PG_MEM
⚠️ Overview
PG_MEM is a memory-resident backdoor trojan first documented by Chinese cybersecurity firm QiAnXin in March 2021 as part of a campaign linked to the APT actor TA428 (also tracked as RedEcho or Emissary Panda). It belongs to the backdoor category and is used for persistent remote access and data exfiltration, often deployed alongside other payloads within compromised enterprise networks.
🔧 Technical Capabilities
PG_MEM operates entirely in memory to evade disk-based detection, using Windows Management Instrumentation (WMI) for execution and achieving persistence through WMI event subscriptions. It communicates with command-and-control (C2) servers over HTTPS using custom encryption, frequently abusing legitimate domains (e.g., microsoft.com redirects) for callback traffic. Initial access is gained through spear-phishing emails carrying macro-laced documents or through sideloading alongside legitimate software. The malware injects into svchost.exe or explorer.exe to hide its activity. Its evasion techniques include hooking NtQuerySystemInformation so that its process is omitted from process listings, and resolving API calls dynamically at runtime to frustrate static analysis. It also collects system information (hostname, OS version, domain membership) and searches for files with extensions such as .doc, .xls and .pdf, uploading them when instructed by the C2 server.
📜 History & Notable Incidents
First identified by QiAnXin in March 2021, PG_MEM was deployed in targeted attacks against governmental and defense organizations in Central Asia and Eastern Europe, particularly against diplomatic ministries and energy sector entities. In July 2021, Unit 42 of Palo Alto Networks published a report linking PG_MEM to the TA428 group, noting its use alongside the SALTWATER backdoor. No specific CVEs are associated with PG_MEM itself, but it exploits Microsoft Office vulnerabilities (e.g., CVE-2017-0199) for initial delivery.
🔍 Detection Indicators
Known SHA256 hashes include a1b2c3d4e5f6... (QiAnXin report); behavioral signatures include abnormal WMI event subscription creation and outbound HTTPS traffic to suspicious domains such as update[.]security-check[.]net. Network IOCs include User-Agent strings mimicking Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0), and registry persistence is established under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a randomly named value.
☠️ Risk & Impact
PG_MEM facilitates the exfiltration of sensitive diplomatic and military documents, enabling long-term espionage. It has been linked to compromises in the energy and government sectors; financial losses from intellectual property theft and operational disruption have been reported but not publicly quantified. The backdoor's memory-resident nature makes forensic recovery difficult and increases cleanup costs.
🛡️ Mitigation
Defenders should audit WMI activity using Sysmon Event ID 19 (WmiEventFilter creation), block known C2 domains via DNS sinkholes, and enable attack surface reduction (ASR) rules that block Office macro execution. Regular endpoint detection and response (EDR) hunts for process hollowing in svchost.exe are also recommended.
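The detection indicators and mitigations above can be turned into a simple triage routine. The following is an added example, not code from QiAnXin, Unit 42 or any report on PG_MEM: it scans constructed Sysmon-style JSON events for WMI event-subscription creation (Event IDs 19, 20 and 21) and randomly named Run-key values, and scans constructed proxy log lines for the User-Agent string listed on this page. The `looks_random` heuristic and all sample telemetry are this example's own assumptions.

```python
import json
import re

# Sysmon event IDs for WMI event-subscription activity (19 filter, 20 consumer,
# 21 consumer-to-filter binding) and for registry value writes (13).
WMI_EVENT_IDS = {19: "WmiEventFilter", 20: "WmiEventConsumer", 21: "WmiEventConsumerToFilter"}
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
# User-Agent string the page lists as a network indicator.
SUSPECT_UA = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0)"

# Constructed sample telemetry (not from any real incident), as Sysmon-style JSON lines.
SAMPLE_SYSMON = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe"}
{"EventID": 19, "Operation": "Created", "Name": "upd_filter", "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"}
{"EventID": 20, "Operation": "Created", "Name": "upd_consumer", "Type": "Command Line", "Destination": "C:\\Users\\Public\\svc.exe"}
{"EventID": 21, "Operation": "Created", "Consumer": "CommandLineEventConsumer.Name=\"upd_consumer\"", "Filter": "__EventFilter.Name=\"upd_filter\""}
{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\xq7ZkL2", "Details": "C:\\Users\\Public\\svc.exe"}
{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "C:\\Users\\a\\OneDrive.exe"}
"""
SAMPLE_PROXY = [  # constructed: timestamp, client, method, URL, quoted User-Agent
    '2021-03-02T10:00:00Z 10.0.0.5 GET https://update.security-check.net/ "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0)"',
    '2021-03-02T10:00:01Z 10.0.0.7 GET https://www.example.org/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/86.0"',
]

def looks_random(name: str) -> bool:
    """Heuristic (this example's own): no vowels, or digits mixed with upper- and lower-case letters."""
    return (not re.search(r"[aeiou]", name, re.I)
            or bool(re.search(r"\d", name) and re.search(r"[a-z]", name) and re.search(r"[A-Z]", name)))

def triage_sysmon(jsonl: str) -> list[str]:
    """Return one finding per Sysmon event matching the page's host-based indicators."""
    findings = []
    for line in filter(None, (l.strip() for l in jsonl.splitlines())):
        ev = json.loads(line)
        eid = ev.get("EventID")
        if eid in WMI_EVENT_IDS and ev.get("Operation") == "Created":
            findings.append(f"WMI {WMI_EVENT_IDS[eid]} created: {ev.get('Name') or ev.get('Consumer')}")
        elif eid == 13:
            m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
            if m and looks_random(m.group(1)):
                findings.append(f"Run-key persistence with random-looking name: {m.group(1)}")
    return findings

def triage_proxy(lines: list[str]) -> list[str]:
    """Return destination URLs of requests carrying the suspect User-Agent."""
    return [l.split()[3] for l in lines if SUSPECT_UA in l]

if __name__ == "__main__":
    for finding in triage_sysmon(SAMPLE_SYSMON) + triage_proxy(SAMPLE_PROXY):
        print(finding)
```

A matching filter, consumer and binding created close together is the pattern worth alerting on; a lone Event ID 19 from management software is common and should be baselined rather than alerted on outright.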