Unidentified 047

Malware

⚠️ Overview

Unidentified 047 is a modular information stealer and remote access trojan (RAT) first documented in early 2023 by researchers at the SANS Internet Storm Center after it was observed targeting energy sector organizations in Eastern Europe. The malware is attributed to a suspected Russian-speaking threat group tracked as TA047, based on shared code overlaps with the RedLine Stealer family (MITRE ATT&CK: S0465). It functions as a credential theft tool capable of exfiltrating browser passwords, cryptocurrency wallets, and VPN configuration files.

🔧 Technical Capabilities

Unidentified 047 propagates via spear-phishing emails containing malicious ISO attachments that exploit CVE-2023-3639 (a Microsoft Office memory corruption vulnerability) to execute its payload. It establishes persistence via a scheduled task writing a registry run key at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\U047Svc. The malware uses a domain-generation algorithm (DGA) to contact its C2 infrastructure, with observed beacons to domains such as 047-upd-svc[.]com over HTTPS on port 443. Evasion techniques include API unhooking of ntdll.dll, process hollowing into legitimate processes like svchost.exe, and obfuscation of strings using XOR with a 0x47 key.

📜 History & Notable Incidents

The first confirmed campaign involving Unidentified 047 occurred in June 2023, targeting a Ukrainian municipal energy provider, leading to the theft of 1.2 GB of operational data. In October 2023, the Ukrainian CERT-UA (CSIRT-1112) published an advisory linking the malware to an intrusion at a European natural gas distribution hub. No law enforcement takedowns have been reported as of 2025.

🔍 Detection Indicators

Known SHA-256 hashes for samples include e3a0f8c4d1b2a9e7f6c5d4b3a2e1f0c9d8b7a6e5f4c3d2b1a0f9e8d7c6b5a4. Network indicators include HTTP POST requests to /build/update.php with a User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) U047/1.0. The mutex Global\U047Mtx is created upon execution to prevent multiple instances.
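The following is an added example, not code from the original profile or from any SANS or Boteraser tooling. It loads the indicators listed above into a small triage helper: hash IoCs are validated before use, and constructed proxy log lines are checked for the DGA domain, the POST path and the User-Agent string. The log line format, the sample log lines and the sample file contents are assumptions made for this example. Note that the hash as reproduced on this page is 62 hexadecimal characters, two short of a full SHA-256 digest, so the helper rejects it; the value should be re-checked against the original source before it is loaded into a detection platform.

```python
"""Added triage helper, not part of the original profile: checks constructed
proxy log lines and file hashes against the Unidentified 047 indicators
listed above. The log line format, the sample lines and the sample file
contents are assumptions made for this example."""
import hashlib
import re
from dataclasses import dataclass, field

# Indicators transcribed from the profile (the DGA domain is refanged below).
PAGE_SHA256 = "e3a0f8c4d1b2a9e7f6c5d4b3a2e1f0c9d8b7a6e5f4c3d2b1a0f9e8d7c6b5a4"
C2_POST_PATH = "/build/update.php"
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) U047/1.0"
C2_DOMAINS = {"047-upd-svc[.]com"}

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def valid_sha256(value: str) -> bool:
    """A SHA-256 digest is exactly 64 hex characters. Anything else can never
    match a real file, so a hash IoC is validated before it is loaded."""
    return SHA256_RE.match(value.strip().lower()) is not None


def refang(domain: str) -> str:
    """Turn a defanged indicator such as example[.]com back into a hostname."""
    return domain.replace("[.]", ".").lower()


# Assumed proxy log format: <ts> <client> <method> <host> <path> <status> "<ua>"
LOG_RE = re.compile(r'^(\S+) (\S+) ([A-Z]+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


@dataclass
class Hit:
    line_no: int
    host: str
    reasons: list = field(default_factory=list)


def scan_proxy_log(lines, domains=C2_DOMAINS):
    """Return one Hit per log line that matches any of the network indicators."""
    blocked = {refang(d) for d in domains}
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or unrelated line; do not abort the scan
        _ts, _client, method, host, path, _status, ua = m.groups()
        reasons = []
        if host.lower() in blocked:
            reasons.append("dga-domain")
        if method == "POST" and path == C2_POST_PATH:
            reasons.append("c2-post-path")
        if ua == C2_USER_AGENT:
            reasons.append("c2-user-agent")
        if reasons:
            hits.append(Hit(n, host, reasons))
    return hits


def load_hash_iocs(values):
    """Keep only well-formed SHA-256 values; return (accepted, rejected)."""
    accepted = {v.strip().lower() for v in values if valid_sha256(v)}
    rejected = [v for v in values if not valid_sha256(v)]
    return accepted, rejected


def file_hash_matches(data: bytes, known: set) -> bool:
    """True if the SHA-256 of the file contents is in the accepted IoC set."""
    return hashlib.sha256(data).hexdigest() in known


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '2023-06-14T08:01:02Z 10.0.0.12 GET www.example.org / 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2023-06-14T08:01:09Z 10.0.0.12 POST 047-upd-svc.com /build/update.php 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) U047/1.0"',
    '2023-06-14T08:01:15Z 10.0.0.31 POST cdn.example.net /build/update.php 404 "curl/8.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    accepted, rejected = load_hash_iocs([PAGE_SHA256])
    print(f"hash IoCs accepted={len(accepted)} rejected={rejected}")
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.host} -> {', '.join(hit.reasons)}")
```

Run as a script, the helper reports the page's hash as rejected, flags the second sample line on all three network indicators, and flags the third line on the POST path alone; a single weak indicator such as a path hit is worth a look but not an alert on its own, which is why the reasons are returned as a list rather than collapsed into one boolean.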

☠️ Risk & Impact

Unidentified 047 causes data exfiltration of sensitive credentials, leading to lateral movement and ransomware deployment in some incidents (per a 2024 Mandiant report). Financial losses from business email compromise (BEC) facilitated by stolen VPN credentials exceeded an estimated $7 million collectively. The energy and critical infrastructure sectors are most heavily impacted.

🛡️ Mitigation

Defenders should deploy YARA rules targeting the XOR obfuscation routine (e.g., rule Unidentified_047_Stealer from the SANS IOCs list) and block the DGA domains via DNS sinkholes. Apply the Microsoft patch for CVE-2023-3639 and enable AMSI scanning for process hollowing detection.
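As an added example, not code from the original profile or from the SANS rule it names, the helper below shows the analysis step behind a rule for the string obfuscation: it brute-forces the single-byte XOR key of a blob of obfuscated strings (the profile states the key is 0x47), then lists the decoded strings that a rule can anchor on. The obfuscated blob is constructed here from the indicators on this page; no real sample is involved.

```python
"""Added analysis helper, not part of the original profile: recovers the
single-byte XOR key used to obfuscate strings and lists the decoded strings.
The obfuscated blob is constructed for this example from the page's own
indicators, NUL-separated as C strings would be in a binary."""

XOR_KEY_FROM_PROFILE = 0x47  # the key stated in the Technical Capabilities section


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (its own inverse)."""
    return bytes(b ^ key for b in data)


def _looks_like_text(b: int) -> bool:
    # Printable ASCII, or a NUL separator between C strings.
    return b == 0x00 or 0x20 <= b <= 0x7E


def guess_xor_key(blob: bytes) -> int:
    """Score each of the 256 single-byte keys by how much of the decoded blob is
    printable ASCII or NUL. For a blob that mixes upper case, lower case, digits,
    spaces and NUL separators, the true key is the unique maximum: any other key
    turns at least one of those byte classes into control characters."""
    best_key, best_score = 0, -1
    for key in range(256):
        score = sum(_looks_like_text(b) for b in xor_bytes(blob, key))
        if score > best_score:
            best_key, best_score = key, score
    return best_key


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Same idea as the `strings` utility: runs of printable ASCII of min_len or more."""
    out, run = [], bytearray()
    for b in data + b"\x00":  # trailing sentinel flushes the final run
        if 0x20 <= b <= 0x7E:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


def recover_strings(blob: bytes, min_len: int = 6):
    """Guess the key, decode the blob and return (key, decoded strings)."""
    key = guess_xor_key(blob)
    return key, extract_strings(xor_bytes(blob, key), min_len)


# Constructed blob: the profile's indicators, NUL-separated, XORed with 0x47.
_PLAINTEXT = b"\x00".join([
    b"/build/update.php",
    b"Mozilla/5.0 (Windows NT 10.0; Win64; x64) U047/1.0",
    b"Global\\U047Mtx",
    b"047-upd-svc.com",
]) + b"\x00"
SAMPLE_BLOB = xor_bytes(_PLAINTEXT, XOR_KEY_FROM_PROFILE)

if __name__ == "__main__":
    key, found = recover_strings(SAMPLE_BLOB)
    print(f"recovered key: 0x{key:02x}")
    for s in found:
        print("  ", s)
```

The recovered plaintext strings are what a rule should match on rather than the raw obfuscated bytes, since a key change would otherwise silently break it; YARA's `xor` string modifier (for example `"update.php" xor(0x01-0xff)`) expresses exactly that, matching the string under every single-byte key, which is the page's own recommendation of targeting the obfuscation routine rather than one build.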


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.