Software
ID S0128
Type Malware

BADNEWS is malware that has been used by the actors responsible for the MONSOON campaign. It was named for its use of RSS feeds, forums, and blogs for command and control.1

## Techniques Used

• Web Service - BADNEWS can use multiple C2 channels, including RSS feeds, GitHub, forums, and blogs.1
• Data Obfuscation - After encrypting C2 data, BADNEWS converts it into a hexadecimal representation and then encodes it into base64.1
• Process Hollowing - BADNEWS has a command to download an .exe and use process hollowing to inject it into a new process.1
• Screen Capture - BADNEWS has a command to take a screenshot and send it to the C2 server.1
• Input Capture - When it first starts, BADNEWS spawns a new thread to log keystrokes.1
• Data from Local System - When it first starts, BADNEWS crawls the victim's local drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt.1
• Data from Network Shared Drive - When it first starts, BADNEWS crawls the victim's mapped drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt.1
• Data Staged - BADNEWS copies documents under 15MB found on the victim system to the user's %temp%\SMB\ folder.1
• Peripheral Device Discovery - BADNEWS checks for new drives attached to the victim system, such as USB devices, by listening for the WM_DEVICECHANGE window message.1
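
The Data Obfuscation entry above describes a two-layer wrapper around the encrypted C2 data (hex, then base64). The following analyst helper, added here as an example and not code from the ATT&CK page or from the malware, peels those two outer layers back to the ciphertext and flags capture lines that fit the pattern; the payload format of the sample lines and the byte values are constructed for the example.

```python
import base64
import binascii
import string

HEX_DIGITS = frozenset(string.hexdigits)


def peel_badnews_layers(blob: str):
    """Reverse the two outer layers described for BADNEWS C2 data:
    base64 -> ASCII hex -> payload bytes (still encrypted; key not covered here).
    Returns the ciphertext bytes, or None if the blob does not fit the pattern."""
    try:
        inner = base64.b64decode(blob, validate=True)
        hex_text = inner.decode("ascii")
    except (binascii.Error, ValueError):  # bad base64 alphabet/padding, or non-ASCII inner data
        return None
    # The inner layer must be a non-empty, even-length string made only of hex digits.
    if not hex_text or len(hex_text) % 2 or not set(hex_text) <= HEX_DIGITS:
        return None
    return bytes.fromhex(hex_text)


def triage_capture(lines):
    """Flag capture lines whose last field matches the base64(hex(...)) layering.
    Returns (line_number, ciphertext_length) pairs; ordinary base64 is not flagged.
    Heuristic only: a short inner string can happen to consist of hex digits."""
    hits = []
    for n, line in enumerate(lines, start=1):
        body = line.split()[-1]  # constructed log format: payload is the last field
        ct = peel_badnews_layers(body)
        if ct is not None:
            hits.append((n, len(ct)))
    return hits


# Constructed sample values (not taken from any real BADNEWS traffic).
SAMPLE_CIPHERTEXT = bytes([0x8A, 0x13, 0xF7, 0x00, 0x4C, 0xD9, 0x21, 0xBE])
SAMPLE_BLOB = base64.b64encode(SAMPLE_CIPHERTEXT.hex().encode("ascii")).decode("ascii")
PLAIN_B64 = base64.b64encode(b"hello world").decode("ascii")  # plain base64, no hex layer

SAMPLE_LINES = [
    "2019-01-01T10:00:00 GET /feed.rss " + PLAIN_B64,
    "2019-01-01T10:00:05 POST /comment " + SAMPLE_BLOB,
]

if __name__ == "__main__":
    print(triage_capture(SAMPLE_LINES))  # [(2, 8)]
```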

## Groups

The following groups use this software: