
BackConfig

Posted: May 13, 2020

BackConfig is a backdoor Trojan whose features for controlling and monitoring the user's PC are defined by optional modules. BackConfig may use distribution methods that include sophisticated e-mail phishing attacks with download links, serving as a tool of espionage campaigns active in Asia. Users should protect their computers with proper anti-malware tools for deleting BackConfig, supplemented by common-sense precautions like deactivating document macros.

The Increasingly Adaptable Configuration of Trojan Monitoring

Samples of Trojans and analyses of their associated attacks and infrastructure throughout Asia show that many threat actors maintain an interest in compromising not just business entities, but the networks of civilian governments and even militaries as well. BackConfig is one such threat: it serves as a central staging ground for further attacks while giving researchers a clear window into the potential flexibility of an individual backdoor Trojan. Besides having very adaptable payloads, BackConfig also enjoys significant obfuscation thanks to the efforts of its operators, the Hangover threat actor.

Hangover, also known by names such as MONSOON and Neon, displays a consistent interest in compromising targets in the Southeast Asian region and goes to considerable effort to achieve success. The group often uses components mimicking the names of default software associated with Windows or networking services, signs its corrupted files with digital certificates, and customizes the infection vectors with content that is of interest to the target. Malware experts also confirm that the group delivers BackConfig through links pointing to legitimate but compromised websites, instead of the more usual e-mail attachments.

Users opening these files and enabling the macros initialize a protracted and intricate infection routine that often delays dropping BackConfig for twenty minutes, as one of many anti-detection measures. Once it is active, BackConfig runs most of its attacks via optional plugins or modules that Hangover deploys as appropriate. Some examples of typical attacks from BackConfig include:

  • Passing system environment data (the Windows OS version, etc.) to the attackers.
  • Collecting user information by logging keystrokes and similar methods.
  • Executing general system commands via batch files.
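The behaviours listed above (an Office macro that hands off to a command interpreter and batch files, and components that borrow the names of default Windows binaries) give defenders two cheap process-creation checks. The following is an added example of that detection logic; it is not code from the page's author or from any vendor product, and the Sysmon-style process events it runs over are constructed sample records, not real BackConfig telemetry.

```python
"""Added detection example (constructed, not vendor code): triage process-creation
events for (1) an Office application spawning a command interpreter or script host,
optionally with a batch/script file on its command line, and (2) an executable that
carries a Windows system-binary name but runs from outside the system directories."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".vbs", ".js", ".ps1")
# Names frequently impersonated; the legitimate copies live under SYSTEM_DIRS.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "dllhost.exe", "conhost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class ProcessEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def office_spawned_script_host(ev: ProcessEvent) -> bool:
    """Office app -> interpreter is the chain a macro dropper follows."""
    return _name(ev.parent_image) in OFFICE_APPS and _name(ev.image) in SCRIPT_HOSTS


def runs_script_file(ev: ProcessEvent) -> bool:
    """True if any command-line token names a batch or script file."""
    tokens = ev.command_line.lower().replace('"', "").split()
    return any(tok.endswith(SCRIPT_EXTENSIONS) for tok in tokens)


def masquerades_as_system_binary(ev: ProcessEvent) -> bool:
    """A system-binary name running from a user-writable path is a classic decoy."""
    image = ev.image.lower()
    return _name(image) in SYSTEM_BINARY_NAMES and not image.startswith(SYSTEM_DIRS)


def triage(events):
    """Return (image, [reasons]) for every event that trips at least one check."""
    findings = []
    for ev in events:
        reasons = []
        if office_spawned_script_host(ev):
            reasons.append("office-app spawned script host")
            if runs_script_file(ev):
                reasons.append("script file on command line")
        if masquerades_as_system_binary(ev):
            reasons.append("system-binary name outside system directory")
        if reasons:
            findings.append((ev.image, reasons))
    return findings


# Constructed sample events (hypothetical paths, not indicators from the page).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r'cmd.exe /c "C:\Users\alice\AppData\Roaming\update.bat"'),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\explorer.exe",
                 r'"EXCEL.EXE" "C:\Users\alice\Downloads\report.xls"'),
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r"svchost.exe"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\services.exe",
                 r"svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(reasons)}")
```

Only the first and third sample events are flagged; the normal Excel launch and the genuine svchost.exe pass. Because the page notes that the final drop can be delayed by twenty minutes, the stage that actually writes BackConfig may no longer have Excel as its parent, so in practice the Office-to-interpreter hit should be used as a pivot for a time-window correlation on the same host rather than as the whole detection.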

Getting Back to Basics on Anti-Trojan Habits

The means of infection for BackConfig implies much about Hangover's standard operating procedures for its campaigns. As with the Naikon APT, which operates in the same region, the inclusion of 'normal' websites in the attack infrastructure makes it crucial that administrators identify and react to breaches as quickly as possible. All users should also be aware that unsafe content can be hosted on a normally safe site, up to and including government domains relevant to their workplace environment.

Other elements of BackConfig's campaigns are more usual for a backdoor Trojan of its agenda. It threatens Windows systems and requires the enabling of a harmful macro in an Excel spreadsheet for its installation routine. By default, macros should be inactive, and users also may notice visible pop-up errors during the infection attempt, one of Hangover's telltale 'tics.'

Trustworthy anti-malware services will detect documents with embedded unsafe content and remove BackConfig from infected systems safely. Installing database definition updates, where available, helps these products identify newly upgraded threats and is critical for countering obfuscation-heavy Trojans like BackConfig.

Through BackConfig, a threat actor may launch virtually any other attack, thanks to the general-purpose nature of the program's batch script support. It is somewhat counterintuitive that such a problem could come from downloading a file from a trusted website, but it shows that workers cannot afford to take anything for granted when it comes to e-mail security.
