BackConfig

BackConfig is a custom Trojan with a flexible plugin architecture that has been used by Patchwork.[1]

ID: S0475
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 17 June 2020
Last Modified: 29 June 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

BackConfig has the ability to use HTTPS for C2 communiations.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

BackConfig can download and run batch files to execute commands on a compromised host.[1]

.005 Command and Scripting Interpreter: Visual Basic

BackConfig has used VBS to install its downloader component and malicious documents with VBA macro code.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

BackConfig has used a custom routine to decrypt strings.[1]

Enterprise T1083 File and Directory Discovery

BackConfig has the ability to identify folders and files related to previous infections.[1]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

BackConfig has the ability to set folders or files to be hidden from the Windows Explorer default view.[1]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

BackConfig has the ability to remove files and folders related to previous infections.[1]

Enterprise T1105 Ingress Tool Transfer

BackConfig can download and execute additional payloads on a compromised host.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

BackConfig has hidden malicious payloads in %USERPROFILE%\Adobe\Driver\dwg\ and mimicked the legitimate DHCP service binary.[1]

Enterprise T1106 Native API

BackConfig can leverage API functions such as ShellExecuteA and HttpOpenRequestA in the process of downloading and executing files.[1]

Enterprise T1027 Obfuscated Files or Information

BackConfig has used compressed and decimal encoded VBS scripts.[1]

Enterprise T1137 .001 Office Application Startup: Office Template Macros

BackConfig has the ability to use hidden columns in Excel spreadsheets to store executable files or commands for VBA macros.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

BackConfig has the ability to use scheduled tasks to repeatedly execute malicious payloads on a compromised host.[1]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

BackConfig has been signed with self signed digital certificates mimicking a legitimate software company.[1]

Enterprise T1082 System Information Discovery

BackConfig has the ability to gather the victim's computer name.[1]

Enterprise T1204 .001 User Execution: Malicious Link

BackConfig has compromised victims via links to URLs hosting malicious content.[1]

Groups That Use This Software

ID Name References
G0040 Patchwork

[1]

References