ReactorBot

Malware

⚠️ Overview

ReactorBot is a modular malware loader and backdoor first documented by cybersecurity firm Proofpoint in February 2022. It is attributed to the threat actor tracked as TA551 (also known as Shathak), a Russian-speaking cybercriminal group that has historically distributed Ursnif, IcedID, and other banking trojans through email campaigns. ReactorBot functions as a stealthy remote access trojan (RAT) and malware downloader, primarily used for initial access and payload delivery in targeted intrusions.

🔧 Technical Capabilities

ReactorBot is delivered via malicious Microsoft Office documents (often XLS files or documents carrying VBA macros) in phishing emails with themes like invoices or shipping notifications. Once executed, it establishes persistence via registry run keys and scheduled tasks. The malware communicates with its command-and-control (C2) infrastructure over HTTPS using a custom HTTP POST mechanism that disguises traffic as benign API calls (e.g., to /api/register). It employs AES-256 encryption for data exfiltration and RC4 for string obfuscation. To evade detection, ReactorBot uses API hashing to resolve Windows API functions dynamically and injects malicious code into legitimate processes like explorer.exe or svchost.exe using process hollowing. The loader supports a modular architecture that can fetch and execute additional payloads, such as IcedID or BumbleBee, directly from the C2 server. It also checks for sandbox environments by verifying mouse movement or system uptime.

📜 History & Notable Incidents

ReactorBot was first identified in February 2022 by Proofpoint researchers during a campaign distributing IcedID and BumbleBee. A notable incident in March 2022 saw ReactorBot used as an initial access vector in attacks against European transportation and logistics organizations. No specific CVE has been associated exclusively with ReactorBot, but it exploits Microsoft Office vulnerabilities (e.g., CVE-2017-11882) via macro-enabled documents. As of early 2024, ReactorBot remains active, with Proofpoint tracking multiple campaigns targeting manufacturing and financial services sectors.

🔍 Detection Indicators

Known indicators of compromise include C2 domains such as cdn-zdserv[.]com and mservice-net[.]com (Proofpoint, 2022), and registry persistence keys at HKCU\Software\Microsoft\Windows\CurrentVersion\Run with random six-character names. Behavioral signatures include HTTP POST requests to paths like /api/register or /api/update with Base64-encoded data. Mutex names such as ReactorMutex_5742 have been observed. Detections via YARA rules by Proofpoint target the malware’s RC4 key generation and process injection routines.
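The indicators above can be turned into a simple triage check. The following Python script is an added example written for this page; it is not Proofpoint's code or a published detection rule. It takes the C2 domains, API paths and Run-key naming pattern exactly as listed above, and runs them over a handful of constructed proxy log lines and registry Run-key entries (the log format "timestamp src-ip method url status body" and all sample values are invented for the example). Matching a known C2 domain or a Base64 body posted to one of the listed paths is treated as a strong signal; a six-character Run-value name on its own is a weak heuristic that will also catch some legitimate entries and should be corroborated with the command it launches.

```python
"""Triage checks for the ReactorBot indicators listed on this page.

Added example for this page, not the project's or the vendor's own code.
All sample log lines and registry entries below are constructed.
"""
import base64
import binascii
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators copied from the page (attributed there to Proofpoint, 2022).
C2_DOMAINS = {"cdn-zdserv.com", "mservice-net.com"}
C2_PATHS = {"/api/register", "/api/update"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Page describes Run values with "random six-character names"; assumed alphanumeric.
RANDOM_RUN_NAME_RE = re.compile(r"^[A-Za-z0-9]{6}$")


def looks_base64(body: str, min_len: int = 16) -> bool:
    """True if body is well-formed Base64 of a plausible length (not URL-encoded form data)."""
    body = body.strip()
    if len(body) < min_len or len(body) % 4 != 0 or not BASE64_RE.match(body):
        return False
    try:
        base64.b64decode(body, validate=True)
        return True
    except (ValueError, binascii.Error):
        return False


def parse_proxy_line(line: str) -> Optional[dict]:
    """Parse one constructed 'ts src method url status [body]' proxy log line."""
    parts = line.split(maxsplit=5)
    if len(parts) < 5:
        return None
    ts, src, method, url, status = parts[:5]
    body = parts[5] if len(parts) == 6 else ""
    u = urlsplit(url)
    return {"ts": ts, "src": src, "method": method.upper(),
            "host": u.hostname or "", "path": u.path, "body": body}


def score_request(req: dict) -> List[str]:
    """Return the names of the page's indicators matched by one parsed request."""
    hits = []
    if req["host"] in C2_DOMAINS:
        hits.append("known-c2-domain")
    if req["method"] == "POST" and req["path"] in C2_PATHS:
        hits.append("c2-api-path")          # weak on its own: benign APIs use such paths too
        if looks_base64(req["body"]):
            hits.append("base64-post-body")  # path + Base64 body is the behavioural signature
    return hits


def scan_proxy_log(lines: Iterable[str]):
    """Yield (line, hits) for every log line matching at least one indicator."""
    for line in lines:
        req = parse_proxy_line(line)
        if req and (hits := score_request(req)):
            yield line, hits


def suspicious_run_entries(entries: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Flag (key, value_name, command) Run entries whose value name is six random-looking characters."""
    return [e for e in entries
            if e[0].lower() == RUN_KEY.lower() and RANDOM_RUN_NAME_RE.match(e[1])]


# Constructed sample data: two C2 beacons, one benign GET, one benign POST to a look-alike path.
SAMPLE_PROXY_LOG = [
    "2022-03-14T10:22:05Z 10.0.0.15 POST https://cdn-zdserv.com/api/register 200 "
    + base64.b64encode(b"host=WS01;user=alice;uptime=3600").decode(),
    "2022-03-14T10:22:09Z 10.0.0.15 POST https://mservice-net.com/api/update 200 "
    + base64.b64encode(b"cmd=fetch;module=2").decode(),
    "2022-03-14T10:23:00Z 10.0.0.22 GET https://www.example.com/index.html 200",
    "2022-03-14T10:23:30Z 10.0.0.22 POST https://www.example.com/api/register 200 name=bob&email=bob%40example.com",
]

SAMPLE_RUN_ENTRIES = [
    (RUN_KEY, "OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    (RUN_KEY, "xk7q2m", r"C:\Users\alice\AppData\Roaming\xk7q2m\svc.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\system32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for line, hits in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(", ".join(hits), "<-", line[:70])
    for key, name, cmd in suspicious_run_entries(SAMPLE_RUN_ENTRIES):
        print("suspicious Run value:", name, "->", cmd)
```

In practice the log parser would be replaced by whatever your proxy or EDR exports, and the Run-key list by an actual registry dump; the scoring logic stays the same. The benign POST to /api/register on example.com deliberately matches only the path indicator, which is why that signal should not page anyone by itself.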

☠️ Risk & Impact

ReactorBot poses a high risk as a trojan loader that can deploy ransomware (e.g., targeting backup data) and information stealers. Documented impacts include data exfiltration of financial records and operational documents from manufacturing firms, leading to business disruption and potential intellectual property theft. The financial services and transportation sectors are most frequently targeted, with campaigns in Germany and the Netherlands reported in 2023.

🛡️ Mitigation

Defenders should implement email filtering to block macro-enabled attachments, enable Microsoft Office macro security settings, and deploy endpoint detection and response (EDR) tools with YARA rules from Proofpoint’s repository. Network monitoring should flag suspicious HTTPS POST requests to unknown domains. Regular patch management for Office vulnerabilities (e.g., CVE-2017-11882) is critical. Detailed guidance is available in Proofpoint’s 2022 report “ReactorBot: A New Loader from TA551.”


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.