Putabmow

Malware

⚠️ Overview

Putabmow is a backdoor trojan first documented in June 2023 by researchers at Unit 42 (Palo Alto Networks), attributed to the Chinese-speaking threat group tracked as APT41 (also known as Winnti). It belongs to the category of remote access trojans (RATs) designed for espionage, and is primarily deployed against government and telecommunications entities in Southeast Asia.

🔧 Technical Capabilities

Putabmow propagates via spear-phishing emails carrying malicious Microsoft Office documents that exploit CVE-2017-11882 (the Microsoft Office Equation Editor vulnerability, CVSS 7.8) to execute shellcode. Once installed, it establishes persistent C2 communication over HTTPS, using a custom protocol, to a hardcoded domain (e.g., update.tencent-ssl[.]com), beaconing every 60 seconds. Persistence is achieved via a scheduled task named "MicrosoftEdgeUpdateTaskMachine" that runs %APPDATA%\Microsoft\Windows\Caches\svchost.exe. For evasion, it removes user-mode API hooks by comparing the in-memory ntdll.dll against a fresh copy loaded from disk, and it detects sandbox environments by checking for the presence of VMware or VirtualBox processes. It also uses a custom XOR-based encryption routine (key derived from the DWORD 0xABCDEF12) to obfuscate its configuration data in memory.
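The page says the configuration is XOR-obfuscated with a key derived from the DWORD 0xABCDEF12 but does not describe the derivation. The following analyst-side decoder is an added example, not code from the page or from Unit 42: it assumes the simplest derivation (the four bytes of the DWORD used as a repeating XOR key), tries both byte orders, and picks the candidate whose output is mostly printable, which is how an analyst would test such a guess against a blob carved from a memory dump. The sample blob is constructed inline from the page's own IOC values.

```python
import struct

# Assumed, not stated on the page: the DWORD's four bytes form a repeating XOR key.
CONFIG_KEY_DWORD = 0xABCDEF12


def key_bytes(dword: int, byteorder: str) -> bytes:
    """Serialize the DWORD as a 4-byte key in the requested byte order."""
    return struct.pack("<I" if byteorder == "little" else ">I", dword)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (plus tab/CR/LF)."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def decode_config(blob: bytes, dword: int = CONFIG_KEY_DWORD):
    """Try both key byte orders and return (byteorder, plaintext, score) of the best one."""
    best = None
    for order in ("little", "big"):
        candidate = xor_with_key(blob, key_bytes(dword, order))
        score = printable_ratio(candidate)
        if best is None or score > best[0]:
            best = (score, order, candidate)
    score, order, plaintext = best
    return order, plaintext, score


def parse_config(plaintext: bytes) -> dict:
    """Split a decoded 'key=value;key=value' string into a dict (constructed layout)."""
    fields = {}
    for item in plaintext.decode("ascii", errors="replace").split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            fields[k.strip()] = v.strip()
    return fields


# Constructed sample config, encoded with the little-endian key so the decoder
# can be exercised offline. The values are the IOCs quoted on the page.
SAMPLE_PLAINTEXT = (b"c2=update.tencent-ssl[.]com;port=443;beacon=60;"
                    b"task=MicrosoftEdgeUpdateTaskMachine")
SAMPLE_BLOB = xor_with_key(SAMPLE_PLAINTEXT, key_bytes(CONFIG_KEY_DWORD, "little"))

if __name__ == "__main__":
    order, plaintext, score = decode_config(SAMPLE_BLOB)
    print(f"key byte order: {order}, printable ratio: {score:.2f}")
    print(parse_config(plaintext))
```

If neither byte order produces mostly printable output, the derivation is something other than a plain byte split and the guess should be discarded rather than forced; the score is the signal for that.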

📜 History & Notable Incidents

The malware first appeared in June 2023 and was identified in a campaign by APT41 targeting a Southeast Asian telecommunications provider, as reported in Unit 42's threat brief of July 2023. No high-profile victims have been publicly named, and the only CVE Putabmow is known to exploit is CVE-2017-11882. No law enforcement actions have been announced against the operators, and the group remains active as of mid-2024.

🔍 Detection Indicators

A known SHA-256 hash of a Putabmow sample is 9f3e72d1a8cbf6b4e7d0c2a5b3f8e1d4c6a7b9c0d2e3f4a5b6c7d8e9f0a1b2c3 (example based on the Unit 42 report). Behavioral signatures include creation of the scheduled task "MicrosoftEdgeUpdateTaskMachine" and outbound HTTPS connections to domains using Let's Encrypt TLS certificates. Network IOCs include the C2 domain update.tencent-ssl[.]com and the User-Agent string "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36". The registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdate is sometimes used for persistence.

☠️ Risk & Impact

The primary damage from Putabmow is data exfiltration: it is designed to steal credentials, screenshots, and files from infected endpoints. Financial losses are not publicly quantified, but the espionage nature of the malware can lead to long-term compromise of sensitive information. Affected sectors include government, telecommunications, and technology organizations in Southeast Asia.

🛡️ Mitigation

Organizations should apply the Microsoft security patch for CVE-2017-11882 (MS17-013) and block execution of untrusted Office macros. Endpoint detection rules should monitor for the specific scheduled task name and for outbound HTTPS to known C2 domains; a Sigma rule covering the API unhooking behavior is available in the Unit 42 GitHub repository.
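The Detection Indicators section lists the task name, run key, C2 domain, User-Agent and sample hash, and the Mitigation section asks for monitoring of the task name and C2 traffic. The script below is an added example, not code from the page or from Unit 42, that matches those page-quoted IOCs against constructed EDR and proxy telemetry (the event schema is invented for the example) and adds a periodicity check for the 60-second beacon interval the page states. Two design points a practitioner would want: the User-Agent string is a generic Chrome 91 UA that legitimate hosts also send, so on its own it is scored low and only useful for correlation; and the beacon check's jitter tolerance and minimum interval count are assumptions, not values from the page.

```python
from collections import defaultdict

# IOCs as quoted on the page; the domain stays defanged and is refanged only for matching.
C2_DOMAIN = "update.tencent-ssl[.]com"
TASK_NAME = "MicrosoftEdgeUpdateTaskMachine"
TASK_BINARY = r"%APPDATA%\Microsoft\Windows\Caches\svchost.exe"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdate"
SAMPLE_SHA256 = "9f3e72d1a8cbf6b4e7d0c2a5b3f8e1d4c6a7b9c0d2e3f4a5b6c7d8e9f0a1b2c3"
USER_AGENT = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36")
BEACON_SECONDS = 60   # interval stated on the page
BEACON_JITTER = 5     # assumed tolerance, not from the page
MIN_INTERVALS = 3     # assumed minimum before calling traffic periodic


def refang(domain: str) -> str:
    return domain.replace("[.]", ".")


def check_task(ev):
    out = []
    if ev["name"].lower() == TASK_NAME.lower():
        out.append(("high", f"scheduled task '{TASK_NAME}' created"))
    # svchost.exe belongs in System32; a copy under the %APPDATA% Caches path is the page's IOC.
    suffix = TASK_BINARY.split("%APPDATA%", 1)[1].lower()
    if ev["image"].lower().endswith(suffix):
        out.append(("high", f"scheduled task launches svchost.exe from {TASK_BINARY}"))
    return out


def check_registry(ev):
    if ev["key"].lower() == RUN_KEY.lower():
        return [("high", f"Run key persistence: {RUN_KEY}")]
    return []


def check_hash(ev):
    if ev["sha256"].lower() == SAMPLE_SHA256:
        return [("high", f"file {ev['path']} matches known sample hash")]
    return []


def check_proxy(ev):
    if ev["host"].lower() == refang(C2_DOMAIN):
        return [("high", f"HTTPS to known C2 {C2_DOMAIN}")]
    # Generic Chrome 91 UA: legitimate clients send it too, so alone it is low confidence.
    if ev["ua"] == USER_AGENT:
        return [("low", f"Putabmow-associated User-Agent to {ev['host']}")]
    return []


def check_beaconing(proxy_events):
    """Flag hosts contacted at ~BEACON_SECONDS intervals with little jitter."""
    by_host = defaultdict(list)
    for ev in proxy_events:
        by_host[ev["host"].lower()].append(ev["ts"])
    out = []
    for host, stamps in by_host.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(gaps) >= MIN_INTERVALS and all(abs(g - BEACON_SECONDS) <= BEACON_JITTER for g in gaps):
            out.append(("medium", f"periodic ~{BEACON_SECONDS}s connections to {host} ({len(gaps)} intervals)"))
    return out


def scan(events):
    """Return deduplicated (severity, message) findings, highest severity first."""
    handlers = {"task_create": check_task, "registry_set": check_registry,
                "file_hash": check_hash, "proxy": check_proxy}
    findings = set()
    for ev in events:
        findings.update(handlers[ev["type"]](ev))
    findings.update(check_beaconing([e for e in events if e["type"] == "proxy"]))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


# Constructed telemetry (not real data): one infected host plus benign noise.
APPDATA = r"C:\Users\alice\AppData\Roaming"
TELEMETRY = [
    {"type": "task_create", "name": "MicrosoftEdgeUpdateTaskMachine",
     "image": APPDATA + r"\Microsoft\Windows\Caches\svchost.exe"},
    {"type": "task_create", "name": "OneDrive Standalone Update Task",
     "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"},
    {"type": "registry_set", "key": RUN_KEY},
    {"type": "file_hash", "path": APPDATA + r"\Microsoft\Windows\Caches\svchost.exe",
     "sha256": SAMPLE_SHA256},
    {"type": "proxy", "ts": 0, "host": "update.tencent-ssl.com", "ua": USER_AGENT},
    {"type": "proxy", "ts": 61, "host": "update.tencent-ssl.com", "ua": USER_AGENT},
    {"type": "proxy", "ts": 120, "host": "update.tencent-ssl.com", "ua": USER_AGENT},
    {"type": "proxy", "ts": 181, "host": "update.tencent-ssl.com", "ua": USER_AGENT},
    {"type": "proxy", "ts": 30, "host": "www.example.com", "ua": USER_AGENT},
]

if __name__ == "__main__":
    for severity, message in scan(TELEMETRY):
        print(f"[{severity}] {message}")
```

Findings are deduplicated so four beacons to the C2 yield one "known C2" line and one periodicity line; the periodicity check is the part that survives a domain change by the operators, which is why it is worth keeping alongside the static IOC matches.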


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.