Threat Report: What is the BackConfig Malware and How Does it Work?

BackConfig is a custom Trojan that has been used by Patchwork. BackConfig affects the Windows operating system and has the ability to use hidden columns in Excel spreadsheets to store executable files or commands for VBA macros. BackConfig has used VBS scripts, as well as URLs hosting malicious content, to compromise victims. BackConfig has the ability to use HTTPS for C2 communications and to download and execute additional payloads on a compromised host.
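The hidden-column technique described above is simple to check for during triage, because an .xlsx file is a zip archive of XML parts and a hidden column is just a `<col hidden="1">` entry in the worksheet XML. The following added example (not code from the article, from Patchwork, or from BackConfig) scans every worksheet in a workbook for hidden columns and lists the text held in their cells; the workbook it runs against is constructed in memory with placeholder strings so the script works offline. Function names and the minimal workbook layout are the author's assumptions, not anything the report specifies.

```python
"""Triage helper: list cell text stored in hidden columns of an .xlsx file.

Added example, not from the article. Assumes a plain .xlsx (zip of XML parts);
the sample workbook is constructed in memory with placeholder values.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def col_index(letters: str) -> int:
    """Convert a column label such as 'AD' to its 1-based index ('AD' -> 30)."""
    n = 0
    for ch in letters.upper():
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n


def hidden_column_ranges(sheet_root):
    """Return (min, max) 1-based column ranges that the sheet marks hidden."""
    ranges = []
    for col in sheet_root.findall("m:cols/m:col", NS):
        if col.get("hidden") in ("1", "true"):
            ranges.append((int(col.get("min")), int(col.get("max"))))
    return ranges


def cell_text(cell, shared):
    """Resolve a <c> element's text for shared (t="s") and inline (t="inlineStr") strings."""
    t = cell.get("t")
    if t == "inlineStr":
        return "".join(cell.itertext()).strip()
    v = cell.find("m:v", NS)
    if v is None or v.text is None:
        return ""
    if t == "s":
        return shared[int(v.text)]
    return v.text


def scan_hidden_cells(xlsx_bytes: bytes):
    """Return [(sheet_part, cell_ref, text)] for every non-empty cell in a hidden column."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        shared = []
        if "xl/sharedStrings.xml" in z.namelist():
            root = ET.fromstring(z.read("xl/sharedStrings.xml"))
            shared = ["".join(si.itertext()) for si in root.findall("m:si", NS)]
        for name in z.namelist():
            if not (name.startswith("xl/worksheets/sheet") and name.endswith(".xml")):
                continue
            root = ET.fromstring(z.read(name))
            ranges = hidden_column_ranges(root)
            if not ranges:
                continue
            for cell in root.findall("m:sheetData/m:row/m:c", NS):
                ref = cell.get("r", "")
                letters = re.match(r"[A-Z]+", ref)
                if not letters:
                    continue
                idx = col_index(letters.group())
                if any(lo <= idx <= hi for lo, hi in ranges):
                    text = cell_text(cell, shared)
                    if text:
                        findings.append((name, ref, text))
    return findings


def build_sample_workbook() -> bytes:
    """Constructed sample: column AD (index 30) is hidden and holds placeholder text."""
    sheet = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
        '<cols><col min="30" max="30" width="0" hidden="1" customWidth="1"/></cols>'
        "<sheetData>"
        '<row r="1"><c r="A1" t="inlineStr"><is><t>Quarterly totals</t></is></c>'
        '<c r="AD1" t="s"><v>0</v></c></row>'
        '<row r="2"><c r="A2"><v>42</v></c>'
        '<c r="AD2" t="inlineStr"><is><t>CONSTRUCTED-HIDDEN-TEXT-2</t></is></c></row>'
        "</sheetData></worksheet>"
    )
    shared = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'count="1" uniqueCount="1"><si><t>CONSTRUCTED-HIDDEN-TEXT-1</t></si></sst>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/worksheets/sheet1.xml", sheet)
        z.writestr("xl/sharedStrings.xml", shared)
    return buf.getvalue()


if __name__ == "__main__":
    for part, ref, text in scan_hidden_cells(build_sample_workbook()):
        print(f"{part} {ref}: {text!r}")
```

On a real file, pass the bytes of the workbook to `scan_hidden_cells`; a hidden column whose cells contain shell-like strings rather than spreadsheet data is the indicator worth escalating, and the same check can be extended to hidden rows or hidden sheets with the corresponding `hidden` attributes.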

BackConfig Malware Capabilities

BackConfig malware may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.

BackConfig is also capable of deleting files left behind by its intrusion activity. BackConfig may abuse the Windows command shell for execution. BackConfig may use various techniques to evade detection, including code signing, hiding files and directories, and obfuscating information. It may also rely on users clicking on malicious links to gain execution. Once execution is gained, BackConfig may abuse Visual Basic and the Windows Task Scheduler to perform tasks or schedule recurring execution of malicious code.

  • The BackConfig malware may use Microsoft Office templates to obtain persistence on a compromised system. Additionally, BackConfig may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
  • BackConfig may interact with the native OS application programming interface (API) to execute behaviors. This allows low-level OS services within the kernel to be called, such as those involving hardware/devices, memory, and processes.
  • The adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. BackConfig may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Ways to Mitigate BackConfig Malware Attacks

BackConfig malware attacks can be mitigated in several ways. One is detecting file obfuscation, which is difficult unless the obfuscation process leaves unique artifacts behind. Another is investigating changes to Registry keys or Office macro security settings.

  • BackConfig malware attacks can be mitigated by monitoring API calls, analyzing network data for uncommon data flows, and monitoring for file creation and files transferred into the network. Unusual processes with external network connections creating files on-system may be suspicious.
  • The BackConfig malware attacks can be mitigated by monitoring for system and network discovery techniques, monitoring for command-line deletion functions, and capturing scripts from the file system.
  • BackConfig can be mitigated by collecting and analyzing signing certificate metadata, file hashes, and file names. Additionally, the file system and shell commands should be monitored for unusual activity.
  • BackConfig malware can be mitigated by detecting deobfuscating or decoding files or information, inspecting network traffic for indications of a malicious site, and monitoring for events associated with VB execution.
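Several of the detections listed above (Office applications launching script hosts, scheduled task creation, command-line file deletion, and VBS execution from user-writable paths) can be expressed as rules over process-creation telemetry. The following added example (not code from the article or from any vendor product) runs such rules over a handful of constructed process-creation events in JSON-lines form; the field names, rule names and sample paths are the author's assumptions and do not come from the report.

```python
"""Run simple process-creation detection rules over constructed sample events.

Added example, not from the article. Field names (ts, host, parent_image,
image, command_line) and the sample events are constructed for illustration.
"""
import json
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
# Directories an ordinary user can write to; scripts launched from here deserve a look.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)
# A "del"/"erase" token in a cmd.exe command line (word boundary avoids "deleted", "model").
DELETE_CMD = re.compile(r"(^|[\s&|])(del|erase)\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerating forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Rule name -> predicate over one event dict. Order matters for the output.
RULES = {
    "office_spawns_script_host": lambda e: (
        basename(e["parent_image"]) in OFFICE_APPS and basename(e["image"]) in SCRIPT_HOSTS
    ),
    "scheduled_task_creation": lambda e: (
        basename(e["image"]) == "schtasks.exe" and "/create" in e["command_line"].lower()
    ),
    "cmdline_file_deletion": lambda e: (
        basename(e["image"]) == "cmd.exe" and DELETE_CMD.search(e["command_line"]) is not None
    ),
    "vbs_from_user_writable_dir": lambda e: (
        basename(e["image"]) in {"wscript.exe", "cscript.exe"}
        and ".vbs" in e["command_line"].lower()
        and USER_WRITABLE.search(e["command_line"]) is not None
    ),
}


def parse_events(jsonl: str):
    """Parse JSON-lines telemetry into a list of event dicts (blank lines skipped)."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def evaluate(events):
    """Return [(event_index, rule_name)] for every rule that fires on each event."""
    hits = []
    for idx, event in enumerate(events):
        for name, predicate in RULES.items():
            if predicate(event):
                hits.append((idx, name))
    return hits


# Constructed sample telemetry (host name, user and paths are placeholders).
SAMPLE_EVENTS = r"""
{"ts": "2024-01-15T09:12:03Z", "host": "WS-CONSTRUCTED-01", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "image": "C:\\Windows\\System32\\wscript.exe", "command_line": "wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\report.vbs"}
{"ts": "2024-01-15T09:12:05Z", "host": "WS-CONSTRUCTED-01", "parent_image": "C:\\Windows\\System32\\wscript.exe", "image": "C:\\Windows\\System32\\schtasks.exe", "command_line": "schtasks.exe /create /sc minute /mo 30 /tn OfficeUpdateCheck /tr C:\\Users\\alice\\AppData\\Local\\Temp\\report.vbs"}
{"ts": "2024-01-15T09:13:40Z", "host": "WS-CONSTRUCTED-01", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe C:\\Users\\alice\\Documents\\notes.txt"}
{"ts": "2024-01-15T09:14:12Z", "host": "WS-CONSTRUCTED-01", "parent_image": "C:\\Windows\\System32\\wscript.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c del /q C:\\Users\\alice\\AppData\\Local\\Temp\\stage.tmp"}
{"ts": "2024-01-15T09:15:00Z", "host": "WS-CONSTRUCTED-01", "parent_image": "C:\\Windows\\System32\\services.exe", "image": "C:\\Windows\\System32\\svchost.exe", "command_line": "svchost.exe -k netsvcs"}
{"ts": "2024-01-15T09:15:30Z", "host": "WS-CONSTRUCTED-01", "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c echo model deleted"}
"""


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for idx, rule in evaluate(events):
        e = events[idx]
        print(f"{e['ts']} {e['host']} {rule}: {e['command_line']}")
```

The rules are deliberately narrow so that a single event can match more than one of them; correlating the hits on one host within a short window (an Office process starting a script host, followed by a task registration and then a cleanup deletion) gives a far stronger signal than any rule alone, and the last sample event shows why the deletion rule needs a word boundary rather than a plain substring match.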


Reactionary Times News Desk
