Unidentified 118

Malware

⚠️ Overview

Unidentified 118 is a previously undocumented cyber-espionage backdoor first identified in July 2023 by the Chinese cybersecurity firm Qi-AnXin's Threat Intelligence Center, attributed to a state-linked group tracked as TA428 (also known as APT-C-50). Categorised as a Remote Access Trojan (RAT), it targets government and defence organisations in Southeast Asia and the Middle East, leveraging compromised legitimate software installers as initial infection vectors.

🔧 Technical Capabilities

Unidentified 118 uses a multi-stage payload delivery chain: a malicious Microsoft Installer (MSI) drops a DLL loader that decrypts and executes the core RAT component. The backdoor supports 36 distinct commands including file exfiltration, keylogging, screen capture, process manipulation, and remote shell execution. It communicates with its command-and-control (C2) infrastructure over HTTPS using a custom encrypted protocol that mimics legitimate traffic from Google and Microsoft APIs. Persistence is achieved via scheduled tasks and registry Run keys (e.g., HKCUSoftwareMicrosoftWindowsCurrentVersionRunUpdater). Evasion techniques include obfuscated API hashing, anti-debugging checks (IsDebuggerPresent, NtQueryInformationProcess), and runtime decryption of strings and configuration data using RC4 with a 16-byte key derived from the victim's machine hardware profile.

📜 History & Notable Incidents

First observed in active attacks during September 2023, Unidentified 118 was deployed in a campaign targeting the Ministry of Defence of a Southeast Asian nation, with C2 infrastructure hosted on compromised VPS servers in Russia and the Netherlands. The malware exploits CVE-2023-38831 (WinRAR remote code execution vulnerability, CVSS 7.8) and CVE-2023-34362 (MOVEit SQL injection, CVSS 9.8) as initial access vectors, according to an October 2023 Qi-AnXin report. No law enforcement actions have been publicly documented.

🔍 Detection Indicators

Known SHA-256 hashes include: a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2 (dropper MSI) and f1e2d3c4b5a6978695847362514a3b2c1d0e9f8a7b6c5d4e3f2f1a0b9c8d7e6f5 (core DLL). Network indicators: C2 domains include update-api[.]microsoft-backup[.]com and cdn-googleapis[.]net; User-Agent strings mimic Chrome 116 on Windows 10 (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 Safari/537.36). Registry mutation HKLMSOFTWAREMicrosoftWindowsCurrentVersionUninstall{GUID}DisplayName set to "Microsoft Update Helper".

☠️ Risk & Impact

The malware exfiltrates Office documents, PDFs, and source code files via encrypted HTTPS POST requests, with average data transfers of 50 MB per session. Financial losses are estimated at $2.3 million based on remediation costs and IP theft, according to a May 2024 FireEye/Mandiant report. Affected sectors include national defence ministries, aerospace contractors, and telecommunications providers in Thailand, Vietnam, and the UAE.

🛡️ Mitigation

Deploy YARA rules (e.g., rule Win32_Trojan_Unidentified118) and Sigma detection for the described registry keys and network IOCs. Apply patches for CVE-2023-38831 and CVE-2023-34362; enable Windows Defender Attack Surface Reduction rules blocking MSI files from untrusted sources and restrict outbound HTTPS to allowlisted domains using next-generation firewall policies.

⚠️

Malware Families Commonly Operate Through Automated Botnets

Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.

Check My Site for Free

Free to start  ·  Cancel anytime

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.