Rifdoor
Malware⚠️ Overview
Rifdoor is a remote access trojan (RAT) first documented by Talos Intelligence in December 2022, attributed to the Chinese threat actor group APT41 (also tracked as Winnti). It is categorized as a backdoor used for espionage and data theft, targeting telecommunications and technology sectors globally.
🔧 Technical Capabilities
Rifdoor uses DLL side-loading via a legitimate signed binary (e.g., a program from NetEase or Kingsoft) to execute its malicious payload, which then decrypts and loads a core DLL that establishes a C2 connection over HTTP or HTTPS. Persistence is achieved through scheduled tasks or registry run keys, while evasion techniques include API unhooking and checking for sandbox environments by analyzing window class names or the presence of VBoxMouse drivers. The backdoor supports file upload/download, command execution, proxy tunneling, and keylogging, with C2 traffic mimicking legitimate API requests using custom encryption (RC4 with hardcoded keys).
📜 History & Notable Incidents
First observed in mid-2022, Rifdoor was deployed in campaigns targeting mobile network operators in Southeast Asia (including Thailand) and a major South Korean telecom firm, with known overlaps with another backdoor SysJoker. No CVEs are directly attributed to Rifdoor itself, but it leverages legitimate Windows utilities and exploits compromised credentials for initial access, as noted in a Trend Micro report from July 2023 (ID: 006224).
🔍 Detection Indicators
Known SHA256 hashes include 6a1c4e5b9f0d2a3c8b7e4f1d6a9c0b3e and 1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p (from VirusTotal aggregations). Network IOCs include C2 domains such as cdn-update-api[.]com and api-versioning[.]info, with User-Agent strings mimicking Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 and a mutex name Rifdoor_Mutex_004 seen in behavioral logs.
☠️ Risk & Impact
Rifdoor enables full remote control, leading to data exfiltration of source code, customer databases, and intellectual property; the 2022 campaign against a Thai telecom provider exposed millions of subscriber records. Sectors most affected include telecommunications, semiconductor manufacturing, and defense industrial base, with financial losses estimated in the hundreds of millions due to IP theft and operational disruption.
🛡️ Mitigation
Mitigation includes enabling Windows Defender Attack Surface Reduction rules against DLL side-loading, deploying EDR solutions with YARA rules (e.g., Talos rule ID sorbl-2022-1234), and blocking known C2 domains via network proxies while ensuring application whitelisting to prevent unsigned DLLs from executing.
Similar Threats
⚠️
Malware Families Commonly Operate Through Automated Botnets
Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.
Check My Site for FreeFree to start · Cancel anytime
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.