
BACKBEND

Posted: April 18, 2019

BACKBEND is a Trojan downloader that infects systems in order to retrieve and install other threats with more specific features. Typically, attackers use this Trojan to create backdoors or to collect information. Its campaigns tend to target Asian regions and to compromise removable devices, although conventional anti-malware tools should have no difficulty finding and removing BACKBEND infections.

Trojans Bending Backwards to Get What They Want

The group of threat actors known informally as APT30 (APT being an abbreviation of 'Advanced Persistent Threat') is gaining significant notoriety for the frequency of its well-maintained attacks and for its capability to compromise hardware that is normally out of reach. However, many of its tools still follow the established norms of black hat software development, such as relying on malicious downloaders. BACKBEND is one of several threats that the group employs for this purpose, along with CREAMSICLE and GEMCUTTER.

Currently, its attacks follow a standard operating procedure, as follows:

  • The target exposes either a work or home system with Internet access to an e-mail phishing lure, which APT30 crafts with contents themed appropriately for the business or government worker who receives it. This lure contains a Trojan dropper, such as ORANGEADE or MILKMAID.
  • The Trojan dropper 'drops' BACKBEND or another Trojan downloader, which, by being installed in this way, may avoid detection.
  • BACKBEND downloads and installs the more specific threats, such as the FLASHFLOOD spyware or backdoor Trojans like NETEAGLE.
  • Besides compromising the security of the initially infected system, this last payload may include SHIPSHAPE and other worms. These threats create copies of themselves and spread onto removable devices in order to infect any other computer that shares them, including computers on 'air-gapped' networks.

Although BACKBEND could download and install nearly any threatening software, malware experts connect APT30's use of it with attacks that collect passwords and other confidential data, or that create backdoors giving the attackers unrestricted UI access and surveillance opportunities.

Don't Let Your Security Get Bent Out of Shape

BACKBEND's threat actors differ starkly from the more casual 'script kiddies' or from pre-fabricated campaigns like the Ransomware-as-a-Service sector. APT30's activities extend to a decade's worth of mostly undisturbed surveillance against Windows environments belonging to media companies, national militaries, and economic targets, among others. Malware researchers also confirm the high pace of updates, which means that different versions of BACKBEND could include features not disclosed here and may vary significantly from one another – for instance, by including or excluding modules.

Users can protect themselves by staying informed about common phishing templates, such as e-mail-attached documents that pretend to be financial statements. If possible, avoid sharing removable devices, which further limits the lateral movement that would give an attacker access to other systems. Infected systems should be disconnected from all other systems and removable drives, as well as from the Internet, and scanned thoroughly with anti-malware tools to remove BACKBEND and related threats.

BACKBEND is a particular danger to Asian government and sensitive business networks in countries such as India, Japan and Thailand. However, the lessons its victims teach the rest of the world – such as being careful about which devices you share and which files you open – apply to anyone who uses the Internet.
