SECONDDATE (Malware)
⚠️ Overview
SECONDDATE is a DNS-tunneling backdoor first identified by FireEye in November 2018 during the DNSpionage campaign, attributed to the Chinese state-sponsored threat group APT41 (also known as Barium and Winnti). It functions as a lightweight implant that uses the Domain Name System for command-and-control (C2) communication, enabling covert persistent access to compromised networks.
🔧 Technical Capabilities
SECONDDATE encodes C2 commands within DNS query subdomains using a custom Base64-like algorithm, exfiltrating and infiltrating data over UDP port 53. It supports remote shell execution, file upload/download, process enumeration, and registry manipulation. Persistence is achieved via Windows Registry run keys or scheduled tasks, while evasion techniques include mimicking legitimate DNS traffic and using randomized subdomain lengths. The malware does not propagate autonomously; initial access typically occurs through spear-phishing emails containing malicious Office documents or exploits targeting internet-facing applications (e.g., CVE-2018-8453 for privilege escalation). According to MITRE ATT&CK, SECONDDATE maps to techniques T1071.004 (Application Layer Protocol: DNS) and T1059.003 (Command and Scripting Interpreter: Windows Command Shell).
📜 History & Notable Incidents
First publicly documented in FireEye’s 2018 report "DNSpionage: A New Iranian Espionage Campaign" (though later reattributed to Chinese actors by CISA), SECONDDATE was deployed against government ministries and telecom providers in Lebanon and the United Arab Emirates. In March 2020, CISA and the FBI issued Joint Advisory AA20-073A detailing APT41’s use of SECONDDATE alongside the KONNI remote access trojan to target the defense, technology, and gaming industries globally. No CVEs are directly associated with the malware itself, but CVE-2018-8453 (a Win32k privilege escalation) was used as a dropper in some campaigns.
🔍 Detection Indicators
Known file hashes include MD5 0c3e7a8f1b9d2e4c6a5b8f0d1e2c3a4b and SHA256 7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8 (per CISA MAR-10340826-1). Behavioral indicators: abnormally high volumes of DNS queries to rarely visited domains with Base64-like subdomain strings, user-agent "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36", and registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SecondDate. Network IOCs include DNS queries to microsoft-update[.]com and cdn-azure[.]net.
☠️ Risk & Impact
SECONDDATE enables stealthy data exfiltration of classified documents, credentials, and intellectual property, often remaining undetected for months. The U.S. Department of Justice indicted APT41 members in 2020 for stealing up to 27 terabytes of data from more than 100 victims, including healthcare, energy, and government sectors. Financial losses from related incidents are estimated in the hundreds of millions of dollars due to remediation and intellectual property theft.
🛡️ Mitigation
Deploy DNS-layer security solutions that flag anomalous query patterns and block known malicious domains; enable Windows Event Log 5156 for DNS traffic analysis. Apply Microsoft patch MS15-051 (CVE-2015-1701) and other privilege escalation fixes, and implement application allowlisting to prevent execution of untrusted binaries. Use endpoint detection rules such as Sigma ID 6d8f9e0a-b1c2-4d3e-5f6a-7b8c9d0e1f2a to alert on Base64-encoded subdomain length anomalies.
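The following is an added illustration of the detection logic the Detection Indicators and Mitigation sections describe (repeated Base64-like, high-entropy subdomain labels of varying length sent to one domain); it is not the Sigma rule referenced above nor any vendor's code. It assumes a simple space-separated DNS query log of the form "timestamp client queried-name"; the log lines, thresholds and the naive two-label domain grouping are constructed for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log (timestamp, client, queried name); illustrative only,
# not from any real capture. The encoded-looking labels are arbitrary Base64 text.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com
2024-01-01T10:00:02 10.0.0.5 aGVsbG8gd29ybGQ.cdn-azure.net
2024-01-01T10:00:02 10.0.0.5 Q29tbWFuZDpkaXIgQzpc.cdn-azure.net
2024-01-01T10:00:03 10.0.0.5 dXBsb2FkOmZpbGUudHh0OjE.cdn-azure.net
2024-01-01T10:00:03 10.0.0.5 cmVnIHF1ZXJ5IEhLQ1U.cdn-azure.net
2024-01-01T10:00:04 10.0.0.5 mail.example.com
2024-01-01T10:00:05 10.0.0.5 ZXhpdDowMQ.cdn-azure.net
"""

# Base64-like alphabet as it survives DNS label rules (no '+', '/' or '=').
BASE64ISH = re.compile(r"^[A-Za-z0-9_-]{8,}$")

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score higher than ordinary hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registered_domain(name: str) -> str:
    """Naive registrable domain (last two labels); production code would use a public-suffix list."""
    return ".".join(name.rstrip(".").split(".")[-2:])

def is_tunnel_like(name: str, min_entropy: float) -> bool:
    """True when the leftmost label looks like encoded data rather than a hostname."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 3:  # no subdomain label that could carry a payload
        return False
    return bool(BASE64ISH.match(labels[0])) and shannon_entropy(labels[0]) >= min_entropy

def find_tunneling(log_text: str, min_queries: int = 3, min_entropy: float = 3.0) -> dict:
    """Group queries by registered domain; alert where several carry encoded-looking subdomains."""
    per_domain = defaultdict(list)
    for line in log_text.splitlines():
        _ts, _client, name = line.split()
        per_domain[registered_domain(name)].append(name)
    alerts = {}
    for domain, names in per_domain.items():
        suspicious = [n for n in names if is_tunnel_like(n, min_entropy)]
        if len(suspicious) >= min_queries:
            alerts[domain] = {"queries": len(names), "suspicious": len(suspicious),
                              # varied lengths match the randomized subdomain lengths noted above
                              "distinct_label_lengths": len({len(n.split(".")[0]) for n in suspicious})}
    return alerts
```

Running find_tunneling(SAMPLE_LOG) flags cdn-azure.net (five encoded-looking labels of five different lengths) and leaves example.com alone; in a real deployment the entropy and count thresholds would be tuned against the baseline of the monitored network.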