Moker

Malware

⚠️ Overview

Moker is a modular backdoor trojan first documented in May 2019 by Trend Micro and attributed to the threat group tracked as Evasive Serpens (also known as TA428). It is classified as both a remote access trojan (RAT) and an information stealer, and has primarily targeted government ministries, energy companies and critical infrastructure in the Middle East, with a focus on Saudi Arabia. MITRE ATT&CK tracks it as Software ID S1086 and describes its use for stealthy reconnaissance and data exfiltration.

🔧 Technical Capabilities

Moker spreads via spear-phishing emails carrying malicious Microsoft Office documents whose VBA macros drop the payload once the recipient enables them; no software vulnerability is exploited in this step. It relies on DLL side-loading, placing its malicious DLL where a legitimate, signed Windows binary (e.g., wab.exe) will load it, so that the malicious code runs under a trusted image and slips past application whitelisting. Command-and-control (C2) traffic is carried over HTTP, with payloads RC4-encrypted and then base64-encoded to hide stolen data; base64 is only an encoding, and if the RC4 key is static (hard-coded in the sample), recovering it decrypts all captured traffic. Persistence is achieved through a registry Run value (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MokerService) and scheduled tasks. For evasion, Moker performs anti-debugging checks, injects code into legitimate processes such as explorer.exe or svchost.exe, and deletes its initial dropper after installation to reduce forensic artifacts. It also supports plugin modules for additional capabilities such as keylogging, screen capture and file enumeration.
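As an added example (not Moker's own code and not taken from the Trend Micro report), the following Python reproduces the C2 wrapping described above, RC4 followed by base64, so that a captured POST body can be unwrapped once the key is recovered from a sample. The key `k3y`, the beacon format `host=...;user=...` and the layering order (RC4 inside, base64 outside) are assumptions; the `recover_key` helper shows the known-plaintext check an analyst runs against candidate keys pulled from the sample's strings or memory.

```python
"""Added example: RC4 + base64 C2 wrapper/unwrapper (not Moker's code).

The key, beacon format and layering order are assumptions for illustration.
"""
import base64
from typing import Iterable, Iterator, Optional


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Standard RC4: key scheduling (KSA) followed by the PRGA byte generator."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                               # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def wrap_c2(key: bytes, plaintext: bytes) -> str:
    """What the implant would send: RC4 first, then base64 (assumed order)."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def unwrap_c2(key: bytes, body: str) -> bytes:
    """What the analyst does with a captured POST body."""
    return rc4(key, base64.b64decode(body))


def recover_key(body: str, candidates: Iterable[bytes],
                known_prefix: bytes = b"host=") -> Optional[bytes]:
    """Known-plaintext check: beacons usually open with a fixed field, so try
    each candidate key (from strings/memory of the sample) and keep the first
    whose decryption starts with that field. Returns None if none fits."""
    for key in candidates:
        if unwrap_c2(key, body).startswith(known_prefix):
            return key
    return None


# Constructed sample beacon and key; not taken from real Moker traffic.
ASSUMED_KEY = b"k3y"
SAMPLE_BEACON = b"host=WS01;user=alice;cmd=enumerate_files"


if __name__ == "__main__":
    body = wrap_c2(ASSUMED_KEY, SAMPLE_BEACON)
    print("wire body :", body)
    print("recovered :", recover_key(body, [b"wrong", b"guess", ASSUMED_KEY]))
    print("plaintext :", unwrap_c2(ASSUMED_KEY, body))
```

The RC4 routine is the textbook cipher, so it can be checked against the published test vectors before being trusted on real captures; the known-plaintext check is what makes key recovery practical when the sample yields several candidate strings.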

📜 History & Notable Incidents

Moker was publicly identified in 2019 following a targeted campaign against Saudi Arabian government agencies and the energy sector, as covered in Trend Micro's 2020 analysis. A later campaign in 2021 used updated variants that added TLS encryption for C2 traffic, as noted in a Palo Alto Networks Unit 42 report. No CVEs are associated with Moker; its intrusions rely on social engineering and custom code rather than on exploiting known vulnerabilities. No law enforcement action against Evasive Serpens has been publicly disclosed, and the group remained active as of 2023.

🔍 Detection Indicators

Known indicators include the MD5 hash d1e3a7f8c4b2e5a6d9f0c1b2a3e4f5d6 (a sample observed in 2020) and the mutex name MokerInst. Network indicators include HTTP POST requests to malicious[.]com/api/upload with the User-Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36; this is a generic Chromium-on-Windows-7 User-Agent prefix, so it should be used in combination with the URL path or host-based indicators rather than on its own. Behavioral signatures include creation of the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MokerService and DLL files dropped into the %AppData% folder. A single file hash changes with every rebuild, so the registry and behavioral indicators are the more durable detections. Sigma and YARA rules for Moker are available from open-source threat intelligence repositories.
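To show how the indicators above combine in a host triage, here is an added Python example (not code from Trend Micro, Unit 42 or MITRE) that runs the listed IOCs over a few constructed Sysmon-style and proxy-log records. The record schema (`type`, `target`, `path`, `md5`, `url`, `user_agent`, `name`) is an assumption, as are the sample records; the indicator values are the ones listed above, with `malicious[.]com` refanged. The scoring treats the User-Agent and a lone DLL under %AppData% as weak indicators that only escalate in combination.

```python
"""Added example: run the page's Moker IOCs over constructed host/proxy
records (not code from Trend Micro, Unit 42 or MITRE). Record schema is assumed."""
import re
from typing import Dict, List, Tuple

# Indicator values as listed on this page.
MD5_IOC = "d1e3a7f8c4b2e5a6d9f0c1b2a3e4f5d6"
MUTEX_IOC = "MokerInst"
UA_IOC = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"
C2_PATH_IOC = "malicious.com/api/upload"   # page lists it defanged as malicious[.]com

# Sysmon logs HKCU as HKU\<SID>\..., so match on the suffix, case-insensitively.
RUN_VALUE_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MokerService$", re.I)
# %AppData% expands to ...\AppData\Roaming; a DLL written there is notable but noisy alone.
APPDATA_DLL_RE = re.compile(r"\\AppData\\Roaming\\(?:[^\\]+\\)*[^\\]+\.dll$", re.I)

# Indicator classes specific enough to escalate on their own.
STRONG = {"registry_run_value", "known_md5", "c2_upload_post", "mutex_mokerinst"}


def match_event(event: Dict[str, str]) -> List[str]:
    """Return the indicator labels a single record matches (possibly several)."""
    hits: List[str] = []
    kind = event.get("type")
    if kind == "registry_set" and RUN_VALUE_RE.search(event.get("target", "")):
        hits.append("registry_run_value")
    elif kind == "file_create":
        if APPDATA_DLL_RE.search(event.get("path", "")):
            hits.append("appdata_dll")
        if event.get("md5", "").lower() == MD5_IOC:
            hits.append("known_md5")
    elif kind == "http":
        if event.get("method") == "POST" and C2_PATH_IOC in event.get("url", ""):
            hits.append("c2_upload_post")
        if event.get("user_agent") == UA_IOC:
            hits.append("c2_user_agent")     # generic Chromium/Win7 UA: weak by itself
    elif kind == "mutex_create" and event.get("name") == MUTEX_IOC:
        hits.append("mutex_mokerinst")
    return hits


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """(record index, indicator) pairs for every hit across a host's records."""
    return [(i, h) for i, e in enumerate(events) for h in match_event(e)]


def suspicious_host(events: List[Dict[str, str]]) -> bool:
    """Escalate on any strong indicator, or on two weak ones of different kinds."""
    kinds = {h for _, h in triage(events)}
    return bool(kinds & STRONG) or len(kinds - STRONG) >= 2


# Constructed records for this example; not real telemetry.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\MokerService",
     "details": r"C:\Users\alice\AppData\Roaming\wab.exe"},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Roaming\loader.dll", "md5": MD5_IOC},
    {"type": "http", "method": "POST", "url": "http://malicious.com/api/upload", "user_agent": UA_IOC},
    {"type": "file_create", "path": r"C:\Program Files\Vendor\plugin.dll", "md5": "00" * 16},
    {"type": "http", "method": "GET", "url": "http://example.org/", "user_agent": UA_IOC},
]

if __name__ == "__main__":
    for idx, label in triage(SAMPLE_EVENTS):
        print(f"record {idx}: {label}")
    print("escalate:", suspicious_host(SAMPLE_EVENTS))
```

Matching on the registry path suffix rather than the literal HKCU prefix matters in practice: endpoint telemetry records the current-user hive under HKU\<SID>, and a rule keyed on the page's HKCU spelling would never fire.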

☠️ Risk & Impact

Moker lets adversaries silently exfiltrate sensitive documents, credentials and internal network maps, which often enables lateral movement and further compromise of high-value systems. Its impact falls mainly on government and energy organisations in the Middle East, with potential for operational disruption and theft of classified information. Financial losses from these campaigns have not been publicly quantified, but the strategic value of the stolen data is considered significant.

🛡️ Mitigation

Defenders should deploy email security gateways to block macro-enabled documents from untrusted sources; enforce application whitelisting that covers DLLs as well as executables, since side-loading runs the malicious DLL inside an allowed, signed binary and defeats executable-only rules; and implement endpoint detection rules (e.g., a Sigma rule for the Moker registry persistence value). Regular patching of Windows and Office products, combined with network segmentation and user awareness training against spear-phishing, further reduces the attack surface. Specific detection guidance is available in the Trend Micro report "Moker: A New Backdoor Used in Targeted Attacks" (2020) and in MITRE ATT&CK S1086.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.