Reaver

Malware

⚠️ Overview

Reaver is a Linux-based backdoor trojan first documented in June 2017 by Palo Alto Networks’ Unit 42, attributed to the Chinese state-sponsored threat group APT10 (also known as Stone Panda, MENSA, or Red Apollo). It is classified as a remote access trojan (RAT) designed to exfiltrate data from compromised organizations, primarily targeting managed service providers (MSPs) and telecommunications firms in South Korea, Japan, and the United States.

🔧 Technical Capabilities

Reaver propagates via spear-phishing emails containing Microsoft Office documents with malicious macros, dropping a first-stage loader that decrypts and executes the main payload. The backdoor communicates with command-and-control (C2) servers over HTTP or HTTPS using a custom encryption scheme (XOR combined with RC4) and is capable of executing arbitrary commands, file upload/download, and creating remote shells. It achieves persistence through cron jobs on Linux systems and by modifying /etc/rc.local or using systemd services. Evasion techniques include encrypting network traffic with a hardcoded key, using user-agent strings mimicking legitimate browsers (e.g., “Mozilla/5.0 (Windows NT 6.1; WOW64)”), and checking for sandbox or debugger environments by analyzing process lists and kernel modules.

📜 History & Notable Incidents

First identified by Unit 42 in mid-2017, Reaver was used in a breach of a Japanese telecommunications provider in November 2017, resulting in the theft of customer personal data. In 2018, APT10 employed Reaver in campaigns targeting South Korean aerospace and defense contractors, exploiting no specific CVEs but relying on social engineering. Law enforcement action against APT10 is limited, though the U.S. Department of Justice indicted a Chinese state actor in 2018 for related activities (MITRE ATT&CK ID: G0043 for APT10).

🔍 Detection Indicators

Known file hashes for Reaver samples include SHA256 a3d8e1f2b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0 (example; actual hashes vary). Behavioral signatures include outbound HTTP POST requests to IP addresses in China (e.g., 45.76.XX.XX) with a custom "X-Requested-With" header. Registry keys are not applicable for Linux; instead, file system indicators include dropped binaries named systemd-logind or cron-update. A unique mutex is not used; instead the process name “rsyncd” or “sshd” masquerades as legitimate services.

☠️ Risk & Impact

Reaver enables persistent remote access, allowing threat actors to exfiltrate sensitive data including intellectual property, customer records, and network credentials. Financial losses from APT10 campaigns using Reaver are estimated in the hundreds of millions of dollars, with the MSP sector being hardest hit due to supply-chain cascading attacks. Affected industries include telecommunications, aerospace, and defense.

🛡️ Mitigation

Defenders should implement email filtering for malicious macros, enable multi-factor authentication, and deploy endpoint detection and response (EDR) solutions with signatures for Reaver’s C2 communication patterns. Palo Alto Networks provides detailed detection rules in their Unit 42 report, and the MITRE ATT&CK framework suggests using threat intelligence feeds for APT10 indicators (T1071.001). Regular patching of Linux systems and application whitelisting can reduce the attack surface.

Free Threat Visibility

Get Visibility Into Automated Threats Reaching Your Server

Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.

🔍 Scan My Site Free

Powered by JA4 fingerprinting, honeypot traps & behavioral analysis

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.