BackConfig

Malware updated 4 months ago (2024-05-05T08:17:33.309Z)
BackConfig is a custom trojan used by the Hangover threat group (also tracked as Neon, Viceroy Tiger and MONSOON) against government and military organizations in South Asia. It has a flexible plug-in architecture: the core can gather system information, log keystrokes, and upload and execute additional payloads delivered as plug-ins.

Delivery typically starts with a spear-phishing email whose lure is a seemingly legitimate letter or government form. Rather than carrying a malicious attachment, the email links to a compromised website that serves a weaponized Excel document, which installs the BackConfig trojan. The execution chain is staged: a scheduled task runs the VBS downloader component, and the BackConfig loader EXE is launched only after a 20-minute delay, which can outlast automated analysis systems. Throughout delivery the group uses benign-looking operation names, paths and filenames, both in URL paths and in the dropped files, which makes the activity harder to spot.

Unit 42 binary-diffed many of the BackConfig executables and found no overlap in non-library functions with existing frameworks such as YTY or EHDev, suggesting that the payloads are not based on them. The malware has also evolved over time, using different methods for command execution and payload deployment, with and without obfuscation.

Through infrastructure analysis and sample metadata, Unit 42 identified additional BackConfig PE executables. One sample communicated with the C2 domain matissues[.]com and was dropped by a weaponized Rich Text Format (RTF) file. There is, however, no evidence of weaponized documents being attached directly to phishing emails; the Hangover group appears to prefer phishing URL links in emails as its primary delivery method.
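The staged execution described above (a scheduled task that runs a VBS downloader, with the real payload only starting after a delay) is the kind of thing a defender can hunt for in scheduled-task creation telemetry. The following is an added example, not code from the Unit 42 report or from BackConfig itself: it parses the Task Scheduler XML that Windows records in Security event 4698 (the TaskContent field), and flags tasks whose action runs a .vbs through wscript.exe or cscript.exe and whose first run is scheduled a noticeable time after registration. The task definitions, task names, paths and the 10-minute threshold are all constructed for illustration and are assumptions, not indicators from the report.

```python
"""Hunt scheduled-task creation events for delayed VBS script-host launches.

Added example, not from the Unit 42 report. Events are modelled on Windows
Security event 4698 (TaskName, TimeCreated, TaskContent XML); all sample
data below is constructed.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Subset of ISO-8601 durations that Task Scheduler uses, e.g. PT20M or P1DT2H.
DURATION_RE = re.compile(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?")


@dataclass
class Finding:
    task_name: str
    command: str
    arguments: str
    delay: timedelta


def parse_duration(text: str) -> timedelta:
    """Parse a Task Scheduler duration such as 'PT20M' into a timedelta."""
    m = DURATION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)


def first_run_delay(task: ET.Element, created_at: datetime) -> timedelta:
    """Longest gap between task registration and its first run, over all triggers."""
    longest = timedelta(0)
    for trig in task.findall("t:Triggers/*", TASK_NS):
        delay = timedelta(0)
        start = trig.findtext("t:StartBoundary", default=None, namespaces=TASK_NS)
        if start:  # TimeTrigger-style absolute start (local time, like created_at)
            delay = datetime.fromisoformat(start) - created_at
        explicit = trig.findtext("t:Delay", default=None, namespaces=TASK_NS)
        if explicit:  # RegistrationTrigger/LogonTrigger-style relative delay
            delay += parse_duration(explicit)
        longest = max(longest, delay)
    return longest


def _basename(path: str) -> str:
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events, min_delay=timedelta(minutes=10)):
    """Return a Finding for every event whose task launches a .vbs via a script
    host and whose first run is at least min_delay after registration."""
    findings = []
    for ev in events:
        task = ET.fromstring(ev["TaskContent"])
        delay = first_run_delay(task, datetime.fromisoformat(ev["TimeCreated"]))
        for exe in task.findall("t:Actions/t:Exec", TASK_NS):
            cmd = exe.findtext("t:Command", default="", namespaces=TASK_NS)
            args = exe.findtext("t:Arguments", default="", namespaces=TASK_NS)
            runs_vbs = _basename(cmd) in SCRIPT_HOSTS and any(
                tok.strip('"').lower().endswith(".vbs") for tok in args.split())
            if runs_vbs and delay >= min_delay:
                findings.append(Finding(ev["TaskName"], cmd, args, delay))
    return findings


def _task(trigger_xml: str, command: str, arguments: str) -> str:
    """Build a minimal TaskContent document (constructed test fixture)."""
    return ('<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            f"<Triggers>{trigger_xml}</Triggers>"
            f'<Actions Context="Author"><Exec><Command>{command}</Command>'
            f"<Arguments>{arguments}</Arguments></Exec></Actions></Task>")


# Constructed 4698-style events; names and paths are illustrative assumptions.
SAMPLE_EVENTS = [
    {"TaskName": "\\Microsoft\\Windows\\UpdateCheck", "TimeCreated": "2020-05-05T10:00:00",
     "TaskContent": _task(  # VBS downloader timed 20 minutes after registration
         "<TimeTrigger><StartBoundary>2020-05-05T10:20:00</StartBoundary></TimeTrigger>",
         "C:\\Windows\\System32\\wscript.exe", '//B "C:\\Users\\Public\\Documents\\update.vbs"')},
    {"TaskName": "\\RunScriptNow", "TimeCreated": "2020-05-05T10:00:00",
     "TaskContent": _task(  # same script host, but runs immediately
         "<RegistrationTrigger/>", "wscript.exe", "C:\\Tools\\inventory.vbs")},
    {"TaskName": "\\OfficeTelemetry", "TimeCreated": "2020-05-05T10:00:00",
     "TaskContent": _task(  # explicit 30-minute delay after registration
         "<RegistrationTrigger><Delay>PT30M</Delay></RegistrationTrigger>",
         "cscript.exe", "//nologo C:\\ProgramData\\Office\\telemetry.vbs")},
    {"TaskName": "\\NightlyBackup", "TimeCreated": "2020-05-05T10:00:00",
     "TaskContent": _task(  # delayed, but not a script host: benign
         "<TimeTrigger><StartBoundary>2020-05-06T02:00:00</StartBoundary></TimeTrigger>",
         "C:\\Program Files\\Backup\\backup.exe", "/full")},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.task_name}: {f.command} {f.arguments} (first run after {f.delay})")
```

Against the constructed events this flags only the two tasks that stage a .vbs with a delayed first run; the immediate wscript task and the delayed backup binary are left alone. In a real hunt the threshold and the script-host list are tuning knobs, and the task name and path should be compared against what legitimately exists on the host, since the group deliberately picks benign-looking names.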
Description last updated: 2024-05-05T07:59:10.588Z
Source Document References
Information about the BackConfig malware was read from the document below.
Source: MITRE (added 2 years ago)
Title: Updated BackConfig Malware Targeting Government and Military Organizations in South Asia