Skip to content
- Can infect air gapped networks using USBs
- First attacks observed in 2005
- Used the same few tools to target many organizations across Southeast Asia
Systematic Malware Development
- Each backdoor has a version number. If less than reference number, then automatically update malware.
- Malware authors work in shifts and in teams
- Malware is modular and has been modified over time to create variants.
- 2 main branches of BACKSPACE backdoor, each with a different set of commands.
Two Stage C2
- Backdoors are hardcoded with initial set of C2 domains
- By default, infected endpoints cannot be accessed interactively
- Only endpoints asked to connect to second stage C2 can connect to second stage C2
- Infected endpoints who connect to second stage C2 can be accessed interactively
- This setup helps obfuscate the threat actor's important C2 beacons