Unidentified 067

Malware

⚠️ Overview

Unidentified 067 is a remote access trojan (RAT) first documented by the Australian Cyber Security Centre (ACSC) in June 2022, attributed to the state-sponsored threat group Earth Lusca (also tracked as TA420). It belongs to the backdoor malware category, designed for persistent remote control and data exfiltration targeting government and defense entities in the Indo-Pacific region.

🔧 Technical Capabilities

Unidentified 067 propagates via spear-phishing emails containing malicious Office documents exploiting CVE-2017-11882 (Equation Editor) to drop its payload. It establishes command-and-control (C2) over HTTPS using a custom encryption scheme that mimics legitimate TLS handshakes, evading network detection. Persistence is achieved via a scheduled task named WindowsUpdateTask and a registry Run key under HKLM\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include direct system call unhooking via the SysWhispers framework and sleep obfuscation to bypass sandbox analysis. The malware can enumerate processes, capture keystrokes, and upload arbitrary files to the C2 server, which uses dynamic domains hosted on bulletproof infrastructure in Eastern Europe.

📜 History & Notable Incidents

First seen in VirusTotal submissions from July 2022, Unidentified 067 was used in a major campaign between October 2022 and March 2023 targeting telecommunications providers in Pakistan and Sri Lanka, often alongside the PlugX backdoor. In one incident, over 50 GB of internal documents were exfiltrated from a South Asian telecom firm, leading to a CISA advisory (AA23-124A) that included MITRE ATT&CK technique T1059.003 (Windows Command Shell). No arrests or takedowns have been publicly reported as of 2025.

🔍 Detection Indicators

Known SHA256 hashes from the ACSC report include 3a4f5c8e2b1d9a7c6f0e5d4b3a2c1f0e9d8c7b6a5f4e3d2c1b0a9f8e7d6c5b4a. Behavioral signatures include outbound HTTPS to the IP range 5.61.36.0/24 and the mutex Global\U067Mutex. Network IOCs feature a static User-Agent string, Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36, and C2 domains ending in .xyz or .top.

☠️ Risk & Impact

This malware causes large-scale data exfiltration of credentials, intellectual property, and infrastructure blueprints, with estimated financial losses exceeding $10 million per affected organization due to incident response and remediation. The primary affected sectors are government, defense, and telecommunications in the Indo-Pacific, with secondary impacts on allied logistics and supply chains.

🛡️ Mitigation

Defenders should block Office documents exploiting CVE-2017-11882, deploy YARA rules for Unidentified 067 payloads from the ACSC Threat Report 2023 (reference ACSC-2023-067), and monitor for the scheduled task WindowsUpdateTask and the specific User-Agent string. Endpoint detection rules for direct system call unhooking are recommended to detect SysWhispers usage.
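As an added example (not from the ACSC report or this page), the following Python triage routine applies the indicators listed under Detection Indicators and Mitigation to normalised telemetry events. The event dictionary layout, the field names, and the sample events are constructed assumptions, not a real log format; adapt the field mapping to your own proxy and endpoint telemetry.

```python
import ipaddress
# Indicators quoted on this page; the sample events below are constructed, not real telemetry.
C2_RANGE = ipaddress.ip_network("5.61.36.0/24")
C2_TLDS = (".xyz", ".top")
UA_STRING = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36")
TASK_NAME = "WindowsUpdateTask"
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
MUTEX = r"Global\U067Mutex"

def check_event(event: dict) -> list[str]:
    """Return the indicator names matched by one normalised telemetry event."""
    hits = []
    kind = event.get("type")
    if kind == "proxy":
        if event.get("user_agent") == UA_STRING:
            hits.append("static-user-agent")
        if event.get("dst_host", "").lower().endswith(C2_TLDS):
            hits.append("c2-tld")
        try:
            if ipaddress.ip_address(event.get("dst_ip", "")) in C2_RANGE:
                hits.append("c2-ip-range")
        except ValueError:  # missing or malformed address: no range match
            pass
    elif kind == "task_create" and event.get("task_name") == TASK_NAME:
        hits.append("scheduled-task")
    elif kind == "registry_set":
        # Registry paths are case-insensitive; match the Run key and any value written under it.
        if event.get("key", "").lower().startswith(RUN_KEY.lower()):
            hits.append("run-key")
    elif kind == "mutex_create" and event.get("name") == MUTEX:
        hits.append("mutex")
    return hits

def severity(hits: list[str]) -> str:
    # The Chrome/91 User-Agent also appears in benign traffic, so alone it is only low confidence.
    return "low" if hits == ["static-user-agent"] else "high"

def scan(events: list[dict]) -> list[tuple[int, str, list[str]]]:
    """Return (index, severity, hits) for every event that matched at least one indicator."""
    return [(i, severity(h), h) for i, e in enumerate(events) if (h := check_event(e))]

SAMPLE_EVENTS = [  # constructed, in the shape check_event() expects
    {"type": "proxy", "dst_host": "cdn-update.xyz", "dst_ip": "5.61.36.17", "user_agent": UA_STRING},
    {"type": "proxy", "dst_host": "www.example.com", "dst_ip": "93.184.216.34", "user_agent": UA_STRING},
    {"type": "task_create", "task_name": TASK_NAME},
    {"type": "registry_set", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "mutex_create", "name": MUTEX},
    {"type": "task_create", "task_name": "OneDrive Standalone Update Task"},
]
```

Calling scan(SAMPLE_EVENTS) flags the first five events; the second one is reported as low severity because only the User-Agent matched.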


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.