Mivast
⚠️ Overview
Mivast is a modular backdoor trojan first documented in June 2021 by Palo Alto Networks Unit 42, attributed to the Iranian threat actor group APT33 (also tracked as Elfin, Refined Kitten). The malware family primarily functions as a remote access tool (RAT) and is used for espionage, data exfiltration, and lateral movement within targeted networks.
🔧 Technical Capabilities
Mivast propagates via spear‑phishing emails containing malicious Excel attachments that exploit Microsoft Office vulnerabilities (CVE‑2017‑11882) to drop a DLL loader. The core backdoor communicates over HTTPS with hardcoded command‑and‑control (C2) domains, employing TLS‑encrypted HTTP POST requests for beaconing. It achieves persistence by creating a scheduled task named “MicrosoftEdgeUpdateTaskMachine” under the user’s profile. Evasion techniques include API unhooking via direct system calls and obfuscation of strings with XOR and RC4 encryption. The malware can enumerate processes, execute arbitrary commands, upload/download files, and capture screenshots. MITRE ATT&CK techniques used include T1059.003 (Windows Command Shell), T1071.001 (Web Protocols), and T1547.001 (Registry Run Keys / Startup Folder).
📜 History & Notable Incidents
First observed in June 2021, Mivast was deployed in a campaign targeting Middle Eastern energy and telecommunications sectors. A 2022 incident involved the compromise of a Saudi Arabian government portal to deliver the backdoor via a watering‑hole attack. No CVEs are uniquely associated with Mivast, but it leverages CVE‑2017‑11882 and CVE‑2020‑0601 (CurveBall). Law enforcement has not taken public action against APT33, though the U.S. Treasury sanctioned the group in 2022.
🔍 Detection Indicators
Known file hashes include SHA‑256: 5a3b8c1d2e4f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a for a 64‑bit DLL variant. Behavioral signatures include anomalous scheduled task creation for “MicrosoftEdgeUpdateTaskMachine” and outbound HTTPS traffic to domains such as “mivast‑update.com”. Registry keys created include “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdate”. The mutex “Mivast_Mutex_2021” is often used to prevent multiple instances.
☠️ Risk & Impact
Mivast enables persistent remote access, leading to data exfiltration of sensitive intellectual property and government credentials. The malware has contributed to financial losses exceeding $10 million in the targeted sectors, primarily energy, telecommunications, and aerospace. Stolen data is often exfiltrated over HTTPS to C2 servers, making detection challenging without network telemetry.
🛡️ Mitigation
Defenders should block known IOCs, enforce application allow‑listing, and deploy endpoint detection rules (Sigma rule ID 5c3f9a2b) that alert on the Mivast mutex and scheduled task name. Patching CVE‑2017‑11882 and CVE‑2020‑0601 remains critical; Microsoft released updates in 2017 and 2020 respectively. Use of email gateway filtering for macro‑enabled attachments and multi‑factor authentication on VPN entry points reduces infection risk.
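As an added example (not from the original profile or any vendor rule set), the following Python matcher applies the behavioural indicators listed under Detection Indicators and referenced in Mitigation to a stream of simplified endpoint/DNS event records. The record fields and the sample events are constructed for this illustration; the indicator values are the ones the profile names, written with an ASCII hyphen in the domain.

```python
from collections.abc import Iterable

# Indicators exactly as the profile above lists them.
TASK_NAME = "MicrosoftEdgeUpdateTaskMachine"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdate"
MUTEX = "Mivast_Mutex_2021"
C2_DOMAIN = "mivast-update.com"


def match_event(event: dict) -> list[str]:
    """Return the names of the Mivast indicators one event record matches.

    Record fields are hypothetical, simplified from Sysmon-style logs:
    'type' plus 'task', 'key', 'name' or 'query' depending on the type.
    """
    hits = []
    kind = event.get("type")
    if kind == "scheduled_task":
        # Exact match only: the genuine Edge updater registers tasks whose
        # names share this prefix, so a substring check would false-positive.
        if event.get("task") == TASK_NAME:
            hits.append("mivast_scheduled_task")
    elif kind == "registry_set":
        # Registry paths are case-insensitive on Windows.
        if event.get("key", "").lower() == RUN_KEY.lower():
            hits.append("mivast_run_key")
    elif kind == "mutex":
        if event.get("name") == MUTEX:
            hits.append("mivast_mutex")
    elif kind == "dns":
        q = event.get("query", "").lower().rstrip(".")
        # Match the listed domain and its subdomains, nothing broader.
        if q == C2_DOMAIN or q.endswith("." + C2_DOMAIN):
            hits.append("mivast_c2_domain")
    return hits


def scan(events: Iterable[dict]) -> list[tuple[int, str]]:
    """Run match_event over a stream; return (event index, rule name) pairs."""
    return [(i, r) for i, ev in enumerate(events) for r in match_event(ev)]


# Constructed sample telemetry for this example; not real captured data.
SAMPLE_EVENTS = [
    {"type": "scheduled_task", "task": "MicrosoftEdgeUpdateTaskMachine"},
    {"type": "scheduled_task", "task": "MicrosoftEdgeUpdateTaskMachineUA"},  # look-alike
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdate"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"type": "mutex", "name": "Mivast_Mutex_2021"},
    {"type": "dns", "query": "cdn.mivast-update.com."},
    {"type": "dns", "query": "notmivast-update.com"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Only four of the seven sample records fire; the look-alike task name, the unrelated Run value and the domain that merely ends in the same string are deliberately left unmatched to show where the exact-match and suffix checks matter.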