Raxir
⚠️ Overview
Raxir is a .NET-based backdoor trojan first documented by FireEye in 2018, attributed to the Iranian state-sponsored threat group APT33 (also known as Elfin). It functions as a remote access trojan (RAT) designed for stealthy data exfiltration and persistent access to compromised networks, primarily targeting aerospace, defense, and energy sectors in the Middle East and United States.
🔧 Technical Capabilities
Raxir communicates with its command-and-control (C2) infrastructure over HTTP using encrypted payloads (MITRE ATT&CK T1071.001, Application Layer Protocol: Web Protocols). It achieves persistence via scheduled tasks (T1053.005) or registry Run keys (T1547.001), and performs reconnaissance by enumerating processes, files, and network connections (T1083, T1082). The malware supports file upload and download, remote shell execution through cmd.exe (T1059.001), and screenshot capture via the GDI API. Evasion techniques include code obfuscation, packing with ConfuserEx, and checks for sandbox environments or specific antivirus processes (T1497.001). It can also disable Windows Defender policies through registry modifications (T1562.001).
📜 History & Notable Incidents
First identified in August 2018 by FireEye's Mandiant team, Raxir was used in targeted intrusions against a Middle Eastern aviation organization and a U.S. defense contractor prior to disclosure. In 2019, it was linked to a campaign exploiting CVE-2018-10562 in D-Link routers for initial access, documented by Unit 42 (Palo Alto Networks). No law enforcement actions or takedowns have been publicly attributed to Raxir as of 2024, though FireEye released YARA rules and IOCs in their 2018 report (fireeye.com/blog/threat-research/2018/09/apt33-insights-into-iranian-cyber-espionage).
🔍 Detection Indicators
Known file hashes include SHA256 3a4f5c8b...2d1e (see the FireEye report for the full value). Behavioral signatures include repeated HTTP POST requests to /api/Login or /Home/Update carrying base64-encoded .NET serialized objects. Network IOCs: C2 domains often mimic legitimate SaaS services, e.g., cdn-aws-support.com. The registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RaxirService and the mutex name RaxirMutex are associated with the implant. The User-Agent string Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (a custom variant) is observed during C2 communication.
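As an added example (not from this page or any vendor report), the following Python checker applies the behavioral indicators above to web proxy log lines. The log format, source IPs and payload bytes are constructed assumptions; the .NET BinaryFormatter header it looks for is the standard one, which base64-encodes to the familiar "AAEAAAD/////" prefix.

```python
import base64
import re
from collections import Counter

# Indicators from the Detection Indicators section above.
SUSPICIOUS_PATHS = {"/api/Login", "/Home/Update"}
SUSPICIOUS_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36"
# A .NET BinaryFormatter stream opens with a SerializationHeaderRecord:
# 00 01 00 00 00 FF FF FF FF ...  ->  base64 "AAEAAAD/////"
BINARYFORMATTER_MAGIC = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff"
BEACON_THRESHOLD = 3  # repeated POSTs before we call it beaconing

# Assumed (constructed) proxy log layout: src method host path "user-agent" body
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)" (\S*)$')

# Constructed sample traffic; the first three lines mimic the described C2 pattern,
# the last two are benign noise that shares only one indicator (or none).
SAMPLE_LOG = """\
10.0.0.12 POST cdn-aws-support.com /api/Login "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36" AAEAAAD/////AQAA
10.0.0.12 POST cdn-aws-support.com /Home/Update "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36" AAEAAAD/////AQAA
10.0.0.12 POST cdn-aws-support.com /api/Login "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36" AAEAAAD/////AQAA
10.0.0.33 POST intranet.example.local /api/Login "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0" dXNlcj1ib2I=
10.0.0.33 GET www.example.com /index.html "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0" -
"""

def looks_like_dotnet_serialized(body: str) -> bool:
    """True if body is valid base64 whose decoded bytes start with the BinaryFormatter header."""
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return raw.startswith(BINARYFORMATTER_MAGIC)

def score_line(line: str):
    """Return (src, host, [indicator names]) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, method, host, path, ua, body = m.groups()
    hits = []
    if method == "POST" and path in SUSPICIOUS_PATHS:
        hits.append("path")
    if ua == SUSPICIOUS_UA:  # the UA alone is too generic to act on
        hits.append("user-agent")
    if looks_like_dotnet_serialized(body):
        hits.append("dotnet-payload")
    return src, host, hits

def detect(lines, threshold=BEACON_THRESHOLD):
    """Map (src, host) -> sorted indicators for pairs seen >= threshold times with 2+ indicators."""
    counts, seen = Counter(), {}
    for line in lines:
        parsed = score_line(line)
        if parsed and len(parsed[2]) >= 2:
            src, host, hits = parsed
            counts[(src, host)] += 1
            seen.setdefault((src, host), set()).update(hits)
    return {k: sorted(seen[k]) for k, n in counts.items() if n >= threshold}
```

Requiring at least two indicators per request and a repeat count keeps a lone legitimate POST to an /api/Login endpoint (as in the fourth sample line) from raising an alert.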
☠️ Risk & Impact
Raxir enables full remote control of infected hosts, leading to theft of intellectual property, classified documents, and operational data. APT33 used it to support supply chain compromises and strategic espionage, affecting organizations in aerospace, petrochemicals, and telecommunications. Financial losses from data exfiltration and remediation costs are estimated in tens of millions of dollars across multiple incidents reported by FireEye.
🛡️ Mitigation
Deploy endpoint detection and response (EDR) rules for .NET process injection and anomalous HTTP beaconing; apply patches for CVE-2018-10562 in D-Link routers; implement network segmentation and least-privilege policies; use FireEye's published YARA rules and SIEM correlations for T1071.001 and T1059.001 indicators.