Sanny

Malware

⚠️ Overview

Sanny is a Windows backdoor first publicly documented by FireEye in December 2012, when it was delivered through a Russian-language Word document to Russian targets; FireEye revisited the family in March 2018 after observing it delivered through a reworked multi-stage chain. It is a remote access trojan (RAT) used for cyberespionage: it collects host and account information and gives its operators a foothold for follow-on collection. Public reporting has not firmly attributed the operators. The 2012 analysis pointed to a Korean-speaking actor on the basis of Korean-language fonts embedded in the lure document and a Korean bulletin-board site used for command and control.

🔧 Technical Capabilities

Initial access is spear-phishing with weaponized Office documents. Reported lures have exploited CVE-2017-11882, the stack buffer overflow in the Microsoft Office Equation Editor (EQNEDT32.EXE), to fetch and run the payload with no user interaction beyond opening the file; the 2018 campaign documented by FireEye instead used a macro-enabled document that dropped a batch script and a CAB archive to stage the backdoor. Once running, Sanny persists through scheduled tasks and registry Run keys and talks to its command-and-control (C2) servers over HTTP, with request bodies encrypted using RC4 or AES so that content inspection sees only opaque blobs. Evasion relies on process hollowing and DLL sideloading, so the malicious code executes inside, or is loaded by, a legitimate process image. The backdoor can execute arbitrary commands, upload and download files, and capture screenshots. C2 infrastructure commonly uses dynamic DNS hostnames, and compromised legitimate websites are used as intermediaries to hide the true server.
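The C2 traffic described above is RC4- or AES-encrypted HTTP. The Python below is an added example, not Sanny's code or any vendor's analysis tooling: it implements standard RC4, builds a constructed check-in body under an assumed key (sannykey) and an assumed query-string field layout, and shows how an analyst who has recovered the key from a sample decodes captured bodies, plus a printable-plaintext check that separates the right key from wrong candidates.

```python
"""Decoding an RC4-encrypted HTTP C2 body (added example, not Sanny's code).

The key, field layout and host details are assumptions for the example;
the RC4 routine is the standard algorithm.
"""
from urllib.parse import parse_qs


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (key scheduling + keystream generation).

    RC4 is a stream cipher, so the same call encrypts and decrypts.
    """
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Assumed key for the example; a real key is pulled from the binary.
ASSUMED_KEY = b"sannykey"


def build_beacon(host_id: str, user: str, os_name: str) -> bytes:
    """Construct an implant-style check-in body (assumed layout) and encrypt it."""
    plain = f"id={host_id}&user={user}&os={os_name}".encode()
    return rc4(ASSUMED_KEY, plain)


def decode_beacon(body: bytes, key: bytes = ASSUMED_KEY) -> dict:
    """Decrypt a captured body and split the assumed key=value layout."""
    plain = rc4(key, body)
    fields = parse_qs(plain.decode("ascii", errors="replace"))
    return {k: v[0] for k, v in fields.items()}


def looks_like_plaintext(data: bytes) -> bool:
    """A correct key yields printable ASCII; a wrong key yields noise."""
    return all(32 <= b < 127 for b in data)


def try_keys(body: bytes, candidates):
    """Return the first candidate key whose output looks like plaintext, else None."""
    for k in candidates:
        if looks_like_plaintext(rc4(k, body)):
            return k
    return None


if __name__ == "__main__":
    body = build_beacon("WS-0042", "alice", "Windows 7")
    print("encrypted body:", body.hex())
    print("decoded:", decode_beacon(body))
    print("key found:", try_keys(body, [b"wrong", ASSUMED_KEY]))
```

RC4 provides confidentiality only, with no integrity, which is why a captured body can be decrypted and re-encrypted with the same routine; the published RC4 test vectors (key Key, plaintext Plaintext) are a quick sanity check that an implementation is correct before trusting it against real captures.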

📜 History & Notable Incidents

Sanny was first publicly described by FireEye in December 2012, in a campaign that used a Russian-language Word document to deliver the backdoor to Russian targets. In March 2018 FireEye reported a new campaign in which the same backdoor arrived through a reworked multi-stage chain: a macro-enabled document dropped a batch script and a CAB archive that staged the payload. No CVE is assigned to Sanny itself; the only vulnerabilities involved are those in the Office documents used for delivery. No public law enforcement action against its operators has been reported.

🔍 Detection Indicators

Reported indicators include Word documents (.doc) carrying embedded OLE objects, C2 domains registered through Namecheap, and the User-Agent string Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1), which identifies Internet Explorer 6 on Windows XP and should not appear from any current host. Persistence artifacts include a value named Sanny under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and the mutex SannyMutex. No sample hashes are reproduced here; take current hashes from the original vendor reports rather than from aggregated listings.

☠️ Risk & Impact

Sanny is a high-risk threat for the government and defence organisations it targets because its value lies in quiet, sustained collection rather than disruption: stolen documents and credentials leave through encrypted C2 channels that blend in with ordinary web traffic. The dominant impact is intelligence loss. Financial costs are indirect but real, covering incident response, rebuilds of affected hosts and revocation of exposed credentials.

🛡️ Mitigation

Apply the November 2017 Microsoft Office security updates that fix CVE-2017-11882 (or remove the Equation Editor component entirely, as Microsoft's January 2018 Office updates did), block macros in Office documents that arrive from the internet, and filter or detonate OLE-bearing attachments at the mail gateway. On endpoints, deploy detection rules such as YARA signatures for Sanny's encryption routines and alert on the persistence artifacts listed above. Network monitoring should flag HTTP requests carrying opaque encrypted bodies from hosts that have no business sending them, along with the obsolete User-Agent string and known C2 domains.
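The indicators listed under Detection Indicators and the network-monitoring advice here translate directly into a log triage script. The Python below is an added example, not vendor or project code: it parses constructed proxy log lines in an assumed format, matches the exact User-Agent string, an assumed dynamic-DNS suffix watchlist and an assumed known-C2 hostname (update-check.example), and adds a beaconing heuristic that flags client/host pairs whose request intervals are near-constant, which is how an implant's scheduled check-ins stand out from human browsing. Adapt the regex and watchlists to your own proxy format and threat intel.

```python
"""Proxy-log triage for the Sanny indicators (added example, not vendor code).

Log format, hosts, timestamps and the dynamic-DNS suffix list are constructed
for the example; the User-Agent string is the one reported for the implant.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Exact obsolete User-Agent reported for the implant.
SANNY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
# Assumed watchlist of dynamic-DNS suffixes; extend from your own intel.
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".hopto.org", ".dyndns.org")
# Assumed known-C2 entry from threat intel (placeholder name).
KNOWN_C2 = {"update-check.example"}

# Assumed line format: timestamp client method host path status "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<host>\S+) (?P<path>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample: one host beaconing every ~5 minutes, one normal user,
# one host touching the assumed known-C2 name.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 POST srv42.ddns.net /upload.php 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2024-05-01T09:05:00 10.0.0.5 POST srv42.ddns.net /upload.php 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2024-05-01T09:10:01 10.0.0.5 POST srv42.ddns.net /upload.php 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2024-05-01T09:15:00 10.0.0.5 POST srv42.ddns.net /upload.php 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2024-05-01T09:02:13 10.0.0.7 GET www.example.org /index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0"
2024-05-01T09:41:50 10.0.0.7 GET www.example.org /news 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0"
2024-05-01T10:03:07 10.0.0.9 GET update-check.example /ping 404 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
"""


def parse_log(text):
    """Parse lines matching LOG_RE into dicts; silently skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events


def ioc_hits(events):
    """Per-event matches against the static indicators: (client, host, reasons)."""
    hits = []
    for e in events:
        reasons = []
        if e["ua"] == SANNY_UA:
            reasons.append("sanny-user-agent")
        if e["host"].endswith(DYNDNS_SUFFIXES):
            reasons.append("dynamic-dns-host")
        if e["host"] in KNOWN_C2:
            reasons.append("known-c2")
        if reasons:
            hits.append((e["client"], e["host"], reasons))
    return hits


def beaconing(events, min_requests=4, max_cv=0.1):
    """Flag (client, host) pairs whose inter-request gaps are near-constant.

    Returns {pair: mean_interval_seconds} for pairs with at least min_requests
    requests and a coefficient of variation of the gaps at or below max_cv.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["client"], e["host"])].append(e["ts"])
    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            flagged[pair] = round(mean)
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for hit in ioc_hits(events):
        print("IOC hit:", hit)
    for pair, interval in beaconing(events).items():
        print("beaconing:", pair, "every", interval, "seconds")
```

The static matches are cheap but brittle (the operator can change a User-Agent string in minutes); the interval heuristic catches the behaviour that is harder to change, a fixed sleep between check-ins, and is the part worth tuning against your own baseline of scheduled but legitimate traffic such as update checks.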


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.