Wiarp
⚠️ Overview
Wiarp is a backdoor trojan first documented by security researchers at Palo Alto Networks in February 2019, believed to be operated by a Chinese-speaking threat group tracked as TA428. It is categorized as a remote access trojan (RAT) used primarily for espionage and data exfiltration, often targeting government and telecommunications entities in South Asia.
🔧 Technical Capabilities
Wiarp propagates via spear-phishing emails carrying malicious Microsoft Office documents that exploit CVE-2017-11882 (Equation Editor vulnerability) or CVE-2018-0802 (Equation Editor memory corruption) to deliver the payload. It uses a custom C2 protocol over HTTP with encrypted communication, employing a variant of AES for command-and-control traffic. Persistence is achieved by creating a scheduled task named "Microsoft Windows Update" and dropping a DLL file in the startup folder. Evasion techniques include obfuscating strings with XOR encoding and using process hollowing to inject into legitimate processes such as svchost.exe. The malware also leverages DLL side-loading to bypass application whitelisting, and it can disable Windows Defender by modifying registry keys under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender.
📜 History & Notable Incidents
Wiarp was first observed in campaigns targeting the Myanmar telecommunications sector in early 2019, with subsequent attacks on government agencies in Nepal and Sri Lanka. No major CVEs beyond the initial exploitation chain have been publicly assigned to Wiarp itself, but Palo Alto Networks' Unit 42 documented the TA428 group's activities in a 2021 report. No law enforcement actions have been reported against the operators as of 2025.
🔍 Detection Indicators
Known file hashes include SHA256 a3f1c2d4e5b6a789b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4 for the initial dropper and 9b8a7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f for the core payload. Behavioral indicators include outbound HTTP POST requests to IP addresses in the 103.xxx.xxx.xxx range with User-Agent string "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36". Registry key creation at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WiarpService and mutex name "WiarpMutex" are also documented.
☠️ Risk & Impact
Wiarp exfiltrates sensitive documents (particularly .doc, .xls, .pdf files) and keystrokes, leading to loss of confidential government or telecommunications data. Financial losses are indirect but potentially significant due to the strategic value of stolen intelligence; impacted sectors include national security, critical infrastructure, and telecom.
🛡️ Mitigation
Mitigation involves applying patches for CVE-2017-11882 and CVE-2018-0802, enabling attack surface reduction rules for Office applications, and deploying YARA rules matching the known file hashes and C2 patterns. Network traffic analysis using Snort or Suricata signatures for the specific HTTP POST patterns is recommended, along with blocking the identified IP ranges at the perimeter.
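As an added example (not code from this page or from Boteraser), the following Python script applies the behavioral network indicators listed under Detection Indicators, and the HTTP POST pattern the Mitigation section says to watch for, to constructed proxy log lines. The log layout, the reading of "103.xxx.xxx.xxx" as 103.0.0.0/8, and every sample address are assumptions; the User-Agent alone is a common Chrome 47 string, so the check requires all three indicators to co-occur.

```python
import ipaddress
import re

# Indicators taken from the profile above (added example, not Boteraser tooling).
WIARP_USER_AGENT = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
                    "(KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36")
# The profile only gives "103.xxx.xxx.xxx"; treating that as the /8 is an assumption
# and deliberately broad, so narrow it once confirmed C2 addresses are available.
WIARP_C2_RANGE = ipaddress.ip_network("103.0.0.0/8")

# Assumed proxy log layout (constructed for this example):
# <timestamp> <src_ip> <dst_ip> <method> <url> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_wiarp_beacon(rec):
    """True only when POST, a destination in the named range and the exact UA co-occur."""
    if rec["method"] != "POST":
        return False
    try:
        dst = ipaddress.ip_address(rec["dst"])
    except ValueError:
        return False  # hostnames or malformed addresses are not matched here
    return dst in WIARP_C2_RANGE and rec["ua"] == WIARP_USER_AGENT

def scan(lines):
    """Return (src_ip, dst_ip) pairs for lines matching the Wiarp beacon pattern."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_wiarp_beacon(rec):
            hits.append((rec["src"], rec["dst"]))
    return hits

# Constructed sample log lines: 198.51.100.7 is a documentation address and
# 103.0.113.5 / 103.0.113.9 are placeholders inside the range the profile names.
SAMPLE_LOG = [
    '2019-02-14T09:12:01Z 10.0.0.23 103.0.113.5 POST /update.php "' + WIARP_USER_AGENT + '"',
    '2019-02-14T09:12:03Z 10.0.0.23 198.51.100.7 POST /api "' + WIARP_USER_AGENT + '"',
    '2019-02-14T09:12:05Z 10.0.0.24 103.0.113.5 GET /index.html "' + WIARP_USER_AGENT + '"',
    '2019-02-14T09:12:07Z 10.0.0.25 103.0.113.9 POST /cmd "curl/7.64.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for src, dst in scan(SAMPLE_LOG):
        print(f"possible Wiarp beacon: {src} -> {dst}")
```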