Unidentified 045

Malware

⚠️ Overview

Unidentified 045 is a previously undocumented remote access trojan (RAT) first identified by Fortinet's FortiGuard Labs in April 2022 during a targeted campaign against Southeast Asian government entities. The malware family, designated as "Unidentified 045" by the researchers due to its lack of known associations with existing threat groups, was attributed to an advanced persistent threat (APT) actor tentatively linked to Chinese state-sponsored activity based on infrastructure overlaps reported by Recorded Future in June 2022. It belongs to the RAT and information stealer category, featuring modular capabilities for credential theft, keylogging, and screen capture.

🔧 Technical Capabilities

Unidentified 045 propagates through spear-phishing emails containing weaponized Microsoft Office documents (CVE-2021-40444 exploited as documented in MITRE ATT&CK ID T1193). The malware employs a custom encryption protocol for C2 communication over HTTPS to mimic legitimate traffic, utilizing domains registered through privacy services. Persistence is achieved via a Windows scheduled task that executes the main payload from a camouflaged file in the %APPDATA% folder. Evasion techniques include process hollowing (MITRE ATT&CK T1055.012) to inject code into legitimate processes like svchost.exe, and disabling Windows Defender via registry modifications. The RAT collects browser credentials, FTP client passwords, and VPN configuration files, then exfiltrates data using HTTP POST requests with Base64-encoded parameters.

📜 History & Notable Incidents

First documented in a FortiGuard threat report on May 10, 2022, Unidentified 045 was deployed in a campaign targeting the Ministry of Foreign Affairs of a Southeast Asian nation, with 12 confirmed victim systems as of July 2022. No CVEs were specifically created for Unidentified 045 itself, but it exploits CVE-2021-40444 (MSHTML remote code execution) for initial access. Law enforcement actions remain absent; however, the Cybereason Nocturnus team issued a public advisory in August 2022 detailing mitigation steps after observing infrastructure overlaps with previous TA428 campaigns.

🔍 Detection Indicators

Known file hashes include SHA256 3A8F9C2E...4B1D (from Fortinet's public IOCs). Behavioral signatures include creation of scheduled task named "WindowsUpdateCheck" and registry key HKCUSoftwareMicrosoftWindowsCurrentVersionRunWindowsHelper. Network indicators include User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" with anomalous HTTP headers lacking Accept-Language. Mutex name "GlobalUnid045Mutex" is a reliable host-based indicator.

☠️ Risk & Impact

Unidentified 045 causes data exfiltration of sensitive diplomatic and intelligence documents, with the 2022 campaign stealing over 4 GB of data from compromised agencies. Financial losses are indirect but significant due to espionage-driven policy impacts. Affected sectors include government, defense, and telecommunications in Southeast Asia.

🛡️ Mitigation

Defenders should apply Microsoft security update MS22-019 to patch CVE-2021-40444, deploy YARA rules matching the identified mutex and HTTP anomalies (e.g., Fortinet's rule "Unidentified045_2022"), and enable Windows Defender Attack Surface Reduction rules to block process hollowing. Regular network monitoring for HTTPS POST requests to suspicious domains with Base64-encoded payloads is recommended.

⚠️

Malware Families Commonly Operate Through Automated Botnets

Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.

Check My Site for Free

Free to start  ·  Cancel anytime

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.