BadFlick Backdoor Is Been Distributed Via Exploited Word Documents

BadFlick is a backdoor that is usually seen being distributed using exploited word documents. It does not have any persistence to survive reboot, but it is capable of opening a reverse shell connection to its C2 server where it can download and execute possibly other malware.

BadFlick makes use of c0b8d15cd0f3f3c5a40ba2e9780f0dd1db526233b40a449826b6a7c92d31f8d9 — a word document — to exploit a known vulnerability in Microsoft Office’s component tool known as Microsoft Equation Editor or EQNEDT32.EXE aka CVE-2017-11882. This will trigger a remote code execution in EQNEDT32.EXE where it will be replaced by its BadFlick backdoor 7ba05abdf8f0323aa30c3d52e22df951eb5b67a2620014336eab7907b0a5cedf using process hollowing injection technique.

BadFlick’s backdoor configuration can be seen hardcoded in its body with the following format<configState>|<C2 ip address>|<port>|<sleep>|. E.g. 1|103[.]243[.]175[.]181|80|5|xxxxxxxxxxxxxxxxxxxxxxx where:

  • 1 = default configuration state of backdoor
  • 103[.]243[.]175[.]181 = C2 server ip address
  • 80 = port used
  • 5 = time to wait (in minutes) between connections

On a successful connection to its C2 server, this backdoor will proceed to extract and send the following information about the infected machine:

  • Computer Name
  • IP Address
  • Windows Version Number and Service Pack
  • Number of CPU core and speed
  • Size of RAM

It will also add the string winMain static green at the end then uses CRC32 to compress the data before sending.

C&C IOC

103[.]243[.]175[.]181
BadFlick C&C IP Address

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: