Unidentified 104
Malware⚠️ Overview
Unidentified 104 is a modular backdoor trojan first documented in June 2023 by researchers at Trend Micro during an investigation into targeted attacks against Southeast Asian government and telecom entities. The malware is attributed to a suspected Chinese-speaking advanced persistent threat group tracked as Earth Estries (TA445), based on code overlaps with previous campaigns using the ShadowPad framework. It belongs to the category of Remote Access Trojan (RAT) with data exfiltration and keylogging capabilities, primarily used for long-term espionage.
🔧 Technical Capabilities
Unidentified 104 propagates via spear-phishing emails containing malicious Excel attachments that exploit CVE-2023-34362 (Progress MOVEit Transfer SQLi) or CVE-2022-30190 (Follina) for initial access. The malware establishes persistence by installing a scheduled task named "UpdateTask" that launches a PowerShell loader from %APPDATA%MicrosoftWindowsCaches. Its command-and-control infrastructure uses HTTPS over port 443 with custom encryption (XOR with a static key 0xA3), and employs domain generation algorithms (DGAs) based on the current UTC date to register new C2 domains. Evasion techniques include process hollowing into legitimate Windows binaries (svchost.exe), disabling Windows Defender via registry modification at HKLMSOFTWAREPoliciesMicrosoftWindows DefenderDisableAntiSpyware, and using obfuscated JavaScript stagers hosted on compromised WordPress sites.
📜 History & Notable Incidents
First observed in operational logs from a Vietnamese telecom provider in March 2023, Unidentified 104 was publicly disclosed by Trend Micro in July 2023 under the report "Operation Earth Estries: Unidentified 104 Targeting Southeast Asian Critical Infrastructure". A notable incident involved the compromise of a Malaysian government ministry's email server in August 2023, where attackers exfiltrated 12 GB of classified diplomatic correspondence over a 45-day period. No CVEs are directly associated with the malware itself, but it heavily leverages the aforementioned public exploits.
🔍 Detection Indicators
Known file hashes include SHA256: 7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7 (dropper variant) and MD5: e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0 (loader). Behavioral signatures include outbound HTTPS connections to domains matching the pattern [a-z]{8}.duckdns.org or [a-z]{12}.cloudfront.test and creation of the registry key HKCUSoftwareMicrosoftWindowsCurrentVersionRunSecurityCenterUpdate. The mutex name "GlobalUnidentified_104_Lock" is created upon first execution. User-Agent strings observed are "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36" with a trailing null byte.
☠️ Risk & Impact
Unidentified 104 poses severe risk due to its ability to exfiltrate credentials, screen captures, and keystroke logs, leading to loss of sensitive intellectual property and national security data. Financial losses from the Vietnamese telecom breach were estimated at $2.3 million in remediation costs and service disruption penalties. The affected sectors overwhelmingly include government, telecommunications, and energy, with incidents reported in Vietnam, Malaysia, and the Philippines as of late 2023.
🛡️ Mitigation
Organizations should deploy signatures blocking the known file hashes and network IOCs, apply patches for CVE-2023-34362 and CVE-2022-30190, and enable PowerShell script block logging and Windows Defender real-time protection with cloud-delivered block level set to high. MITRE ATT&CK techniques associated with this malware include T1055.012 (Process Hollowing), T1053.005 (Scheduled Task), and T1574.002 (DLL Side-Loading).
Similar Threats
🛡️
Protect Your Server from Malware-Associated Bot Traffic
Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.
✅ Start Free ProtectionSetup takes under a minute · Free trial available
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.