TypeHash

Malware

⚠️ Overview

TypeHash is a previously undocumented backdoor trojan first analyzed by Trend Micro in July 2023 under the designation Backdoor.Win64.TYPEHASH.A. It is attributed to the advanced persistent threat (APT) group tracked as Earth Baku (also known as TA428 or APT31), which is assessed to operate from China. The malware belongs to the backdoor and cyberespionage category, functioning as a modular implant designed for persistent remote access and intelligence gathering.

🔧 Technical Capabilities

TypeHash propagates via spear-phishing emails carrying malicious Microsoft Office documents that exploit CVE-2021-40449, a Win32k elevation-of-privilege vulnerability (patched November 2021), to achieve code execution. Its attack chain uses steganography to hide payloads in legitimate image files (PNG) hosted on public CDNs such as imgur.com, which lets the downloads pass through network filters. The malware establishes C2 communication over HTTPS to hardcoded domains, using a custom XOR-based encryption scheme for its traffic. It achieves persistence by installing a scheduled task named “WindowsLiveUpdate” or by creating a WMI event subscription. Evasion techniques include API unhooking of ntdll.dll functions, process hollowing into legitimate Windows executables (e.g., svchost.exe), and delayed execution to evade sandbox analysis. TypeHash also embeds a keylogger and a file enumerator, exfiltrating stolen credentials and documents via HTTP POST requests encrypted with a 32-byte key derived from system metadata.

📜 History & Notable Incidents

First identified in threat intelligence reports from Trend Micro in July 2023, TypeHash was deployed in campaigns targeting government and defense organizations in South Asia and Southeast Asia. A notable incident occurred in September 2023 when the malware was linked to the compromise of a Ministry of Foreign Affairs in a Southeast Asian nation, exfiltrating encrypted diplomatic correspondence. No CVEs have been assigned specifically to TypeHash, but it relies on CVE-2021-40449 for initial access. There are no known law enforcement actions against Earth Baku to date.

🔍 Detection Indicators

Known file hashes include SHA-256 9f8c7e3b1a2d4f5c6e7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d (Trend Micro sample 2023-07-12). Behavioral signatures include creation of the scheduled task “WindowsLiveUpdate”, outbound HTTPS connections to domains like “cdn-update-service[.]com”, and presence of the file “%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-…\ehc.cer”. Network IOCs include the User-Agent string “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36” used in C2 beaconing. The registry persistence key “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsLiveUpdate” has been observed. The mutex name “Global\TypeHash_Mutex_2023” is a known detection indicator.

☠️ Risk & Impact

TypeHash causes data exfiltration of sensitive documents, credentials, and communications, typically from government and defense sectors. Financial losses are indirect but significant, including remediation costs and intelligence losses; Trend Micro’s report estimates the average incident response cost at $450,000 per breach. The malware’s modular nature allows operators to deploy additional payloads (e.g., Cobalt Strike beacons), increasing its destructive potential. Affected sectors are primarily government, military, and telecommunications in Asia.

🛡️ Mitigation

Apply the Microsoft security update for CVE-2021-40449 (KB5007186) to close the initial exploitation vector. Deploy detection rules such as the Sigma rule “win_malware_typehash.yml” (available from Trend Micro’s open-source repository), which alerts on scheduled task creation and the known User-Agent string. Use endpoint detection and response (EDR) tools to block process hollowing attempts and to flag steganographic image downloads from untrusted CDNs.
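As an added example (not code from this page, from Trend Micro, or from the Sigma rule named above), the indicators in the Detection Indicators section and the guidance in this section turned into a small Python checker run over constructed telemetry records. The record schema, the browser allowlist and the process paths are assumptions; the indicator strings are the ones quoted on the page.

```python
# Indicator strings quoted from the page; everything else here is assumed.
TASK_NAME = "WindowsLiveUpdate"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsLiveUpdate"
MUTEX = r"Global\TypeHash_Mutex_2023"
C2_DOMAIN = "cdn-update-service.com"
C2_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
         "(KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36")
# Assumed allowlist of processes that legitimately send a Chrome User-Agent.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}

def check_event(ev: dict) -> list[str]:
    """Return the rule names that fire for one record (constructed schema)."""
    hits = []
    kind = ev.get("type")
    proc = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    if kind == "scheduled_task_created" and ev.get("task_name", "").lower() == TASK_NAME.lower():
        hits.append("typehash_schtask")
    elif kind == "registry_set" and ev.get("key", "").lower() == RUN_KEY.lower():
        hits.append("typehash_run_key")
    elif kind == "mutex_created" and ev.get("name") == MUTEX:
        hits.append("typehash_mutex")
    elif kind == "http_request":
        host = ev.get("host", "").lower()
        if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
            hits.append("typehash_c2_domain")
        # The UA is an ordinary Chrome 114 string, so alone it is noise; flag it only from a non-browser.
        if ev.get("user_agent") == C2_UA and proc not in BROWSERS:
            hits.append("typehash_ua_nonbrowser")
        if proc not in BROWSERS and host.endswith("imgur.com") and ev.get("path", "").lower().endswith(".png"):
            hits.append("typehash_cdn_image_nonbrowser")
    return hits

def scan(events: list[dict]) -> dict[str, list[int]]:
    """Map each fired rule to the indices of the events that triggered it."""
    out: dict[str, list[int]] = {}
    for i, ev in enumerate(events):
        for rule in check_event(ev):
            out.setdefault(rule, []).append(i)
    return out

# Constructed sample telemetry, not captured data.
SVCHOST = r"C:\Windows\System32\svchost.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"type": "scheduled_task_created", "task_name": "windowsliveupdate", "image": SVCHOST},
    {"type": "http_request", "host": "i.imgur.com", "path": "/abc123.png", "user_agent": C2_UA, "image": SVCHOST},
    {"type": "http_request", "host": "cdn-update-service.com", "path": "/beacon", "user_agent": C2_UA, "image": SVCHOST},
    {"type": "http_request", "host": "www.example.com", "path": "/", "user_agent": C2_UA, "image": CHROME},
    {"type": "mutex_created", "name": MUTEX, "image": SVCHOST},
    {"type": "registry_set", "key": RUN_KEY, "image": SVCHOST},
]
```

The browser allowlist matters: the same User-Agent sent by chrome.exe (event 3) produces no alert, while the identical string from svchost.exe does.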


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.