office macros from untrusted documents, since both delivery paths described above start from a malicious document. In the EDR, alert on svchost.exe instances whose parent is not services.exe (the usual prelude to hollowing is the malware launching a suspended svchost.exe itself) and on scheduled-task or Run-key creation with the names listed above. Hunt for the "MasolMutex_2021" mutex by enumerating handles on endpoints; mutex names do not appear in standard Windows event logs, so a log regex will not find them. The SigmaHQ repository (URL: github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation) holds generic process-creation rules for schtasks-based persistence and suspicious svchost.exe parents that cover these behaviors; the cited path is the rule directory, not a MASOL-specific rule.
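The indicators and the detection advice above, run as an added example over constructed telemetry (this is not code from the page, from Boteraser, or from SigmaHQ). The log lines imitate Sysmon-style key=value records and a proxy record and are constructed for this example; the IOC values are the ones listed on the page. Three points the prose makes are exercised: the quoted hash is the empty-input digest and is rejected before it reaches a blocklist, the User-Agent is treated as a weak indicator that never alerts on its own, and the svchost.exe parent check stands in for the hollowing detection.

```python
"""IOC sweep over constructed log lines for the MASOL indicators above.
Log format, sample lines and the verdict scheme are constructed here."""
import hashlib
import re
from typing import Dict, List

# Indicators from the page, each tagged by how specific it is.  The UA is the
# stock Chrome 58 / Windows 7 string, so it is "weak": correlate, do not page.
IOCS = {
    "scheduled_task": ("MicrosoftUpdateTask", "strong"),
    "run_key_value": (r"Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate", "strong"),
    "c2_domain": ("update-masol.com", "strong"),
    "c2_ip": ("45.33.32.156", "strong"),
    "user_agent": ("Chrome/58.0.3029.110 Safari/537.36", "weak"),
}

# The SHA-256 quoted on the page as the dropper hash.
PAGE_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def hash_is_usable(sha256_hex: str) -> bool:
    """Refuse the digest of empty input: it matches every zero-byte file."""
    return sha256_hex.lower() != hashlib.sha256(b"").hexdigest()


# key=value and key="quoted value" pairs (constructed log format).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(line: str) -> Dict[str, str]:
    return {k: (q or u) for k, q, u in FIELD_RE.findall(line)}


def suspicious_svchost(fields: Dict[str, str]) -> bool:
    """Heuristic for the hollowing described above: svchost.exe is normally
    started by services.exe, so any other parent is worth an alert.  Known
    exceptions should be allow-listed per environment."""
    image = fields.get("Image", "").lower()
    parent = fields.get("ParentImage", "").lower()
    return image.endswith("\\svchost.exe") and bool(parent) and not parent.endswith("\\services.exe")


def scan_line(line: str) -> Dict[str, object]:
    """Substring-match every IOC and apply the svchost parent check.
    Verdict: 'alert' on any strong hit or suspicious svchost, 'weak' if only
    weak indicators matched, else 'clean'."""
    lowered = line.lower()
    strong = [n for n, (v, s) in IOCS.items() if s == "strong" and v.lower() in lowered]
    weak = [n for n, (v, s) in IOCS.items() if s == "weak" and v.lower() in lowered]
    hollow = suspicious_svchost(parse_fields(line))
    verdict = "alert" if (strong or hollow) else ("weak" if weak else "clean")
    return {"verdict": verdict, "strong": strong, "weak": weak, "svchost_parent": hollow}


def scan_logs(lines: List[str]) -> List[Dict[str, object]]:
    return [scan_line(line) for line in lines]


# Constructed sample telemetry (paths, hostnames and the proxy destination are made up).
SAMPLE_LOGS = [
    'EventID=1 Image="C:\\Windows\\System32\\schtasks.exe" ParentImage="C:\\Users\\Public\\upd.exe" CommandLine="schtasks /create /tn MicrosoftUpdateTask /tr C:\\Users\\Public\\upd.exe /sc minute /mo 30"',
    'EventID=13 Image="C:\\Users\\Public\\upd.exe" TargetObject="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MicrosoftUpdate" Details="C:\\Users\\Public\\upd.exe"',
    'EventID=22 Image="C:\\Windows\\System32\\svchost.exe" QueryName=update-masol.com QueryResults=45.33.32.156',
    'src=10.0.0.23 dst=198.51.100.7:443 method=GET host=intranet.example ua="Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"',
    'EventID=1 Image="C:\\Windows\\System32\\svchost.exe" ParentImage="C:\\Users\\Public\\upd.exe" CommandLine="svchost.exe -k netsvcs"',
    'EventID=1 Image="C:\\Windows\\System32\\svchost.exe" ParentImage="C:\\Windows\\System32\\services.exe" CommandLine="svchost.exe -k netsvcs"',
]

if __name__ == "__main__":
    print("page hash usable as blocklist entry:", hash_is_usable(PAGE_SHA256))
    for line, result in zip(SAMPLE_LOGS, scan_logs(SAMPLE_LOGS)):
        print(result["verdict"].upper().ljust(6), result["strong"], result["weak"],
              "svchost_parent" if result["svchost_parent"] else "", "|", line[:60])
```

The fourth sample line shows why the User-Agent is tagged weak: the stock Chrome string to a benign destination yields only a "weak" verdict, which belongs in a correlation search rather than a paging alert. The last two lines show the parent check distinguishing a dropper-spawned svchost.exe from the normal services.exe child.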
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.