ATT&CK v16 has been released! Check out the blog post for more information.

BackConfig

BackConfig is a custom Trojan with a flexible plugin architecture that has been used by Patchwork.^[1]

ID: S0475

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 17 June 2020

Last Modified: 22 March 2023

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	BackConfig has the ability to use HTTPS for C2 communiations.^[1]
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	BackConfig can download and run batch files to execute commands on a compromised host.^[1]
		.005	Command and Scripting Interpreter: Visual Basic	BackConfig has used VBS to install its downloader component and malicious documents with VBA macro code.^[1]
Enterprise	T1140		Deobfuscate/Decode Files or Information	BackConfig has used a custom routine to decrypt strings.^[1]
Enterprise	T1083		File and Directory Discovery	BackConfig has the ability to identify folders and files related to previous infections.^[1]
Enterprise	T1564	.001	Hide Artifacts: Hidden Files and Directories	BackConfig has the ability to set folders or files to be hidden from the Windows Explorer default view.^[1]
Enterprise	T1070	.004	Indicator Removal: File Deletion	BackConfig has the ability to remove files and folders related to previous infections.^[1]
Enterprise	T1105		Ingress Tool Transfer	BackConfig can download and execute additional payloads on a compromised host.^[1]
Enterprise	T1036	.005	Masquerading: Match Legitimate Name or Location	BackConfig has hidden malicious payloads in `%USERPROFILE%\Adobe\Driver\dwg\` and mimicked the legitimate DHCP service binary.^[1]
Enterprise	T1106		Native API	BackConfig can leverage API functions such as `ShellExecuteA` and `HttpOpenRequestA` in the process of downloading and executing files.^[1]
Enterprise	T1027	.010	Obfuscated Files or Information: Command Obfuscation	BackConfig has used compressed and decimal encoded VBS scripts.^[1]
Enterprise	T1137	.001	Office Application Startup: Office Template Macros	BackConfig has the ability to use hidden columns in Excel spreadsheets to store executable files or commands for VBA macros.^[1]
Enterprise	T1053	.005	Scheduled Task/Job: Scheduled Task	BackConfig has the ability to use scheduled tasks to repeatedly execute malicious payloads on a compromised host.^[1]
Enterprise	T1553	.002	Subvert Trust Controls: Code Signing	BackConfig has been signed with self signed digital certificates mimicking a legitimate software company.^[1]
Enterprise	T1082		System Information Discovery	BackConfig has the ability to gather the victim's computer name.^[1]
Enterprise	T1204	.001	User Execution: Malicious Link	BackConfig has compromised victims via links to URLs hosting malicious content.^[1]

Groups That Use This Software

ID	Name	References
G0040	Patchwork	^[1]

References

Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.