SlowStepper

Malware

⚠️ Overview

SlowStepper is a modular backdoor trojan first publicly documented by Trend Micro in December 2021 and attributed to the Chinese threat actor group Earth Lusca. It is categorized as a Remote Access Trojan (RAT) and is used primarily for espionage against government, defense, and telecommunications organizations in Southeast Asia and Africa. The malware is one component of a larger toolset used in targeted intrusions against organizations in Myanmar, the Philippines, and Nigeria.

🔧 Technical Capabilities

SlowStepper employs several evasion techniques, including extended sleep calls intended to outlast sandbox analysis windows and DNS-over-HTTPS (DoH) for covert C2 communications, as documented in Trend Micro's threat report (December 2021). It uses a custom DNS tunneling protocol over TXT records to exfiltrate data and receive commands; because the traffic reaches the internet through the organization's own resolvers and looks like ordinary name resolution, it is hard to spot without resolver query logging or passive DNS. Persistence is achieved through registry Run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run) and scheduled tasks. The initial infection vector is spear-phishing email carrying malicious Office documents that exploit the Equation Editor vulnerabilities CVE-2017-11882 and CVE-2018-0802. Once installed, the malware can execute arbitrary shell commands, upload and download files, and enumerate system information, with modular plugins for keylogging and credential theft.

📜 History & Notable Incidents

First identified in mid-2021, SlowStepper was used in a series of campaigns from September to November 2021 against Myanmar's telecommunications sector, likely to gather intelligence on political dissidents and opposition groups, according to Trend Micro's report. A separate operation in 2022 targeted Nigerian government entities, using unpatched Microsoft Exchange servers (ProxyLogon, CVE-2021-26855) for initial access. No law enforcement action disrupting the group has been made public, and the malware remains in use in a small number of highly targeted attacks.

🔍 Detection Indicators

Indicators of compromise (IOCs) include distinctive DNS query patterns to specific domains (e.g., *.updates-service[.]com and *.cdn-services[.]net), as detailed in Trend Micro's public IOC list. Observed file hashes include SHA1 2d1c1e7a3f9b8c0d4e5f6a7b8c9d0e1f2a3b4c5d for the main dropper, and registry modifications such as a WindowsUpdateService value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Behavioral signatures include sustained DNS TXT queries from internal hosts to domains the organization does not normally resolve, and mutex names such as Global\SlowStepper_Mutex_2021. File hashes change with every rebuild of the dropper, so the behavioral and registry indicators are the more durable ones to alert on.

☠️ Risk & Impact

SlowStepper poses a high risk due to its ability to exfiltrate sensitive government and telecommunications data, potentially enabling long-term espionage campaigns. Financial losses are not directly quantified, but the impact on national security in affected regions is significant, with the Philippine Department of Information and Communications Technology confirming breaches in 2022 linked to the group. The malware primarily affects Windows systems in Southeast Asian and African government and telecom sectors.

🛡️ Mitigation

Defenders should prioritize patching the vulnerabilities SlowStepper campaigns have exploited (CVE-2017-11882, CVE-2018-0802, and the ProxyLogon Exchange CVEs), and deploy network detection rules for anomalous DNS TXT query volume (the report's figure of more than 50 TXT queries per hour from a single host is a starting baseline that should be tuned against the environment's normal traffic; hosts running mail or anti-spam software legitimately issue TXT queries for SPF and DMARC records). Such rules require resolver query logging or passive DNS collection, and outbound DNS and DoH to unapproved resolvers should be blocked so that tunneled traffic has to pass through monitored infrastructure. Trend Micro's Apex One and Deep Discovery Inspector provide signatures for this malware. Relevant MITRE ATT&CK techniques for behavioral monitoring are T1071.004 (Application Layer Protocol: DNS) and T1571 (Non-Standard Port) for the C2 channel, and T1547.001 (Registry Run Keys) and T1053.005 (Scheduled Task) for the persistence mechanisms described above.
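The following is an added example of how the DNS-side detections described in the Detection Indicators and Mitigation sections could be implemented over resolver query logs. It is illustrative code written for this page, not code from Trend Micro, from the page's original source, or from the malware. The log line format, the host addresses and the query names are constructed for the example; only the two IOC domains and the more-than-50-TXT-queries-per-hour rule of thumb come from the text. It also adds a third, more general check that the page does not spell out: tunneled data shows up as unusually long, high-entropy DNS labels.

```python
"""Detect DNS-TXT tunnelling patterns over constructed resolver logs.

Added example for this page; not Trend Micro's, the page author's or the
malware's code. Log format, hosts and names are constructed. Taken from the
page: the two IOC domains and the >50 TXT queries/hour/host rule of thumb.
"""
import base64
import hashlib
import math
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

IOC_DOMAINS = ("updates-service.com", "cdn-services.net")  # from the page's IOC list
TXT_RATE_THRESHOLD = 50   # TXT queries per host in any one-hour window (page's figure)
LONG_LABEL = 40           # a label this long is rare in human-chosen hostnames (assumption)
ENTROPY_THRESHOLD = 3.5   # bits per character; base32/base64 chunks score well above this

# Constructed log line format: "<iso-timestamp> client <ip> query: <name> IN <type>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<src>[\d.]+) query: (?P<qname>\S+) IN (?P<qtype>[A-Z]+)$")


def shannon_entropy(s):
    """Bits per character of s (0.0 for the empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["qname"] = ev["qname"].rstrip(".").lower()
    return ev


def ioc_match(qname):
    """Return the IOC domain that qname equals or sits under, else None."""
    for d in IOC_DOMAINS:
        if qname == d or qname.endswith("." + d):
            return d
    return None


def looks_encoded(qname):
    """True if any label is both long and high-entropy, as tunnelled chunks are."""
    return any(len(lab) >= LONG_LABEL and shannon_entropy(lab) >= ENTROPY_THRESHOLD
               for lab in qname.split("."))


def peak_per_hour(times):
    """Largest number of events falling inside any sliding one-hour window."""
    times = sorted(times)
    peak = j = 0
    for i, t in enumerate(times):
        while times[j] < t - timedelta(hours=1):
            j += 1
        peak = max(peak, i - j + 1)
    return peak


def analyse(lines):
    """Per source host: matched IOC domains, encoded-looking names, peak TXT rate."""
    per_host = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        per_host[ev["src"]].append(ev)
    findings = {}
    for src, evs in per_host.items():
        findings[src] = {
            "ioc": {d for d in (ioc_match(e["qname"]) for e in evs) if d},
            "encoded": {e["qname"] for e in evs if looks_encoded(e["qname"])},
            "txt_peak_per_hour": peak_per_hour(
                [e["ts"] for e in evs if e["qtype"] == "TXT"]),
        }
    return findings


def alerts(findings):
    """Hosts that trip any of the three checks, with the reasons, sorted by host."""
    out = []
    for src, f in sorted(findings.items()):
        reasons = []
        if f["txt_peak_per_hour"] > TXT_RATE_THRESHOLD:
            reasons.append(f"{f['txt_peak_per_hour']} TXT queries within one hour")
        if f["ioc"]:
            reasons.append("IOC domain: " + ", ".join(sorted(f["ioc"])))
        if f["encoded"]:
            reasons.append(f"{len(f['encoded'])} long high-entropy labels")
        if reasons:
            out.append((src, reasons))
    return out


def make_sample_log():
    """Constructed traffic: one beaconing host (10.0.0.5) and one ordinary one (10.0.0.7)."""
    t0 = datetime(2021, 10, 5, 9, 0, 0)
    lines = []
    # A TXT query every 30 s with a base32 chunk in the leftmost label: this is what
    # exfiltration over DNS looks like from the resolver's side. The chunk bytes are
    # derived from a hash purely to stand in for encoded data.
    for i in range(60):
        chunk = base64.b32encode(hashlib.sha256(f"chunk{i}".encode()).digest()[:30]).decode()
        lines.append(f"{(t0 + timedelta(seconds=30 * i)).isoformat()} client 10.0.0.5 "
                     f"query: {chunk}.{i}.updates-service.com. IN TXT")
    # Ordinary lookups, including two legitimate TXT records (SPF/DMARC style).
    for i, (name, qtype) in enumerate([("www.example.com", "A"), ("_dmarc.example.com", "TXT"),
                                       ("mail.example.com", "MX"), ("example.com", "TXT")]):
        lines.append(f"{(t0 + timedelta(minutes=10 * i)).isoformat()} client 10.0.0.7 "
                     f"query: {name}. IN {qtype}")
    return lines


if __name__ == "__main__":
    for src, reasons in alerts(analyse(make_sample_log())):
        print(src, "->", "; ".join(reasons))
```

Run stand-alone, the script reports only 10.0.0.5, on all three counts: the TXT rate, the IOC domain, and the encoded labels. The rate check alone would also fire on a mail gateway that validates SPF for many senders, which is why the domain and label checks are combined with it rather than used as a single trigger; the thresholds are assumptions to be tuned per environment.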


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.