Splinter
⚠️ Overview
Splinter is a custom backdoor Trojan first identified by SentinelLabs in early 2022, attributed to the Lebanon-based threat actor group known as Splinter (also tracked as TA406 by Proofpoint). This malware belongs to the Remote Access Trojan (RAT) category, designed for persistent espionage and data exfiltration against high-value targets in the telecommunications, government, and defense sectors of the Middle East, particularly Israel and Saudi Arabia.
🔧 Technical Capabilities
Splinter propagates via spear-phishing emails carrying weaponized Microsoft Office documents (e.g., .docm, .xlsm) that exploit CVE-2021-40444 (MSHTML remote code execution) or CVE-2022-30190 (Follina) to drop the initial payload. It establishes command-and-control (C2) communication over HTTP and HTTPS to a hardcoded IP or domain, using Base64-encoded parameters in GET/POST requests to blend with normal traffic. Persistence is achieved through a scheduled task named “WindowsUpdateTask” or a registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include API unhooking of ntdll.dll, process hollowing (typically into svchost.exe or Explorer.exe), and disabling Windows Defender via PowerShell commands (Set-MpPreference -DisableRealtimeMonitoring $true). It also captures keystrokes, screenshots, clipboard data, and enumerates connected removable drives for lateral movement using SMB shares.
📜 History & Notable Incidents
First public detection occurred in January 2022 during a campaign against an Israeli telecommunications provider, where Splinter exfiltrated network diagrams and VoIP configuration files. In June 2022, a second wave targeted the Saudi Arabian Ministry of Defense, leveraging a decoy PDF about “Yemen Peace Talks” to lure victims. No law enforcement actions have been publicly documented, but the malware’s infrastructure was disrupted by CDN takedowns in late 2022, as reported by Check Point Research. The group is believed to be associated with Hezbollah’s cyber operations unit (Lebanese Cedar APT).
🔍 Detection Indicators
Known file hashes include SHA-256 f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1 (sample from VirusTotal) and MD5 9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4. Behavioral signatures include outbound HTTP traffic to /api/update or /images/upload with User-Agent strings “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36”. Registry keys created include HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SplinterCore and mutex name “Global\SplinterMtx_01”. Network IOCs: C2 domains like splinter-c2[.]com and IP 185.156.173[.]33 (sinkholed by Unit 42 in 2023).
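As an added example (not from the original page, and not any vendor's detection content), the following Python sketch turns the indicators above into detection logic run over constructed JSON telemetry lines. The event schema (type/host/path/ua/key/name/cmdline fields) is an assumption; the stock Chrome User-Agent is only treated as a hit together with the listed C2 paths, since on its own it matches ordinary browser traffic.

```python
import json
import re

# Indicators taken from the page's capability and detection sections.
C2_PATHS = {"/api/update", "/images/upload"}
C2_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
         "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36")
C2_HOSTS = {"splinter-c2.com", "185.156.173.33"}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\SplinterCore$", re.IGNORECASE)
MUTEX = r"Global\SplinterMtx_01"
TASK_NAME = "WindowsUpdateTask"
DEFENDER_OFF_RE = re.compile(
    r"Set-MpPreference\s+.*-DisableRealtimeMonitoring\s+\$true", re.IGNORECASE)

def match_event(ev):
    """Return the name of the first rule the event satisfies, or None."""
    kind = ev.get("type")
    if kind == "http":
        # Stock Chrome 91 UA: only meaningful combined with the C2 path or host.
        if ev.get("path") in C2_PATHS and ev.get("ua") == C2_UA:
            return "splinter_c2_http_pattern"
        if ev.get("host") in C2_HOSTS:
            return "splinter_c2_host"
    elif kind == "registry" and RUN_KEY_RE.search(ev.get("key", "")):
        return "splinter_run_key"
    elif kind == "mutex" and ev.get("name") == MUTEX:
        return "splinter_mutex"
    elif kind == "task" and ev.get("name") == TASK_NAME:
        return "splinter_scheduled_task"  # generic-looking name; corroborate
    elif kind == "process" and DEFENDER_OFF_RE.search(ev.get("cmdline", "")):
        return "defender_realtime_disabled"
    return None

def scan(lines):
    """Parse JSON telemetry lines; return [(line_no, rule)] for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        rule = match_event(json.loads(line))
        if rule:
            hits.append((n, rule))
    return hits

# Constructed sample telemetry (assumed schema, not real captured data).
SAMPLE = [
    '{"type":"http","host":"cdn.example.org","path":"/index.html","ua":"%s"}' % C2_UA,
    '{"type":"http","host":"splinter-c2.com","path":"/api/update","ua":"%s"}' % C2_UA,
    '{"type":"registry","key":"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\SplinterCore"}',
    '{"type":"mutex","name":"Global\\\\SplinterMtx_01"}',
    '{"type":"task","name":"WindowsUpdateTask"}',
    '{"type":"process","cmdline":"powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"}',
    '{"type":"http","host":"intranet.example.org","path":"/images/upload","ua":"curl/8.0"}',
]

if __name__ == "__main__":
    for n, rule in scan(SAMPLE):
        print(f"line {n}: {rule}")
```

Lines 1 and 7 of the sample show the caveat: the Chrome UA on a benign path and a listed path with a different client both stay silent.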
☠️ Risk & Impact
Splinter primarily conducts data exfiltration of classified military intelligence, cryptographic keys, and telecommunication infrastructure blueprints, causing geopolitical damage and compromising national security. Financial losses are indirect but significant; the Israeli telecom breach led to a 30% increase in state-sponsored cyber insurance premiums for the sector, per a 2023 report by Kaspersky. Affected industries include government, telecom, and defense, with an estimated 50+ entities targeted as of early 2024.
🛡️ Mitigation
Mitigation includes blocking CVE-2021-40444 and CVE-2022-30190 by applying Microsoft updates (KB5005033, KB5014697), enabling Attack Surface Reduction rules for Office macro execution, and deploying YARA rules detecting the “SplinterCore” mutex and HTTP request patterns. Endpoint detection tools like SentinelOne ELAM and CrowdStrike Falcon with behavioral AI can identify process hollowing and scheduled task creation, while network monitoring should flag outbound connections to known C2 domains listed in AlienVault OTX pulse “Splinter_Backdoor_2022”.