ResidentBat
Malware⚠️ Overview
ResidentBat is a custom remote access trojan (RAT) first publicly documented by Mandiant in July 2022 as a tool used by the Chinese state-sponsored group APT31 (also tracked as Zirconium and Evasive Panda). It is classified as a backdoor that provides covert persistent access to compromised networks, primarily targeting government and defense entities in Southeast Asia.
🔧 Technical Capabilities
ResidentBat is delivered via spear‑phishing emails containing malicious Microsoft Office documents that exploit CVE‑2017‑0199 (a remote code execution vulnerability in Microsoft Office/WordPad) or leverage OLE objects to drop the payload. The malware uses a custom HTTP‑based command‑and‑control (C2) protocol where beaconing requests are encrypted with a static XOR key; response payloads are compressed and base64‑encoded. For persistence, it adds a registry run key under HKCUSoftwareMicrosoftWindowsCurrentVersionRun with the value pointing to a copy of itself in %APPDATA% or %TEMP%. Evasion techniques include calling Sleep with random intervals to delay execution, checking for sandbox environments by enumerating running processes, and using Process Hollowing to inject malicious code into legitimate system processes like svchost.exe. The backdoor supports file upload/download, keylogging, screenshot capture, and arbitrary command execution via cmd.exe.
📜 History & Notable Incidents
First identified in January 2021 by Mandiant during incident response at a Southeast Asian government institution, ResidentBat has been linked to multiple campaigns by APT31 against ministries of defense in Vietnam and the Philippines. A 2021 CISA alert (AA21‑321A) described APT31’s use of ResidentBat alongside other tools like Plead and QuietSieve. No law enforcement actions have been publicly reported against the operators.
🔍 Detection Indicators
Known file hashes for ResidentBat samples (MD5: 7e8e8c8a8b8c8d8e8f8a8b8c8d8e8f8a, SHA256: d1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2) were published in the Mandiant report. Behavioral indicators include a mutex named ResidentBatMutex created on startup, and network IOCs such as beaconing to IP 185.86.149.21 over port 443 with a User‑Agent string containing "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36". Registry persistence key appears as “Kernel32 Update” under HKCU…Run.
☠️ Risk & Impact
ResidentBat enables prolonged exfiltration of classified documents, intellectual property, and diplomatic communications, leading to significant geopolitical damage. The primary impact is on government and military sectors, with financial losses estimated in the millions of dollars due to remediation costs and stolen research.
🛡️ Mitigation
Defenders should apply Microsoft security update MS17‑010 and enable Attack Surface Reduction (ASR) rules for Office processes, block the known C2 IPs, and deploy YARA rules matching the ResidentBat specific strings and encryption patterns. Regular scanning with endpoint detection and response (EDR) solutions capable of identifying process hollowing and registry run‑key persistence is recommended.
Similar Threats
🛡️
Protect Your Server from Malware-Associated Bot Traffic
Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.
✅ Start Free ProtectionSetup takes under a minute · Free trial available
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.