1. Home
  2. Software
  3. BackConfig

BackConfig

BackConfig is a custom Trojan with a flexible plugin architecture that has been used by Patchwork.[1]

ID: S0475
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 17 June 2020
Last Modified: 22 March 2023
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1036 .005 伪装: Match Legitimate Name or Location

BackConfig has hidden malicious payloads in %USERPROFILE%\Adobe\Driver\dwg\ and mimicked the legitimate DHCP service binary.[1]
Enterprise T1137 .001 办公应用启动: Office Template Macros

BackConfig has the ability to use hidden columns in Excel spreadsheets to store executable files or commands for VBA macros.[1]
Enterprise T1140 反混淆/解码文件或信息

BackConfig has used a custom routine to decrypt strings.[1]
Enterprise T1059 .003 命令与脚本解释器: Windows Command Shell

BackConfig can download and run batch files to execute commands on a compromised host.[1]
.005 命令与脚本解释器: Visual Basic

BackConfig has used VBS to install its downloader component and malicious documents with VBA macro code.[1]
Enterprise T1071 .001 应用层协议: Web Protocols

BackConfig has the ability to use HTTPS for C2 communiations.[1]
Enterprise T1083 文件和目录发现

BackConfig has the ability to identify folders and files related to previous infections.[1]

Enterprise T1106 本机API

BackConfig can leverage API functions such as ShellExecuteA and HttpOpenRequestA in the process of downloading and executing files.[1]
Enterprise T1027 .010 混淆文件或信息: Command Obfuscation

BackConfig has used compressed and decimal encoded VBS scripts.[1]
Enterprise T1204 .001 用户执行: Malicious Link

BackConfig has compromised victims via links to URLs hosting malicious content.[1]
Enterprise T1070 .004 移除指标: File Deletion

BackConfig has the ability to remove files and folders related to previous infections.[1]
Enterprise T1082 系统信息发现

BackConfig has the ability to gather the victim's computer name.[1]
Enterprise T1105 输入工具传输

BackConfig can download and execute additional payloads on a compromised host.[1]
Enterprise T1564 .001 隐藏伪装: Hidden Files and Directories

BackConfig has the ability to set folders or files to be hidden from the Windows Explorer default view.[1]
Enterprise T1053 .005 预定任务/作业: Scheduled Task

BackConfig has the ability to use scheduled tasks to repeatedly execute malicious payloads on a compromised host.[1]
Enterprise T1553 .002 颠覆信任控制: Code Signing

BackConfig has been signed with self signed digital certificates mimicking a legitimate software company.[1]

Groups That Use This Software

ID Name References
G0040 Patchwork

[1]

References

  1. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.