BackConfig

By GoldSparrow in Malware

The BackConfig malware is a hacking tool that is deployed mainly against high-value targets in the South East Asian region. This threat is very complex – its authors likely spent a fair bit of time building and perfecting it. The BackConfig malware has advanced anti-debugging features, as well as an elaborate modular structure. According to researchers, the BackConfig threat was developed by the Patchwork APT (Advanced Persistent Threat), a hacking group that is believed to originate from India and is also known as MONSOON, Dropping Elephants, Neon, Chinastrats, Viceroy Tiger and Operation Hangover. Most of the attacks carried out by the Patchwork APT target high-profile organizations and individuals that the Indian government takes an interest in.

In one of the most recent attacks that involved the BackConfig malware, the infection vector was corrupted Microsoft Excel files. The files in question were hosted on reputable Web pages that had been breached by the Patchwork APT. Because the corrupted files carrying the BackConfig payload were hosted on genuine websites, users are far more likely to remain oblivious to the attack. Once a user opens one of the weaponized Microsoft Excel files, BackConfig is deployed on their system. However, before the BackConfig malware plants itself on the targeted host, it checks for the presence of malware debugging software and for certain settings that may indicate it is running in a sandbox environment. This helps the BackConfig malware avoid running on a system used for malware analysis, which makes it far more difficult for cybersecurity experts to dissect and study the threat.

If the BackConfig threat determines that it is running on a regular system rather than in a sandbox environment, it proceeds with the attack as intended. The BackConfig malware is able to execute remote commands received from the attackers' C&C (Command & Control) server. The BackConfig threat is also capable of altering the settings of the compromised system.

The Patchwork APT has been working hard on the BackConfig malware and introduced the previously mentioned anti-debugging techniques only recently. This shows that the Patchwork hacking group does not intend to abandon this project any time soon, and we will likely continue to see more victims of the BackConfig malware. Do not neglect the safety of your system, and make sure to protect it with the help of a trustworthy cybersecurity utility.
