In a newly uncovered campaign, LAB52 — the intelligence team at S2 Group — has identified a sophisticated phishing operation delivering DeedRAT, a modular backdoor associated with Chinese-speaking threat actors. The campaign showcases notable advancements in stealth, persistence, and payload delivery mechanisms.
“The campaign leverages the legitimate signed binary MambaSafeModeUI.exe, part of the VIPRE Antivirus Premium software, which is vulnerable to DLL side-loading,” the report explains. “Although this threat group has previously exploited legitimate antivirus binaries to deliver the backdoor, this marks the first time MambaSafeModeUI.exe has been observed in such activity.”
The initial attack vector is a ZIP archive containing:
- A legitimate binary (MicRun.exe) vulnerable to DLL side-loading
- A malicious DLL (SBAMBRES.DLL)
- An encrypted payload (SBAMBRES.DLL.CC)
When executed, MicRun.exe loads the DLL, which then decrypts and runs the shellcode directly in memory using the GetModuleHandleW function.
“The sample will copy the contents of the compressed file to the folder C:\ProgramData\MicroDefaults,” noted LAB52, emphasizing the use of standard system paths to avoid suspicion.
To maintain persistence, the malware registers itself as a Windows service named MicRun and creates a Run registry key at:
It subsequently spawns a new process under svchost.exe, ensuring that execution appears legitimate while evading casual observation.
“The mutex BaseNamedObjects\asdRFtDaDpobhkmfgUIYGBDURE will be created to prevent two instances of the malware from running simultaneously,” the report highlights.
Communication with the command-and-control server occurs over TCP ports 80 and 443, specifically to luckybear669.kozow[.]com.
DeedRAT’s modular design allows for flexible functionality and future updates. LAB52 confirms the existence of a newly integrated plugin called NetAgent.
“The plugin is responsible for handling the various requests to the server, as well as handling multiple connections by creating threads.”
This design suggests active development and an infrastructure capable of scaling with the attacker’s operational needs.
The malware employs multiple layers of obfuscation, including:
- API hashing
- Junk functions meant to confuse analysts
- A custom encryption algorithm based on a Linear Congruential Generator (LCG)
“While in previous versions the payload was protected by RC4, in this new variant the malicious payload is encrypted using a custom algorithm… initialized with seed 0xA893,” explained the analysts.
Sensitive strings like C2 addresses and persistence paths are hidden in the program heap, while each plugin manages its own encrypted memory region — an uncommon technique that increases stealth.
An interesting addition is the use of pseudo-randomly generated identifiers during persistence setup. These match the regular expression `-[A-Z]{0,7}_[A-Z]{0,7}_[A-Z]{0,8}`.
While no specific function for this argument has been discovered, it is believed to act as a machine fingerprint and persistence mode identifier, potentially aiding the malware in session management or version control.
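As an added defender-side example that is not part of the LAB52 report or the original post, the following Python triage routine matches constructed process and network telemetry against the indicators named above: the drop directory, the MicRun service name, the persistence-identifier regular expression, the mutex and the C2 hostname. The event field names and the sample records are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the LAB52 findings as summarised on this page.
DROP_DIR = r"c:\programdata\microdefaults"
SERVICE_NAME = "MicRun"
C2_HOST = "luckybear669.kozow.com"
MUTEX = r"BaseNamedObjects\asdRFtDaDpobhkmfgUIYGBDURE"
# Persistence-identifier pattern published in the report. Its {0,n} quantifiers
# allow empty groups, so a bare "-__" also matches; the pattern is therefore
# anchored to a whole command-line token and only counted as one indicator.
ARG_RE = re.compile(r"(?:^|\s)-[A-Z]{0,7}_[A-Z]{0,7}_[A-Z]{0,8}(?=\s|$)")


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the page's indicators present in one process/network event dict."""
    hits: List[str] = []
    if ev.get("image", "").lower().startswith(DROP_DIR):
        hits.append("drop_dir")
    if ev.get("service") == SERVICE_NAME:
        hits.append("service_name")
    if ARG_RE.search(ev.get("cmdline", "")):
        hits.append("persistence_arg")
    if ev.get("dns", "").lower() == C2_HOST:
        hits.append("c2_domain")
    if ev.get("mutex") == MUTEX:
        hits.append("mutex")
    return hits


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, str, List[str]]]:
    """Rank events: C2 contact, the mutex, or two corroborating hits are 'high'."""
    out: List[Tuple[int, str, List[str]]] = []
    for i, ev in enumerate(events):
        hits = score_event(ev)
        if not hits:
            continue
        strong = "c2_domain" in hits or "mutex" in hits or len(hits) >= 2
        out.append((i, "high" if strong else "low", hits))
    return out


# Constructed sample telemetry (not real logs); field names are assumptions.
SAMPLE_EVENTS = [
    {"image": r"C:\ProgramData\MicroDefaults\MicRun.exe", "service": "MicRun",
     "cmdline": r"C:\ProgramData\MicroDefaults\MicRun.exe -ABC_DEFG_HIJKL"},
    {"image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs",
     "dns": "luckybear669.kozow.com"},
    {"image": r"C:\Program Files\Git\bin\git.exe", "cmdline": "git.exe -C repo status"},
    {"image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c echo -__"},
]
```

The last sample record shows why the published pattern should not be used on its own: an empty-group match like `-__` yields only a low-confidence hit until another indicator corroborates it.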