
Beendoor

Posted: April 22, 2019

Beendoor is a backdoor Trojan that includes some of the data-collecting features of spyware. Infections have a high correlation with attacks against Indian diplomatic and military employees, with threat actors serving Beendoor instead of a more traditional Remote Access Trojan (or RAT). Since the Trojan is a high-level threat, your response to infection should be prompt and include disabling all network connections and uninstalling Beendoor through traditional anti-malware products before re-securing the hardware and all confidential information.

The Second of Two Equally-Bad Doors Swings Open

While cyber-security company Proofpoint's elaboration on the MSIL/Crimson family of RAT components leads to unpleasant conclusions about the possibilities of compromises in Indian government networks, Crimson doesn't work alone. In a less than standard practice, threat actors are replacing the RAT with another Trojan: Beendoor. Various attacks deploying Beendoor or its counterpart were confirmed between 2016 and 2018, and more are likely to come.

Beendoor is part of a campaign referred to as Operation Transparent Tribe, which breaches the security of Indian diplomatic and military institutions. Known infection vectors include e-mail-attached documents exploiting CVE-2012-0158 (see also: the Breach RAT, Backdoor.Baccamun or TSPY_GEDDEL.EVL) and corrupted domains posing as military-themed blogs. Most attacks trick victims into clicking a corrupted link or enabling exploitable content inside a file, which runs the Trojan dropper; the dropper may install either Beendoor or its better-analyzed counterpart, MSIL/Crimson.

Beendoor uses the Extensible Messaging and Presence Protocol (XMPP) for both sending and receiving C&C information. This choice requires an additional library component, which the same Trojan dropper installs alongside it. While malware researchers haven't examined its complete payload, Beendoor appears to be intended for exfiltrating confidential information: it includes a screen-grabbing feature that uploads images of the user's screen to the threat actor's server. Beendoor may be a more specialized tool than the Crimson RAT, one its attackers use when targets don't warrant a more invasive approach.
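Because XMPP is an unusual protocol for most workstations to speak outbound, a simple hunting heuristic for an XMPP-based C&C channel like the one described above is to list internal hosts that open XMPP sessions to servers outside a sanctioned allowlist. The following is an added example, not code from the original article or from any analysis of Beendoor: it runs over a few constructed Zeek-style conn.log lines (the IP addresses and the allowlist are hypothetical), not real Beendoor traffic.

```python
"""Flag internal hosts that open outbound XMPP sessions to unsanctioned servers.
Added detection example; sample log lines and addresses below are constructed."""
from collections import defaultdict

XMPP_PORTS = {5222, 5223, 5269}          # client, legacy TLS client, server-to-server
KNOWN_XMPP_SERVERS = {"10.0.0.5"}        # hypothetical sanctioned XMPP server
INTERNAL_PREFIXES = ("10.", "192.168.")  # hypothetical internal ranges

# Constructed Zeek-style conn.log excerpt (tab-separated):
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service
SAMPLE_CONN_LOG = """\
1555900000.1\tC1\t192.168.1.20\t49152\t10.0.0.5\t5222\ttcp\txmpp
1555900001.2\tC2\t192.168.1.31\t49160\t203.0.113.7\t5222\ttcp\txmpp
1555900002.3\tC3\t192.168.1.31\t49161\t203.0.113.7\t443\ttcp\tssl
1555900003.4\tC4\t192.168.1.44\t49170\t198.51.100.9\t5223\ttcp\t-
1555900004.5\tC5\t192.168.1.20\t49180\t93.184.216.34\t80\ttcp\thttp
"""

def parse_conn_log(text):
    """Yield one dict per non-empty, non-comment log line."""
    fields = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "service"]
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split("\t")))
        rec["orig_p"] = int(rec["orig_p"])
        rec["resp_p"] = int(rec["resp_p"])
        yield rec

def is_xmpp(rec):
    """Match on Zeek's service label or on the standard XMPP ports; the port
    check also catches sessions Zeek could not identify (service '-')."""
    return rec["service"] == "xmpp" or rec["resp_p"] in XMPP_PORTS

def suspicious_xmpp_hosts(text, allowlist=KNOWN_XMPP_SERVERS):
    """Return {internal host: sorted unsanctioned XMPP servers it contacted}."""
    hits = defaultdict(set)
    for rec in parse_conn_log(text):
        if not rec["orig_h"].startswith(INTERNAL_PREFIXES):
            continue  # only outbound sessions originating inside the network
        if is_xmpp(rec) and rec["resp_h"] not in allowlist:
            hits[rec["orig_h"]].add(rec["resp_h"])
    return {host: sorted(servers) for host, servers in hits.items()}

if __name__ == "__main__":
    for host, servers in suspicious_xmpp_hosts(SAMPLE_CONN_LOG).items():
        print(f"{host} opened XMPP sessions to unsanctioned servers: {', '.join(servers)}")
```

Any host the function reports warrants a look at what process owns the socket, since a screen-capture upload over XMPP from a machine that has no chat client installed is exactly the kind of behaviour the article attributes to Beendoor.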

Been There, Done that Trojan Safely

The motives for Beendoor's threat actors exchanging their payloads in this fashion remain opaque, but they change little to nothing about how potential victims can defend themselves against future outcroppings of the Transparent Tribe campaign. Updating document reader software reduces the number of vulnerabilities that threat actors can abuse, and users should be careful about which files they enable macros in, since macros are especially exploitable. Microsoft Word disables macros by default in all modern versions.

Web-browsing security is similarly critical to preventing attacks that use known Beendoor tactics. Users should never download files from HXXP addresses, which use URL-tagging obfuscation to trick threat-detection rulesets. Military and government employees should understand that many cyber attacks targeting them will use topical lures, such as articles about pay raises or other news that's specific to their industry or even to them as individuals. Anti-malware products should remove Beendoor as a threat, just like the Crimson RAT and the flexible dropper components.

The kinds of doors that Beendoor opens lead to an evolution of war in which software is another weapon and every hard drive is a trench. Unlike 'normal' war, however, malware experts continue to find common-sense precautions and security services more than sufficient deterrents against any hostilities.
