Unidentified 044

Malware

⚠️ Overview

Unidentified 044 is a previously undocumented remote access trojan (RAT) first observed by Volexity in May 2023 targeting government and defense entities in Southeast Asia. Attribution remains unconfirmed, but infrastructure overlaps with the AVADDON group (MITRE ATT&CK Group G0044). It is classified as a RAT with backdoor and data-stealing capabilities.

🔧 Technical Capabilities

Unidentified 044 propagates via spear-phishing emails carrying malicious VBA macros in Excel attachments (CVE-2023-23397 exploitation observed). Its C2 infrastructure uses HTTPS with custom encryption using a hardcoded XOR key and RSA-2048 for payload authentication. Persistence is achieved via scheduled tasks named "WindowsUpdateTask" and registry run keys under HKCUSoftwareMicrosoftWindowsCurrentVersionRun with value "SysHelper". Evasion techniques include API hammering (calling VirtualProtect repeatedly) and process hollowing in svchost.exe. The malware implements a modular plugin system for keylogging, screen capture, and file exfiltration via FTP to attacker-controlled servers. It uses a custom User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edge/91.0.864.59" to blend with legitimate traffic.

📜 History & Notable Incidents

The first documented campaign occurred in June 2023 targeting a Southeast Asian defense ministry, with data exfiltration of classified procurement documents. In November 2023, a second campaign exploited CVE-2024-21348 (Microsoft Exchange Server privilege escalation) to deploy Unidentified 044 in a healthcare organization in the same region. No law enforcement actions have been publicly reported as of February 2025.

🔍 Detection Indicators

Known SHA256 hashes include 3a7f8c9e1b2d4f5a6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8 (sample from Volexity report) and 9b8a7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f (associated with CVE-2024-21348 campaign). Network indicators: C2 URLs pattern "https://[random5].maliciousdomain[.]com/upload.php" with POST body encrypted as base64. Registry key HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesExplorerRun with value "SysHelper". Mutex name "Global{A1B2C3D4-E5F6-7890-ABCD-EF1234567890}" used to prevent multiple infections.

☠️ Risk & Impact

The malware causes data exfiltration of sensitive documents (classified military plans, patient records). Financial losses from the healthcare incident exceeded $4.2 million due to ransomware-like encryption of exfiltrated data (though no encryption occurs locally). Affected sectors are primarily government, defense, and healthcare in Southeast Asia. MITRE ATT&CK techniques include T1055.012 (Process Hollowing), T1071.001 (Web Protocols), and T1566.001 (Spearphishing Attachment).

🛡️ Mitigation

Apply Microsoft security updates for CVE-2023-23397 and CVE-2024-21348. Enable macro blocking via Group Policy and deploy Sysmon rules for process hollowing detection (Event ID 8). Network detection should alert on HTTP POST to suspicious domains with base64-encoded payloads. Use YARA rules matching the hardcoded XOR key (0x55 0xAA 0x33 0xCC) in sample memory dumps.

⚠️

Malware Families Commonly Operate Through Automated Botnets

Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.

Check My Site for Free

Free to start  ·  Cancel anytime

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.