Backdoor Loader
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
The file exploits a known vulnerability (CVE-2017-11882) to run a malicious shellcode and initiate a multi-level infection process that leads to the installation of malware we have named “Backdoor Loader”. This acts as a loader for “StealerBot”, a private post-exploitation toolkit used exclusively by SideWinder.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Techniques & procedures
14 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
Execution
3 techniques
In the previous version, the malware used a simple WMI query to obtain a list of installed products. The new version uses a different WMI query, which collects the name of the antivirus product and its related “productState”.
Stealth
7 techniques
The remote HTA embeds a heavily obfuscated JavaScript file... strings, initially encoded with a substitution algorithm... embedded within its code as a base64-encoded .NET serialized stream.
Additionally, they change the names and paths of their malicious files... During the most recent campaign, the attackers tried to diversify the samples, generating many other variants distributed under the following names: JetCfg.dll, policymanager.dll, winmm.dll, xmllite.dll, dcntel.dll, UxTheme.dll.
The embedded JavaScript runs the Windows utility mshta.exe and obtains additional code from a remote server.
The newer version of the shellcode still uses certain tricks to avoid sandboxes... It uses the GlobalMemoryStatusEx function to determine the size of RAM. It attempts to load the nlssorting.dll library and terminates execution if the operation succeeds.
It uses the GlobalMemoryStatusEx function to determine the size of RAM... The first stage... checks the installed RAM and terminates if the total size is less than 950 MB.
Discovery
3 techniques
The malware compares all running process names against an embedded dictionary. The dictionary contains 137 unique process names associated with popular security solutions.
IOCs tracked for this family
38 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
1 source tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.