MarsSnake Backdoor
Infosec experts have recently revealed the tactics of a China-aligned hacking group known as UnsolicitedBooker. This threat actor targeted an unnamed international organization in Saudi Arabia using a previously unknown backdoor called MarsSnake. Their activity spans multiple years, showing a sustained interest in this particular target.
Spear-Phishing with a Twist: Flight Tickets as Bait
The group's infiltration method relies heavily on spear-phishing emails. These emails often use flight tickets as decoys to lure victims into opening malicious attachments. Targets are primarily governmental organizations across Asia, Africa and the Middle East. The use of flight-related lures makes the phishing attempts particularly convincing and tailored to the recipient.
Known Malware Arsenal and Overlapping Identities
UnsolicitedBooker's attacks are marked by the deployment of several well-known backdoors, including:
- Chinoxy
- DeedRAT
- Poison Ivy
- BeRAT
These malware tools are commonly linked to Chinese cyber-espionage groups. Moreover, UnsolicitedBooker shares characteristics with another cluster named Space Pirates and an unidentified group that used a backdoor called Zardoor against an Islamic non-profit in Saudi Arabia.
Latest Campaign Breakdown: The MarsSnake Backdoor Deployment
The most recent campaign, dated January 2025, targeted the same Saudi Arabian organization. The attack involved a phishing email impersonating Saudia Airlines with a flight booking attachment. Key details include:
- The attachment: A Microsoft Word document disguised as a flight ticket
- Origin of the decoy ticket: Modified from a publicly available PDF on the Academia research-sharing website
- Infection process: Opening the Word document triggers a VBA macro that writes an executable file (smssdrvhost.exe) to the victim's system
- Function of the executable: Acts as a loader for MarsSnake, the newly discovered backdoor
- Communication: MarsSnake connects to a remote server (contact.decenttoy.top) to receive commands
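The infection chain above gives a defender two concrete hunting pivots: Microsoft Word writing or launching smssdrvhost.exe, and any process resolving contact.decenttoy.top. The script below is an added example (not from the original article or from the researchers who reported MarsSnake) that runs those checks over constructed endpoint telemetry; the telemetry records, the field names and the assumption that Word's image name is winword.exe are all mine.

```python
"""Hunt for the MarsSnake delivery chain in constructed endpoint telemetry."""
from collections import defaultdict

# Indicators taken from the article
DROPPED_BINARY = "smssdrvhost.exe"
C2_DOMAIN = "contact.decenttoy.top"
OFFICE_PARENTS = {"winword.exe"}  # assumption: image name of Microsoft Word

# Constructed sample events (not real logs); field names are assumptions
SAMPLE_EVENTS = [
    {"host": "WS-017", "type": "file_write", "process": "WINWORD.EXE",
     "path": r"C:\Users\a\AppData\Local\Temp\smssdrvhost.exe"},
    {"host": "WS-017", "type": "process_create", "parent": "WINWORD.EXE",
     "image": r"C:\Users\a\AppData\Local\Temp\smssdrvhost.exe"},
    {"host": "WS-017", "type": "dns_query", "process": "smssdrvhost.exe",
     "query": "Contact.DecentToy.top."},
    {"host": "WS-042", "type": "process_create", "parent": "explorer.exe",
     "image": r"C:\Program Files\Tool\tool.exe"},
    {"host": "WS-042", "type": "dns_query", "process": "chrome.exe",
     "query": "www.example.com"},
]


def basename(path):
    """Case-folded file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return an indicator tag for a single event, or None if it is benign."""
    t = event["type"]
    if (t == "file_write" and basename(event["path"]) == DROPPED_BINARY
            and basename(event["process"]) in OFFICE_PARENTS):
        return "office_wrote_dropper"      # macro dropping the loader
    if t == "process_create" and basename(event["image"]) == DROPPED_BINARY:
        return "dropper_executed"          # loader started, any parent
    if t == "dns_query" and event["query"].lower().rstrip(".") == C2_DOMAIN:
        return "c2_lookup"                 # beacon to the C&C domain
    return None


def hunt(events):
    """Group indicator tags per host so the chain can be judged as a whole."""
    findings = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            findings[ev["host"]].add(tag)
    return {host: sorted(tags) for host, tags in findings.items()}


def severity(tags):
    """Loader activity plus a C2 lookup on one host is the full chain."""
    loader = {"office_wrote_dropper", "dropper_executed"} & set(tags)
    return "high" if loader and "c2_lookup" in tags else "medium"
```

Hosts that show only a DNS lookup still deserve a look, since the article notes the same organization was targeted repeatedly across 2023, 2024 and 2025.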
Repeated intrusion attempts in 2023, 2024, and 2025 highlight UnsolicitedBooker's focused campaign against this organization.
MarsSnake: A Powerful Tool in UnsolicitedBooker’s Arsenal
MarsSnake is a fully featured backdoor that gives attackers significant control over infected machines. It enables the execution of arbitrary commands and unrestricted file read/write access. The backdoor maintains contact with a command-and-control (C&C) server to receive instructions. So far, MarsSnake appears to be exclusively used by UnsolicitedBooker, marking it as a signature tool of this threat actor.