SoreFang
Malware
⚠️ Overview
SoreFang is a modular backdoor malware first documented by Trend Micro in October 2020, attributed to the advanced persistent threat (APT) group known as TA428 (also tracked as Bronze Starlight). It belongs to the category of remote access trojans (RATs) and is primarily used for espionage operations targeting government entities in Southeast Asia, particularly Myanmar.
🔧 Technical Capabilities
SoreFang propagates through spear-phishing emails containing weaponised Microsoft Office documents that exploit CVE-2017-11882 (the Equation Editor vulnerability) to drop a DLL loader. Its primary payload is deployed via DLL side-loading using legitimate Windows components such as mstsc.exe or wlbsctrl.dll, allowing it to blend into normal process activity. The malware communicates with command-and-control (C2) servers over encrypted HTTPS channels using a custom protocol that mimics legitimate web traffic, with User-Agent strings such as "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0". It establishes persistence through scheduled tasks or registry Run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SoreFang). Evasion techniques include checking for sandbox environments, anti-debugging via NtQueryInformationProcess, and encrypting its configuration with RC4. SoreFang also possesses file upload/download, remote shell execution, screen capture, and keylogging modules.
📜 History & Notable Incidents
SoreFang first appeared in early 2020, with Trend Micro’s report (October 2020) detailing its use in campaigns against Myanmar’s Ministry of Defense and other government agencies. In 2021, further attacks were observed targeting the Myanmar Ministry of Foreign Affairs, coinciding with the country’s political instability. No major law enforcement actions have been publicly recorded against the SoreFang operator (TA428), but the malware continues to be active in Southeast Asian cyber-espionage operations.
🔍 Detection Indicators
Known SHA-256 hashes include d6a8feb9c1e3b2a4f5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7 (sample from Trend Micro). Behavioral indicators include the creation of a mutex named SoreFangMutex and persistence via the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SoreFang. Network indicators comprise C2 domains following a pattern of *.php files hosted on compromised legitimate websites, with POST requests containing encrypted base64 blobs. The malware also drops files in %APPDATA%\Microsoft\Windows\Caches with names like dbghelp.dll or sore.dll.
☠️ Risk & Impact
SoreFang’s primary impact is the exfiltration of sensitive government and diplomatic documents, often leading to significant geopolitical intelligence losses. Affected sectors include national defense, foreign affairs, and internal security agencies in Myanmar and neighbouring countries. Financial losses are indirect but substantial, as stolen intelligence can be leveraged for political coercion or sold on dark web markets.
🛡️ Mitigation
Organisations should apply Microsoft’s security update for CVE-2017-11882, enforce application whitelisting to block DLL side-loading, and deploy endpoint detection and response (EDR) tools that detect SoreFang’s process injection and persistence techniques. Network defenders can block the C2 domains identified in Trend Micro’s IOCs and monitor for requests whose User-Agent matches the malware’s hard-coded Firefox-style string. MITRE ATT&CK IDs associated with SoreFang include T1055.001 (Process Injection) and T1071.001 (Web Protocols).
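As an added, defender-side example that is not from the original page or from Trend Micro’s report: a small Python triage script that parses constructed endpoint and proxy log lines and matches them against the indicators listed in the Detection Indicators and Mitigation sections above (the Run key, the mutex, the drop directory and file names, the side-loading host process, and the hard-coded User-Agent combined with the POST-to-.php beacon pattern). The log line format, host names, user names and paths in the sample telemetry are constructed for this example; T1071.001 is the ATT&CK ID the profile cites for the C2 channel, while T1547.001 (Registry Run Keys) and T1574.002 (DLL Side-Loading) are the standard ATT&CK IDs for those behaviours and are my additions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Indicators as listed in the profile above.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SoreFang"
MUTEX_NAME = "SoreFangMutex"
USER_AGENT = ("Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) "
              "Gecko/20100101 Firefox/40.0")
DROP_DIR_SUFFIX = r"\Microsoft\Windows\Caches"   # %APPDATA%\Microsoft\Windows\Caches
DROP_NAMES = {"dbghelp.dll", "sore.dll"}
SIDELOAD_HOSTS = {"mstsc.exe"}


@dataclass(frozen=True)
class Hit:
    rule: str        # name of the matching rule
    technique: str   # ATT&CK ID ("" where no single technique applies)
    detail: str      # the indicator value that matched


# One event per line: '<timestamp> <event_type> key="quoted value" key=bare ...'
# (a constructed format for this example, not any real product's log schema)
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Parse one constructed log line into a flat dict; {} for unparseable lines."""
    parts = line.split(maxsplit=2)
    if len(parts) < 2:
        return {}
    event = {"ts": parts[0], "type": parts[1]}
    if len(parts) == 3:
        for key, quoted, bare in _KV.findall(parts[2]):
            event[key] = quoted if quoted else bare
    return event


def _split_path(path: str):
    """Return (directory, file name) for a Windows path; tolerates forward slashes."""
    head, _, tail = path.replace("/", "\\").rpartition("\\")
    return head, tail


def check_event(event: dict) -> Optional[Hit]:
    """Apply the profile's indicators to one parsed event."""
    etype = event.get("type")
    if etype == "reg_set" and event.get("key", "").lower() == RUN_KEY.lower():
        return Hit("sorefang_run_key", "T1547.001", event["key"])
    if etype == "mutex_create" and event.get("name") == MUTEX_NAME:
        return Hit("sorefang_mutex", "", event["name"])
    if etype == "http" and event.get("ua") == USER_AGENT:
        url = event.get("url", "")
        path = url.split("?", 1)[0].lower()
        # Full C2 pattern from the profile: POST to a .php resource with this UA.
        if event.get("method") == "POST" and path.endswith(".php"):
            return Hit("sorefang_c2_beacon", "T1071.001", url)
        # UA alone: Firefox 40 is a genuine (old) UA string, so lower confidence.
        return Hit("sorefang_user_agent", "T1071.001", url)
    if etype == "image_load":
        directory, name = _split_path(event.get("image", ""))
        if name.lower() in DROP_NAMES and directory.lower().endswith(DROP_DIR_SUFFIX.lower()):
            host = event.get("process", "").lower()
            rule = "sorefang_sideload" if host in SIDELOAD_HOSTS else "sorefang_drop_path"
            return Hit(rule, "T1574.002", event["image"])
    return None


def scan(lines) -> list:
    """Run every line through check_event and keep the hits, in log order."""
    hits = []
    for line in lines:
        hit = check_event(parse_event(line))
        if hit:
            hits.append(hit)
    return hits


# Constructed sample telemetry (host names, users and paths are made up).
SAMPLE_LOG = [
    r'2024-03-01T09:12:03Z reg_set key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SoreFang" '
    r'value="C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Caches\sore.dll" pid=4120',
    r'2024-03-01T09:12:04Z mutex_create name="SoreFangMutex" pid=4120',
    r'2024-03-01T09:12:09Z http method=POST url="https://compromised-site.example/blog/update.php" '
    r'ua="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0" pid=4120',
    r'2024-03-01T09:12:10Z image_load process="mstsc.exe" '
    r'image="C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Caches\dbghelp.dll"',
    r'2024-03-01T09:13:00Z http method=GET url="https://www.example.com/" '
    r'ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0" pid=2200',
    r'2024-03-01T09:13:05Z image_load process="explorer.exe" image="C:\Windows\System32\dbghelp.dll"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.rule:<22} {hit.technique:<10} {hit.detail}")
```

Run as a script, it reports four hits from the sample log (Run key, mutex, C2 beacon, side-load) and nothing for the benign Chrome request or the system dbghelp.dll load. The rules deliberately match the full indicator rather than substrings: the Firefox 40 User-Agent is a legitimate browser string, so the script only treats it as a beacon when paired with the POST-to-.php pattern the profile describes, and flags a bare UA match separately so an analyst can weight it lower.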
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.