Resident Malware
⚠️ Overview
Resident is a sophisticated backdoor trojan first documented by Palo Alto Networks Unit 42 in July 2017, attributed to the Chinese-state-sponsored threat group APT41 (also known as Winnti Group). It is categorized as a remote access trojan (RAT) designed for long-term espionage and data exfiltration.
🔧 Technical Capabilities
Resident propagates via spear-phishing emails carrying malicious Microsoft Office documents that exploit CVE-2017-0199 (a Microsoft Office/WordPad remote code execution vulnerability). Its attack chain uses PowerShell scripts to download the next-stage payload. The malware establishes persistence through registry Run keys (e.g., HKLM\Software\Microsoft\Windows\CurrentVersion\Run) and scheduled tasks. C2 communication employs encrypted HTTPS traffic over port 443, with domains registered under fake Chinese personas. Evasion techniques include process hollowing, API unhooking (ntdll.dll), and disabling Windows Defender via registry modification. It uses a custom RC4 encryption scheme for network traffic and maintains a modular plugin architecture for credential dumping and screen capture.
📜 History & Notable Incidents
Resident first appeared in June 2017, deployed in attacks against Taiwanese government entities and Vietnamese maritime companies. A high-profile campaign in 2018 targeted the Philippines' National Telecommunications Commission. No direct CVEs beyond CVE-2017-0199 are associated. Law enforcement actions include a 2021 U.S. DOJ indictment of APT41 members, though Resident-specific attribution comes from Unit 42's own "Resident" blog post (July 2017), not from the Grizzly Steppe reporting.
🔍 Detection Indicators
Known SHA256 hashes from Unit 42 include 0a1f2c... (truncated example); the full hashes are listed at Palo Alto's GitHub for Resident. Behavioral indicators include abnormal PowerShell spawning from Office processes, outbound HTTPS to suspicious domains like usupdates[.]com, and registry modification to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options for debugger-based persistence. The mutex name Global\ResidentMutex has been observed.
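The behavioral indicators above, expressed as triage rules over Sysmon-style events, as an added defender-side example that is not from the page's source or from Unit 42. The sample events, file paths, IFEO target name and event field names are constructed assumptions; only the Office-to-PowerShell, IFEO Debugger, Event ID 8 and usupdates[.]com indicators come from the page.

```python
"""Triage constructed Sysmon-style events against the Resident indicators on this page:
Office spawning PowerShell, IFEO Debugger persistence, CreateRemoteThread (Event ID 8,
the page's process-hollowing indicator) and DNS lookups of the listed C2 domain."""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}   # assumed Office binaries
C2_DOMAINS = {"usupdates.com"}                                  # defanged on the page
IFEO_RE = re.compile(r"\\Image File Execution Options\\[^\\]+\\Debugger$", re.I)

# Constructed Sysmon-like records as (EventID, fields). Not real telemetry.
SAMPLE_EVENTS = [
    (1, {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"}),
    (13, {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                          r"\Image File Execution Options\target.exe\Debugger",   # hypothetical
          "Details": r"C:\Users\Public\svc.exe"}),
    (8, {"SourceImage": r"C:\Users\Public\svc.exe",
         "TargetImage": r"C:\Windows\System32\svchost.exe"}),
    (22, {"QueryName": "usupdates.com", "Image": r"C:\Users\Public\svc.exe"}),
    (1, {"Image": r"C:\Windows\System32\notepad.exe",          # benign control event
         "ParentImage": r"C:\Windows\explorer.exe"}),
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (rule, detail) hits for events matching the page's indicators."""
    hits = []
    for eid, f in events:
        if eid == 1 and basename(f["Image"]) == "powershell.exe" \
                and basename(f["ParentImage"]) in OFFICE_PARENTS:
            hits.append(("office_spawns_powershell", basename(f["ParentImage"])))
        elif eid == 13 and IFEO_RE.search(f["TargetObject"]):
            hits.append(("ifeo_debugger_persistence", f["TargetObject"]))
        elif eid == 8:   # CreateRemoteThread: injection / hollowing indicator
            hits.append(("remote_thread_injection",
                         f"{basename(f['SourceImage'])}->{basename(f['TargetImage'])}"))
        elif eid == 22 and f["QueryName"].lower() in C2_DOMAINS:
            hits.append(("known_c2_dns", f["QueryName"]))
    return hits


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```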
☠️ Risk & Impact
Resident exfiltrates sensitive documents, credentials, and keystrokes, causing severe IP theft and intelligence loss. The 2017–2018 campaigns affected government and defense sectors in Asia-Pacific, with financial damage difficult to quantify but including compromised trade secrets. Unit 42's analysis notes that the malware can steal email credentials via Mimikatz-like plugins.
🛡️ Mitigation
Recommended defenses include applying Microsoft patch MS17-010 (CVE-2017-0199) and enabling AMSI for PowerShell script block logging. Use endpoint detection rules for process hollowing (e.g., Sysmon Event ID 8) and block known C2 domains via DNS sinkholing. Palo Alto Networks provides custom signatures in their Threat Prevention database (ID 44784).