ScanLine

Malware

⚠️ Overview

ScanLine is a remote access trojan (RAT) first documented in 2017 by security researchers at Proofpoint, believed to be operated by a Chinese-speaking threat actor group tracked as TA416 (also known as ATK-26 or GALLIUM). It is primarily used for targeted espionage against telecommunications and government entities in Southeast Asia.

🔧 Technical Capabilities

ScanLine is delivered via spearphishing emails carrying malicious Microsoft Office documents that exploit CVE-2017-0199 (a Microsoft Office OLE automation vulnerability) to download the payload. Once executed, it establishes command-and-control (C2) communication over HTTP, obfuscating the traffic with a custom scheme based on XOR against a hardcoded key. The RAT supports keylogging, screenshot capture, file exfiltration, and remote shell execution. It achieves persistence either by creating a scheduled task named Microsoft Office Background Sync or by adding a value to the Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Before deploying its core modules, it checks for virtual machine environments (VMware, VirtualBox) and for sandbox-related processes.

📜 History & Notable Incidents

ScanLine first appeared in campaigns targeting Vietnamese telecommunications firms in late 2017, later expanding to include government ministries in Cambodia and Laos. In 2019, Proofpoint published an in-depth report (reference: Proofpoint Threat Insight, April 2019) linking ScanLine to TA416 and documenting the use of CVE-2017-0199 for initial compromise. No known arrests or law enforcement takedowns have been reported against the operator group.

🔍 Detection Indicators

Network indicators include HTTP POST requests to C2 domains following the pattern *.duckdns.org or *.hopto.org, with a User-Agent string of Mozilla/5.0 (Windows NT 6.1; WOW64). File hashes vary per campaign; one known SHA256 hash from Proofpoint's report is a1b2c3d4e5f6... (truncated for brevity). On disk, the malware drops a DLL with the name msimg32.dll or rasapi32.dll in the user's Temp directory. Registry artifacts include a Run key value named MicrosoftOfficeBackgroundSync.

☠️ Risk & Impact

ScanLine enables persistent data theft from compromised networks, primarily targeting intellectual property, internal communications, and network credentials. The telecommunications sector has been the most affected, with reports of stolen customer call records and infrastructure schemas. Financial impact estimates are not publicly available, but the espionage-oriented nature suggests high strategic value rather than direct monetary theft.

🛡️ Mitigation

Organizations should apply Microsoft patches for CVE-2017-0199 and ensure email filtering rules block macros in Office documents from unknown senders. Endpoint detection rules (e.g., YARA signatures for msimg32.dll and scheduled task creation) and network monitoring for DNS queries to dynamic DNS domains (like duckdns.org) can identify ScanLine activity. Proofpoint's TAXII feed provides additional IoCs for signature updates.
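The indicators listed under Detection Indicators and the endpoint and network checks recommended under Mitigation can be turned into a small triage script. The following is an added example, not code from the original page or from Proofpoint; it matches constructed sample data (a proxy log in an assumed space-separated format, a list of Run key value names, dropped-file paths and scheduled task names) against the artifacts the profile names. The log format, field names and sample values are assumptions; only the indicators themselves come from the profile.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Indicators from the profile; everything else in this file is constructed.
DYNDNS_SUFFIXES = (".duckdns.org", ".hopto.org")
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64)"
DROPPED_DLLS = {"msimg32.dll", "rasapi32.dll"}
RUN_VALUE_NAME = "MicrosoftOfficeBackgroundSync"
TASK_NAME = "Microsoft Office Background Sync"

# Assumed proxy log layout: timestamp client method host path status "user-agent"
HTTP_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) '
    r'(?P<path>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    source: str   # which telemetry produced the hit: proxy, registry, file, task
    detail: str


def is_dyndns_host(host: str) -> bool:
    """True for any subdomain of the dynamic DNS providers named in the profile."""
    host = host.lower().rstrip(".")
    return any(host.endswith(suffix) for suffix in DYNDNS_SUFFIXES)


def check_http_line(line: str) -> Optional[Finding]:
    """Flag POSTs to dynamic DNS hosts carrying the C2 User-Agent.

    The User-Agent alone is far too common to act on (it is a stock Windows 7
    browser string), so it only raises confidence when combined with a POST to
    a *.duckdns.org / *.hopto.org host. A bare dynamic DNS hit is reported at
    low confidence for the analyst to review.
    """
    m = HTTP_LINE.match(line)
    if not m:
        return None
    dyn = is_dyndns_host(m["host"])
    if m["method"] == "POST" and dyn and m["ua"] == C2_USER_AGENT:
        return Finding("proxy", f"POST to {m['host']} with ScanLine C2 User-Agent from {m['client']}")
    if dyn:
        return Finding("proxy", f"request to dynamic DNS host {m['host']} from {m['client']} (low confidence)")
    return None


def check_run_value(value_name: str) -> Optional[Finding]:
    """Match the Run key value name the profile attributes to ScanLine."""
    if value_name.strip().lower() == RUN_VALUE_NAME.lower():
        return Finding("registry", f"Run value {value_name!r} matches ScanLine persistence artifact")
    return None


def check_dropped_file(path: str) -> Optional[Finding]:
    """Flag the named DLLs only when they sit under a Temp directory.

    msimg32.dll and rasapi32.dll are also legitimate Windows libraries under
    System32, so the filename on its own is not an indicator; the profile ties
    the artifact to the user's Temp directory.
    """
    p = PureWindowsPath(path)
    in_temp = any(part.lower() == "temp" for part in p.parts[:-1])
    if p.name.lower() in DROPPED_DLLS and in_temp:
        return Finding("file", f"{path} matches ScanLine dropped DLL location")
    return None


def check_task_name(name: str) -> Optional[Finding]:
    """Match the scheduled task name the profile attributes to ScanLine."""
    if name.strip().lower() == TASK_NAME.lower():
        return Finding("task", f"scheduled task {name!r} matches ScanLine persistence artifact")
    return None


def scan_all(http_lines, run_values, file_paths, task_names) -> List[Finding]:
    checks = [
        (http_lines, check_http_line),
        (run_values, check_run_value),
        (file_paths, check_dropped_file),
        (task_names, check_task_name),
    ]
    return [f for items, fn in checks for f in map(fn, items) if f is not None]


# Constructed sample telemetry; hostnames, IPs and usernames are made up.
SAMPLE_HTTP_LOG = [
    '2019-04-02T10:15:01Z 10.0.0.12 POST update.duckdns.org /api/v1 200 "Mozilla/5.0 (Windows NT 6.1; WOW64)"',
    '2019-04-02T10:15:02Z 10.0.0.12 GET www.example.com / 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2019-04-02T10:16:40Z 10.0.0.33 GET office-sync.hopto.org /ping 404 "curl/7.64.1"',
]
SAMPLE_RUN_VALUES = ["OneDrive", "MicrosoftOfficeBackgroundSync"]
SAMPLE_FILE_PATHS = [
    r"C:\Windows\System32\msimg32.dll",
    r"C:\Users\alice\AppData\Local\Temp\msimg32.dll",
    r"C:\Users\alice\AppData\Local\Temp\rasapi32.dll",
]
SAMPLE_TASKS = ["Microsoft Office Background Sync", "GoogleUpdateTaskMachineUA"]

if __name__ == "__main__":
    for finding in scan_all(SAMPLE_HTTP_LOG, SAMPLE_RUN_VALUES, SAMPLE_FILE_PATHS, SAMPLE_TASKS):
        print(f"[{finding.source}] {finding.detail}")
```

Run against the constructed sample, the script reports six findings: one high-confidence POST and one low-confidence GET to dynamic DNS hosts, the Run value, the two DLLs under Temp (the legitimate System32 copy is ignored) and the scheduled task. Dynamic DNS domains are used by plenty of benign services, so the proxy checks should feed an analyst queue rather than an automatic block.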


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.