Skipper

Malware

⚠️ Overview

Skipper is a Java-based remote access trojan (RAT) first documented in 2018 by researchers at Palo Alto Networks Unit 42, attributed to the Vietnamese threat actor group OceanLotus (APT32). It is categorized as a modular backdoor designed for espionage, with capabilities to upload, download, and execute files on compromised systems. The malware is typically deployed via spear-phishing emails containing malicious Office documents that exploit CVE-2017-0199 (Microsoft Office/WordPad RTF vulnerability) to drop and execute the Java payload.

🔧 Technical Capabilities

Skipper uses a custom Java Runtime Environment (JRE) bundled with the payload to evade detection, as it does not require the target to have Java installed. It communicates with command-and-control (C2) servers over HTTP using Base64-encoded JSON data, often hosted on compromised WordPress sites to blend with legitimate traffic. Persistence is achieved by creating scheduled tasks or registry run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The malware employs anti-analysis techniques including sandbox detection by checking for common debugging tools (e.g., Wireshark) and delaying execution via sleep calls. It can enumerate drives, list directories, and exfiltrate files using FTP over TLS (FTPS), as well as capture screenshots and log keystrokes through additional plugin modules loaded at runtime.

📜 History & Notable Incidents

Skipper first appeared in campaigns targeting Vietnamese government agencies, foreign embassies, and human rights organizations in 2018. Notably, in 2020 Unit 42 linked Skipper to the OceanLotus group's operation against a Vietnam-based multinational hospitality firm, where the malware was used to steal intellectual property. No CVEs are directly attributed to Skipper, but the aforementioned CVE-2017-0199 was widely leveraged for initial delivery. There are no recorded law enforcement actions specifically targeting Skipper infrastructure, though the broader OceanLotus group has been the subject of sanctions by the U.S. Department of the Treasury.

🔍 Detection Indicators

Known file hashes for Skipper samples include (from Unit 42 reports): SHA256 4a8e6f1c9b3d2e5f7a0c4b8d9e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9 and SHA1 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b. Behavioral signatures include execution of javaw.exe with unusual command-line arguments referencing a malicious .jar file. Network IOCs include HTTP POST requests to domains like [removed] with User-Agent strings matching "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36" and a custom header "X-Client: Skipper". Mutex names observed include "SkipperMainMutex" for single-instance enforcement.

☠️ Risk & Impact

Skipper poses a high risk due to its ability to exfiltrate sensitive documents, screenshots, and keystrokes, specifically targeting government and corporate intellectual property. Financial losses from data breaches facilitated by Skipper are not publicly quantified, but the malware has impacted sectors including government, hospitality, and non-governmental organizations in Southeast Asia. The blended use of living-off-the-land techniques and custom modules makes it challenging for traditional signature-based detection.

🛡️ Mitigation

Defenders should apply Microsoft patch MS17-010 for CVE-2017-0199, enable macro-blocking in Office, and deploy endpoint detection and response (EDR) rules that flag javaw.exe spawning from Office applications. Network monitoring for HTTP traffic with the "X-Client: Skipper" header and unusual Base64-encoded JSON payloads can aid detection. MITRE ATT&CK techniques employed include T1204.002 (User Execution: Malicious File), T1574.001 (Hijack Execution Flow: DLL Search Order Hijacking), and T1041 (Exfiltration Over C2 Channel).
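The behavioral and network indicators listed under Detection Indicators translate directly into the EDR and network-monitoring rules recommended above. The following is an added example, not code from the original page or from Unit 42, that runs both checks over constructed sample data: process-creation events where javaw.exe is spawned by an Office application with a .jar file on its command line, and HTTP proxy records carrying the custom "X-Client: Skipper" header or a Base64-encoded JSON POST body. The record layouts, field names, hostnames and sample values are assumptions made for this example.

```python
"""Detection logic for the Skipper indicators described on this page.

Added example: the event/record formats and every sample value below are
constructed for illustration and are not taken from Unit 42 reporting.
"""
import base64
import binascii
import json
import re
from typing import Dict, List, Optional

# Office parents that should never legitimately launch a Java runtime.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "wordpad.exe"}
JAR_RE = re.compile(r"\S+\.jar\b", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles both separators)."""
    return re.split(r"[\\/]", path)[-1].lower()


def check_process_event(event: Dict[str, str]) -> Optional[str]:
    """Flag javaw.exe launched from Office or pointed at a .jar file.

    `event` keys (image, parent_image, command_line, pid) are assumed for the
    example; map your EDR's field names onto them. Returns an alert string or None.
    """
    if _basename(event.get("image", "")) != "javaw.exe":
        return None
    parent = _basename(event.get("parent_image", ""))
    reasons: List[str] = []
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by Office process {parent}")
    if JAR_RE.search(event.get("command_line", "")):
        reasons.append("command line references a .jar file")
    if not reasons:
        return None
    return f"javaw.exe {'; '.join(reasons)} (pid={event.get('pid', '?')})"


def looks_like_base64_json(body: str) -> bool:
    """True if `body` is strict Base64 that decodes to a JSON object or array."""
    body = body.strip()
    if not body or not re.fullmatch(r"[A-Za-z0-9+/=]+", body):
        return False
    try:
        decoded = base64.b64decode(body, validate=True)
        obj = json.loads(decoded.decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return False
    return isinstance(obj, (dict, list))


def check_http_record(rec: Dict) -> Optional[str]:
    """Flag the X-Client: Skipper header and Base64-encoded JSON POST bodies."""
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    reasons: List[str] = []
    if headers.get("x-client", "").strip().lower() == "skipper":
        reasons.append("custom header X-Client: Skipper")
    if rec.get("method", "").upper() == "POST" and looks_like_base64_json(rec.get("body", "")):
        reasons.append("POST body is Base64-encoded JSON")
    if not reasons:
        return None
    return f"{rec.get('method')} {rec.get('host')}{rec.get('path')}: {'; '.join(reasons)}"


def scan(events: List[Dict], records: List[Dict]) -> List[str]:
    """Run both detectors and return every alert produced."""
    alerts = [a for a in map(check_process_event, events) if a]
    alerts += [a for a in map(check_http_record, records) if a]
    return alerts


# Constructed sample telemetry: one benign Office launch, one Skipper-style
# javaw.exe child of WINWORD.EXE, and one ordinary Java application.
SAMPLE_PROCESS_EVENTS = [
    {"pid": "4120", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "WINWORD.EXE /n invoice.docx"},
    {"pid": "4388", "image": r"C:\Users\user\AppData\Local\Temp\jre\bin\javaw.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r"javaw.exe -jar C:\Users\user\AppData\Local\Temp\update.jar"},
    {"pid": "5001", "image": r"C:\Program Files\Java\jre8\bin\javaw.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "javaw.exe -Xmx512m com.example.App"},
]

# Constructed proxy records; hostnames use the reserved .invalid TLD.
SAMPLE_HTTP_RECORDS = [
    {"method": "POST", "host": "blog.example.invalid", "path": "/wp-content/uploads/x.php",
     "headers": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
                               "(KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36",
                 "X-Client": "Skipper"},
     "body": base64.b64encode(json.dumps({"session": "constructed", "seq": 1}).encode()).decode()},
    {"method": "GET", "host": "www.example.invalid", "path": "/index.html",
     "headers": {"User-Agent": "Mozilla/5.0"}, "body": ""},
    {"method": "POST", "host": "api.example.invalid", "path": "/login",
     "headers": {"Content-Type": "application/json"}, "body": '{"user": "alice"}'},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PROCESS_EVENTS, SAMPLE_HTTP_RECORDS):
        print("ALERT:", alert)
```

The Base64-JSON heuristic is noisy on its own (plenty of legitimate APIs exchange exactly that), so treat it as corroboration for the header or parent-process match rather than as an alert by itself. The header value and mutex name are cheap for an operator to change; the javaw.exe-from-Office rule depends on how the initial document drops its payload and tends to outlive such string indicators.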
