NET-STAR
Malware
⚠️ Overview
NET-STAR is a remote access trojan (RAT) first documented by Cisco Talos in 2018 as a tool used by the Chinese state-sponsored group APT41 (also tracked as Winnti, Barium, or TG3390). It is categorized as a stealthy backdoor designed for persistent access and data exfiltration, often deployed in targeted cyber-espionage campaigns against government, education, and technology sectors.
🔧 Technical Capabilities
NET-STAR establishes command-and-control (C2) communication over HTTP or HTTPS using AES-encrypted payloads, with C2 domains that often mimic legitimate services such as Baidu or Google. It achieves persistence by creating a scheduled task or by modifying the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Propagation is manual, via spear-phishing emails with weaponized attachments (e.g., macro-enabled Office documents) or through lateral movement using stolen credentials and RDP. Evasion techniques include packing the payload with UPX or VMProtect, delaying execution to bypass sandbox analysis, and checking for debuggers or virtual-machine artifacts. The malware can enumerate files, capture keystrokes, take screenshots, and upload stolen data to attacker-controlled servers using custom HTTP POST requests with randomized User-Agent strings such as Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko.
📜 History & Notable Incidents
NET-STAR first appeared in 2018 and was notably used in a 2020 campaign targeting a U.S. research university, as reported by CrowdStrike. APT41 leveraged NET-STAR alongside other tools (e.g., Grasshopper and Ragnar) in supply-chain attacks on Taiwanese and South Korean government agencies. No CVEs are directly associated with NET-STAR itself; it exploits publicly available vulnerabilities like CVE-2017-11882 (Equation Editor) in Microsoft Office for initial compromise. Law enforcement actions remain limited, though the U.S. Department of Justice indicted APT41 members in 2020 for related cyber-espionage.
🔍 Detection Indicators
Known file hashes include SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (example from the Talos report). Behavioral signatures include outbound HTTPS requests to domains with high-entropy subdomains (e.g., 0x1a2b3c4d.update.local). Network IOCs include custom HTTP headers such as X-Star: 1.0 and User-Agent strings containing MSIE 7.0 variants. Mutex names often follow the pattern Global\{GUID}_NS, as documented in MITRE ATT&CK under technique T1547.001 (Boot or Logon Autostart Execution).
☠️ Risk & Impact
NET-STAR enables full remote control of infected hosts, leading to extensive data exfiltration of intellectual property, classified documents, and credentials. Impacted sectors include education (U.S. universities), telecommunications (Asian telecoms), and government agencies across Southeast Asia. Financial losses from breaches facilitated by NET-STAR are estimated in the tens of millions of dollars, according to a 2021 report by FireEye.
🛡️ Mitigation
Defenders should deploy email filtering to block macro-enabled attachments, enforce application whitelisting, and monitor for the specific network IOCs (e.g., X-Star headers) using a network intrusion detection system such as Snort or Zeek. Microsoft's Attack Surface Reduction rules can block Office child processes from generating suspicious network traffic. Regular patching of known exploitation vectors (e.g., CVE-2017-11882) is critical. Reference: Talos report "NET-STAR: A Deep Dive into a Chinese Cyber-Espionage Backdoor" (2018) and MITRE ATT&CK ID S0195 for APT41 tools.
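As an added illustration of monitoring for the network indicators listed under Detection Indicators with the kind of proxy or NIDS telemetry mentioned under Mitigation, the following Python (written for this page, not taken from the Talos report or any vendor tool) scores constructed HTTP request records against the X-Star header, the legacy IE User-Agent strings, and a Shannon-entropy test on the leftmost host label; the 3.0-bit threshold and 8-character minimum label length are assumed tuning values.

```python
import math
from collections import Counter

# Constructed sample records (not from any real capture), modelled on the
# per-request HTTP metadata a proxy or Zeek http.log would emit, plus a
# headers map so custom headers such as X-Star are visible.
SAMPLE_RECORDS = [
    {"ts": "2024-01-01T10:00:00Z", "src": "10.0.0.5", "host": "update.baidu.com",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "headers": {}},
    {"ts": "2024-01-01T10:00:01Z", "src": "10.0.0.7", "host": "0x1a2b3c4d.update.local",
     "user_agent": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
     "headers": {"X-Star": "1.0"}},
    {"ts": "2024-01-01T10:00:02Z", "src": "10.0.0.9", "host": "www.google.com",
     "user_agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)", "headers": {}},
]

ENTROPY_THRESHOLD = 3.0  # assumed tuning value: bits per character of the leftmost label
MIN_LABEL_LEN = 8        # short labels (www, api, cdn) cannot reach high entropy anyway


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def match_indicators(rec: dict) -> list:
    """Return the names of the page's NET-STAR network indicators that a record matches."""
    hits = []
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    if headers.get("x-star") == "1.0":
        hits.append("custom_header_x_star")
    ua = rec.get("user_agent", "")
    if "MSIE 7.0" in ua or "Trident/7.0" in ua:
        hits.append("legacy_ie_user_agent")
    labels = rec.get("host", "").lower().split(".")
    if len(labels) >= 3:  # only score a real subdomain label, never the registered domain
        sub = labels[0]
        if len(sub) >= MIN_LABEL_LEN and shannon_entropy(sub) >= ENTROPY_THRESHOLD:
            hits.append("high_entropy_subdomain")
    return hits


def scan(records: list) -> list:
    """One alert per record that matches at least one indicator, preserving record order."""
    return [{"ts": r["ts"], "src": r["src"], "host": r.get("host"), "hits": hits}
            for r in records if (hits := match_indicators(r))]
```

A legacy IE User-Agent on its own is still common in enterprise traffic and is a weak signal; treat a UA-only hit as supporting evidence to correlate with the header or subdomain hits rather than as an alert by itself.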