NetC

Malware

⚠️ Overview

NetC is backdoor malware first documented in 2013 by Palo Alto Networks Unit 42 and attributed to the Chinese advanced persistent threat group APT10 (also tracked as Stone Panda, Red Apollo, or MenuPass). It is classified as a remote access trojan (RAT) built for espionage and data theft, and is typically deployed in targeted attacks against government, defense, and aerospace organizations.

🔧 Technical Capabilities

NetC communicates with its command-and-control (C2) server over HTTP using encrypted, base64-encoded payloads. It supports commands for file upload/download, directory listing, and execution of arbitrary system commands via cmd.exe. Persistence is achieved through Windows service installation (e.g., NetCService) or registry Run keys. Evasion techniques include a custom User-Agent string that mimics Internet Explorer (e.g., Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727)) and the use of dynamic DNS domains to obscure C2 infrastructure. NetC does not self-propagate: it is delivered manually via spear-phishing emails with malicious attachments or dropped by other APT10 tools such as PlugX.

📜 History & Notable Incidents

NetC was first observed in attacks against Japanese aerospace and manufacturing firms in 2013. In 2015, APT10 used NetC in a campaign against the Japan Pension Service, resulting in the exfiltration of over 1.25 million records. MITRE ATT&CK lists NetC as software S0069, associated with techniques T1059.003 (Windows Command Shell) and T1105 (Ingress Tool Transfer). While no CVEs are directly tied to NetC, it has been used in conjunction with exploits like CVE-2018-20250 (WinRAR ACE) and CVE-2017-11882 (Equation Editor) for initial access.

🔍 Detection Indicators

Known file hashes from Palo Alto Networks Unit 42 reporting include SHA256 5f2c4c2a8e9f3b1d7e6a0c9b8d7e6f5a4c3b2a1d0e9f8c7b6a5d4e3f2c1b0a (a placeholder value, not a real indicator; actual hashes are available in the Unit 42 report "NetC: A Backdoor Used by APT10"). Network indicators include HTTP POST requests to paths such as /upload.php and the User-Agent string noted above. The registry persistence key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NetCService and the mutex name Global\NetC_Mutex have been observed in samples.

☠️ Risk & Impact

NetC enables persistent remote access, allowing attackers to exfiltrate sensitive documents, intellectual property, and credentials. Targeted sectors include government, defense, aerospace, and technology firms, primarily in Asia and the United States. The Japan Pension Service breach resulted in significant reputational damage and regulatory scrutiny, though direct financial losses are not publicly quantified.

🛡️ Mitigation

Defenders should deploy YARA rules to detect NetC binaries based on structure and strings, and monitor for the specific User-Agent string using network detection tools. Applying patches for CVEs exploited alongside NetC (e.g., CVE-2018-20250, CVE-2017-11882) and restricting outbound HTTP to known legitimate domains reduces risk. MITRE ATT&CK technique T1041 (Exfiltration Over C2 Channel) should be monitored via network anomaly detection.
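As an added example serving both the Detection Indicators and Mitigation sections (this is not code from the Boteraser page, from Unit 42, or from any APT10 tooling), the following Python script checks constructed proxy log lines against the NetC indicators named above (the User-Agent string and POST requests to /upload.php) and audits a constructed set of Run-key values for the NetCService persistence name. The log layout, host addresses, domains, registry command lines and base64 body are all assumptions made for the demo.

```python
"""Added example (not code from the Boteraser page, Unit 42 or APT10 tooling):
a small defender-side checker for the NetC indicators listed on this page.
The log lines, log layout and registry values below are constructed for the demo."""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicators taken from the page. Everything else here is an assumption.
NETC_USER_AGENT = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; "
                   "Trident/4.0; SLCC2; .NET CLR 2.0.50727)")
NETC_POST_PATH = "/upload.php"
NETC_RUN_VALUE = "NetCService"

# Assumed proxy log layout (constructed, not a real product format):
#   client method url status "user-agent" [base64-body]
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) '
    r'"(?P<ua>[^"]*)"(?: (?P<body>\S+))?$')


@dataclass
class Hit:
    line_no: int
    client: str
    ua_match: bool
    post_match: bool
    decoded_body_len: Optional[int] = None

    @property
    def severity(self) -> str:
        # The User-Agent is an ordinary IE 7 / Windows 7 string that real browsers
        # also send, so on its own it only rates "low"; the POST path raises it.
        if self.ua_match and self.post_match:
            return "high"
        return "medium" if self.post_match else "low"


def decode_body(body: str) -> Optional[bytes]:
    """Best-effort strict base64 decode of a captured body for analyst review."""
    try:
        return base64.b64decode(body, validate=True)
    except (ValueError, TypeError):
        return None


def scan_log_line(line_no: int, line: str) -> Optional[Hit]:
    """Return a Hit when the line matches the UA and/or the POST path indicator."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ua_match = m["ua"] == NETC_USER_AGENT
    path = re.sub(r"^https?://[^/]+", "", m["url"]).split("?")[0]
    post_match = m["method"] == "POST" and path == NETC_POST_PATH
    if not (ua_match or post_match):
        return None
    body_len = None
    if m["body"]:
        decoded = decode_body(m["body"])
        body_len = len(decoded) if decoded is not None else None
    return Hit(line_no, m["client"], ua_match, post_match, body_len)


def scan_log(lines: List[str]) -> List[Hit]:
    hits = []
    for i, line in enumerate(lines, 1):
        hit = scan_log_line(i, line)
        if hit is not None:
            hits.append(hit)
    return hits


def audit_run_keys(run_values: Dict[str, str]) -> List[str]:
    """Return Run-key value names matching the NetC persistence name.
    run_values maps value name -> command line; on a live Windows host you
    would read HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run via winreg."""
    return [name for name in run_values if name.lower() == NETC_RUN_VALUE.lower()]


# Constructed sample data (no real hosts, domains or samples).
SAMPLE_LOG = [
    '10.0.0.5 GET http://intranet.example/index.html 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/100.0"',
    '10.0.0.7 POST http://updates.example.org/upload.php 200 '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727)" aGVsbG8=',
    '10.0.0.9 GET http://news.example/ 200 '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727)"',
]
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "NetCService": r"C:\Users\Public\netc.exe",  # constructed path, not an IoC
}

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h.line_no} {h.client}: {h.severity} "
              f"(ua={h.ua_match}, post={h.post_match}, body={h.decoded_body_len})")
    print("suspicious Run values:", audit_run_keys(SAMPLE_RUN_VALUES))
```

The severity split is the practical point: the User-Agent string above is a stock IE 7 on Windows 7 string that legitimate clients also send, so a match on it alone is only a weak signal and should be combined with the POST path, the destination domain (dynamic DNS providers in particular) and host-side evidence such as the Run-key value or the mutex before escalating.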


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.