BADFLICK

Malware entry last updated 2024-05-04T19:55:58.612Z
BADFLICK is a backdoor used by APT40, a China-nexus espionage group that Mandiant formerly tracked as TEMP.Periscope. The backdoor can modify the file system, generate a reverse shell, and modify its own command-and-control configuration. BADFLICK is not delivered by a credential tool; rather, APT40 has used HOMEFRY, a 64-bit Windows password dumper/cracker, in conjunction with the AIRBREAK and BADFLICK backdoors during the same intrusions. The group's toolset also includes PHOTO, a DLL backdoor publicly reported as Derusbi; the CHINA CHOPPER web shell; and MURKYTOP, a command-line reconnaissance tool used for host discovery, port scanning, and enumerating OS, user, group and share information on remote hosts. Historical indicators show that the group has been active since at least 2013: for example, green.ddd, a file name associated with AIRBREAK, appears in earlier reporting on APT40 activity. The combination of custom backdoors with purpose-built credential and reconnaissance tools is what distinguishes this intrusion set, so finding any one of these tools on a host should prompt a search for the others.
Description last updated: 2023-06-23T15:48:34.098Z
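The relationships stated in the description above (APT40 uses BADFLICK, AIRBREAK, PHOTO, CHINA CHOPPER, HOMEFRY and MURKYTOP; PHOTO is also known as Derusbi; green.ddd is an AIRBREAK indicator) are the kind of data the page's STIX export carries. The following is an added example, not the page's own STIX bundle nor code from Mandiant or MITRE: it encodes those relationships as a STIX 2.1 bundle built from plain dicts, checks the bundle for dangling references (a common defect in consumed feeds), and queries it. The UUID namespace, all object IDs, the reuse of the page's timestamp for created/modified, the STIX pattern for green.ddd, the malware_types/tool_types vocabulary choices and the TEMP.Periscope alias (taken from the Mandiant reference titles below) are assumptions made here.

```python
"""Added example (not code from the page, Mandiant or MITRE): encode the
APT40 / BADFLICK relationships from the description as a STIX 2.1 bundle,
verify its referential integrity and query it.  IDs, namespace, timestamps
and the indicator pattern are constructed here."""
import json
import uuid

# Constructed namespace so generated IDs are deterministic across runs.
NAMESPACE = uuid.UUID("3b9a6d4e-2c1f-4a7b-9e8d-5f0c1a2b3c4d")
TS = "2024-05-04T19:55:58.612Z"  # timestamp shown on the page, reused as created/modified


def stix_id(stix_type, key):
    """Deterministic '<type>--<uuid>' identifier in STIX 2.1 id format."""
    return f"{stix_type}--{uuid.uuid5(NAMESPACE, stix_type + ':' + key)}"


def sdo(stix_type, name, **extra):
    """Minimal STIX Domain Object carrying the common required properties."""
    obj = {"type": stix_type, "spec_version": "2.1", "id": stix_id(stix_type, name),
           "created": TS, "modified": TS, "name": name}
    obj.update(extra)
    return obj


def rel(rel_type, source, target):
    """STIX Relationship Object linking two domain objects."""
    key = f"{rel_type}:{source['id']}:{target['id']}"
    return {"type": "relationship", "spec_version": "2.1",
            "id": stix_id("relationship", key), "created": TS, "modified": TS,
            "relationship_type": rel_type,
            "source_ref": source["id"], "target_ref": target["id"]}


def build_bundle():
    """Bundle with the actor, its malware and tools, and the green.ddd indicator."""
    apt40 = sdo("intrusion-set", "APT40", aliases=["TEMP.Periscope"])
    badflick = sdo("malware", "BADFLICK", is_family=False, malware_types=["backdoor"])
    airbreak = sdo("malware", "AIRBREAK", is_family=False, malware_types=["backdoor"])
    photo = sdo("malware", "PHOTO", is_family=False, malware_types=["backdoor"],
                aliases=["Derusbi"])
    chopper = sdo("malware", "CHINA CHOPPER", is_family=False, malware_types=["webshell"])
    homefry = sdo("tool", "HOMEFRY", tool_types=["credential-exploitation"])
    murkytop = sdo("tool", "MURKYTOP", tool_types=["information-gathering"])
    # File-name indicator for AIRBREAK; the pattern is written here, not taken from the page.
    green = sdo("indicator", "green.ddd", indicator_types=["malicious-activity"],
                pattern="[file:name = 'green.ddd']", pattern_type="stix", valid_from=TS)
    used = [badflick, airbreak, photo, chopper, homefry, murkytop]
    objects = [apt40, green] + used
    objects += [rel("uses", apt40, o) for o in used]
    objects.append(rel("indicates", green, airbreak))
    return {"type": "bundle", "id": stix_id("bundle", "badflick-page"), "objects": objects}


def dangling_refs(bundle):
    """IDs of relationships whose source_ref or target_ref is absent from the bundle.
    An empty list means every relationship resolves."""
    ids = {o["id"] for o in bundle["objects"]}
    return [o["id"] for o in bundle["objects"] if o["type"] == "relationship"
            and not ({o["source_ref"], o["target_ref"]} <= ids)]


def related(bundle, name, rel_type):
    """Sorted names of objects that `name` points to through `rel_type` relationships."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    source_ids = {o["id"] for o in bundle["objects"] if o.get("name") == name}
    return sorted(by_id[o["target_ref"]]["name"] for o in bundle["objects"]
                  if o["type"] == "relationship" and o["relationship_type"] == rel_type
                  and o["source_ref"] in source_ids)


def resolve_alias(bundle, alias):
    """Primary name of the object whose name or aliases match `alias`, else None."""
    for o in bundle["objects"]:
        if alias == o.get("name") or alias in o.get("aliases", []):
            return o["name"]
    return None


if __name__ == "__main__":
    b = build_bundle()
    print(json.dumps(b, indent=2)[:300], "...")
    print("dangling refs:", dangling_refs(b))
    print("APT40 uses:", related(b, "APT40", "uses"))
    print("green.ddd indicates:", related(b, "green.ddd", "indicates"))
    print("Derusbi ->", resolve_alias(b, "Derusbi"))
```

The same `dangling_refs` and `related` functions work unchanged on a bundle loaded with `json.load` from a downloaded STIX file, since they only rely on the `id`, `type`, `name`, `relationship_type`, `source_ref` and `target_ref` properties every STIX 2.1 producer must emit.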
Aliases: none currently tracked.
Miscellaneous Associations: (no entries)
Source Document References
Information about the BADFLICK malware was read from the documents below (display limited to 20 results).

Source: MITRE (added 2 years ago). Title: Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries | Mandiant
Source: MITRE (added 2 years ago). Title: APT40: Examining a China-Nexus Espionage Actor | Mandiant