BadFlick Backdoor Is Been Distributed Via Exploited Word Documents
BadFlick is a backdoor that is usually seen being distributed using exploited word documents. It does not have any persistence to survive reboot, but it is capable of opening a reverse shell connection to its C2 server where it can download and execute possibly other malware.
BadFlick makes use of c0b8d15cd0f3f3c5a40ba2e9780f0dd1db526233b40a449826b6a7c92d31f8d9
— a word document — to exploit a known vulnerability in Microsoft
Office’s component tool known as Microsoft Equation Editor or EQNEDT32.EXE
aka CVE-2017-11882
. This will trigger a remote code execution in EQNEDT32.EXE
where it will be replaced by its BadFlick backdoor 7ba05abdf8f0323aa30c3d52e22df951eb5b67a2620014336eab7907b0a5cedf using process hollowing
injection technique.
BadFlick’s backdoor configuration can be seen hardcoded in its body with the following format<configState>|<C2 ip address>|<port>|<sleep>|
. E.g. 1|103[.]243[.]175[.]181|80|5|xxxxxxxxxxxxxxxxxxxxxxx
where:
- 1 = default configuration state of backdoor
- 103[.]243[.]175[.]181 = C2 server ip address
- 80 = port used
- 5 = time to wait (in minutes) between connections
On a successful connection to its C2 server, this backdoor will proceed to extract and send the following information about the infected machine:
- Computer Name
- IP Address
- Windows Version Number and Service Pack
- Number of CPU core and speed
- Size of RAM
It will also add the string winMain static green
at the end then uses CRC32 to compress the data before sending.
C&C IOC
103[.]243[.]175[.]181


Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.