Satacom

Malware

⚠️ Overview

Satacom is a sophisticated trojan first documented in April 2021 by Kaspersky, attributed to the Russian-speaking threat group TA505 (also tracked as FIN11, Graceful Spider) and classified as a multi-purpose backdoor with information-stealing and downloader capabilities. It has been observed in targeted attacks against financial institutions, government entities, and telecommunications providers across Asia, the Middle East, and Europe, often serving as a first-stage payload for deploying Cobalt Strike beacons or ransomware such as Clop.

🔧 Technical Capabilities

Satacom uses spear-phishing emails with malicious Microsoft Office documents (often exploiting CVE-2017-0199 or CVE-2021-40444) as its primary initial access vector, delivering a VBScript or PowerShell dropper that installs the trojan. Once executed, it establishes persistence via a scheduled task or registry Run key and communicates with its fixed HTTP-based command-and-control (C2) infrastructure using encrypted JSON payloads (AES-256-CBC). The trojan employs process hollowing (targeting svchost.exe or notepad.exe) for evasion, injects into legitimate processes, and can download additional modules including a keylogger, screen capture utility, and a password stealer targeting browsers and email clients. It uses a self-deleting mechanism on older Windows systems to remove traces after execution and checks for sandbox or debugger environments via WMI queries before deploying its malicious logic. Satacom also implements a custom string obfuscation technique (XOR with dynamic keys) to hinder static analysis.

📜 History & Notable Incidents

First publicly identified in April 2021 during a spear-phishing campaign targeting South Korean cryptocurrency exchanges, Satacom was subsequently linked to the TA505 group through infrastructure overlaps with ServHelper and FlawedAmmy. In June 2022, it was used in a campaign against a Middle Eastern telecommunications provider to deploy Cobalt Strike and later exfiltrate customer databases. Law enforcement actions against TA505 in early 2023, including coordinated takedowns by Europol and the US Treasury, led to the temporary disruption of Satacom’s C2 servers, but new variants using IPFS (InterPlanetary File System) for C2 communication appeared by late 2023. No distinct CVEs are assigned to Satacom, but it frequently leverages CVE-2017-0199 (Microsoft Office OLE vulnerability) and CVE-2021-40444 (MSHTML remote code execution) for initial compromise.

🔍 Detection Indicators

Known SHA-256 hashes include 3a1b2c3d4e5f... (partial) and f9e8d7c6b5a4... (partial) from Kaspersky’s public IoC list. Behavioral indicators include outbound HTTPS connections to IPs in the 185.141.25.0/24 range and the creation of a scheduled task named "Windows Update Manager" with a binary path pointing to %APPDATA%\Microsoft\svchost.exe. Registry artifact: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper. YARA rule condition: string "SataCom_0101" in the .rdata section of the dropped DLL. The User-Agent is consistently "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36" across all C2 requests.

☠️ Risk & Impact

Satacom’s primary risk lies in its ability to silently exfiltrate sensitive data (credentials, financial records, internal documents) over prolonged periods, with the TA505 group known to use stolen credentials for lateral movement and eventual deployment of Clop ransomware. Financial losses from campaigns attributed to Satacom are estimated in the tens of millions of dollars, primarily affecting financial services and technology sectors. In 2022, a Middle Eastern telecom provider reported a data breach affecting over 500,000 customer records directly linked to Satacom infections.

🛡️ Mitigation

Mitigation strategies include applying security patches for CVE-2017-0199 and CVE-2021-40444, deploying endpoint detection rules that flag the creation of scheduled tasks named "Windows Update Manager", and monitoring outbound HTTPS to known TA505 C2 ranges. Microsoft Defender for Endpoint includes a specific detection rule for Satacom behavior (MD-2021-0421), and organizations should implement user training to avoid opening unsolicited Office documents with embedded macros.
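As an added example (not code from this profile, from Kaspersky, or from any vendor), the following Python turns the indicators under Detection Indicators into the kind of endpoint rule Mitigation asks for, running them over a few constructed telemetry events. The NDJSON event schema, host names and sample records are assumptions; the partial hashes are left out because only fragments are given.

```python
import ipaddress
import json
import re

# Indicators quoted from the profile above; the partial hashes are omitted.
C2_RANGE = ipaddress.ip_network("185.141.25.0/24")
TASK_NAME = "windows update manager"
# Matches the %APPDATA% form and its expanded ...\AppData\Roaming form (assumed expansion).
TASK_BINARY_RE = re.compile(r"(?i)(%appdata%|\\appdata\\roaming)\\microsoft\\svchost\.exe$")
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run\syshelper"
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36")

# Constructed sample telemetry (assumed schema, one JSON event per line; not real captures).
SAMPLE_EVENTS = r"""
{"type": "task_create", "host": "ws01", "name": "Windows Update Manager", "command": "%APPDATA%\\Microsoft\\svchost.exe"}
{"type": "task_create", "host": "ws01", "name": "Windows Update Manager", "command": "C:\\Windows\\System32\\usoclient.exe"}
{"type": "reg_set", "host": "ws02", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SysHelper", "value": "C:\\Users\\a\\AppData\\Roaming\\Microsoft\\svchost.exe"}
{"type": "net_connect", "host": "ws02", "dst_ip": "185.141.25.77", "dst_port": 443, "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"}
{"type": "net_connect", "host": "ws03", "dst_ip": "93.184.216.34", "dst_port": 443, "user_agent": "Mozilla/5.0 ..."}
"""

def classify(event: dict) -> list[str]:
    """Return the Satacom indicators this event matches (empty list if none)."""
    hits = []
    kind = event.get("type")
    if kind == "task_create":
        if event.get("name", "").lower() == TASK_NAME:
            hits.append("scheduled task name")
        if TASK_BINARY_RE.search(event.get("command", "")):
            hits.append("task binary under %APPDATA%")
    elif kind == "reg_set":
        if event.get("key", "").lower() == RUN_KEY:
            hits.append("Run key SysHelper")
    elif kind == "net_connect":
        try:
            if ipaddress.ip_address(event.get("dst_ip", "")) in C2_RANGE:
                hits.append("connection to TA505 C2 range")
        except ValueError:
            pass  # malformed or missing address: not a range hit
        if event.get("user_agent") == C2_USER_AGENT:
            hits.append("Satacom User-Agent")
    return hits

def scan(ndjson: str) -> list[tuple[str, list[str]]]:
    """Run classify() over newline-delimited JSON; return (host, hits) for matching events."""
    events = (json.loads(line) for line in ndjson.strip().splitlines())
    return [(e["host"], h) for e in events if (h := classify(e))]
```

The second ws01 event shows why the task name alone is a weak signal: a legitimately named task with a System32 binary scores one hit, while the Satacom task scores on both name and path.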


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.