CBROVER (Backdoor) – Malware

January 15, 2025

CBROVER

Type of Malware: Backdoor
Country of Origin: China
Targeted Countries: United States, Philippines, Mongolia, Myanmar, Pakistan, Bangladesh, India, Japan, South Korea, Vietnam
Date of Initial Activity: 2022
Associated Groups: Mustang Panda
Motivation: Cyberwarfare, Espionage
Attack Vectors: Phishing, Physical Access
Targeted Systems: Windows

Overview

CBROVER is a sophisticated malware variant that has been observed as part of a multi-stage infection chain used by advanced persistent threat (APT) actors, particularly in high-stakes cyberattacks targeting government entities and organizations across the Asia-Pacific region. It operates as a versatile tool for espionage, data exfiltration, and persistence, contributing to larger malicious campaigns such as those executed by the Earth Preta threat group (also tracked as Mustang Panda). This article covers the core functionalities of CBROVER, its infection mechanisms, and the impact it has on compromised systems.

CBROVER is designed to be deployed through spear-phishing attacks, a tactic frequently used to gain initial access to a network. In these campaigns, CBROVER typically arrives as a secondary payload after an initial downloader, such as PULLBAIT, has executed. The malware can be introduced through malicious attachments, such as URL files that lead to the download of the payload. Once inside the target system, CBROVER establishes a foothold and facilitates further infection stages, often loading additional malicious tools such as PLUGX, which serve to maintain persistence and further compromise the system.

Targets

Information, Credentials

How they operate

The attack cycle of CBROVER begins with initial access, primarily through spear-phishing campaigns. The malware is commonly embedded in attachments such as malicious macros or links in documents. When users interact with the attachments, the malware is executed, often via a command and scripting interpreter (T1059). In some cases, CBROVER leverages exploitation for initial access (T1203), taking advantage of vulnerabilities in the victim's software or operating system to bypass security measures and gain unauthorized access. Once executed, CBROVER typically downloads additional components from a command-and-control (C2) server, expanding its functionality and preparing for further exploitation.

Following successful execution, CBROVER establishes persistence on the compromised system. It does so by modifying system settings, such as adding itself to the startup folder or creating new registry run keys (T1547). These modifications ensure that CBROVER continues to run after the system is rebooted. The malware may also set up scheduled tasks (T1053), allowing it to execute at predetermined times or intervals. By embedding itself this deeply into the system, CBROVER evades simple detection and removal, creating an obstacle for administrators attempting to mitigate the infection.
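Persistence of the kind described above (Run keys, the Startup folder and scheduled tasks) leaves traces in endpoint telemetry. The following Python script is an added example, not code from this page or from the referenced Earth Preta report: it triages constructed Sysmon-style events (all paths, SIDs and names are invented), flags the writes that establish persistence with the current MITRE sub-technique IDs, and rates a hit higher when the persisted payload sits in a user-writable path, as staged downloaders usually do.

```python
import re

# Constructed Sysmon-style events (invented values): id 13 = RegistryEvent (value set),
# 11 = FileCreate, 1 = ProcessCreate. Field names mirror Sysmon's, values are made up.
SAMPLE_EVENTS = [
    {"id": 13, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"id": 13, "image": r"C:\Program Files\Vendor\agent.exe",   # benign registry write
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Agent\DisplayName",
     "details": "Vendor Agent"},
    {"id": 11, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /sc minute /mo 30 /tn Updater /tr C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",   # query only, not persistence
     "cmdline": "schtasks /query /tn Updater"},
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
SCHTASKS_RE = re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)

def classify(event):
    """Map one event to (technique, payload_path), or None if it is not persistence."""
    eid = event["id"]
    if eid == 13 and RUN_KEY_RE.search(event.get("target", "")):
        return "T1547.001", event.get("details", "")   # Run / RunOnce value written
    if eid == 11 and STARTUP_RE.search(event.get("target", "")):
        return "T1547.001", event.get("image", "")     # file dropped into Startup folder
    if eid == 1 and SCHTASKS_RE.search(event.get("cmdline", "")):
        return "T1053.005", event.get("cmdline", "")   # scheduled task created
    return None

def find_persistence(events):
    """Return [(technique, severity, image)] for events that establish persistence.
    Severity is 'high' when the persisted payload lives in a user-writable path."""
    hits = []
    for ev in events:
        result = classify(ev)
        if result is None:
            continue
        technique, payload = result
        severity = "high" if USER_WRITABLE_RE.search(payload) else "low"
        hits.append((technique, severity, ev["image"]))
    return hits

if __name__ == "__main__":
    for hit in find_persistence(SAMPLE_EVENTS):
        print(*hit)
```

Every Run-key write by a legitimate installer would also surface here, so the output is a review queue, not a verdict; the severity rating is what separates the staged-payload pattern from routine software changes.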

Privilege Escalation, Lateral Movement and Defense Evasion

Once persistent on the system, CBROVER seeks to escalate its privileges, often through exploitation for privilege escalation (T1203). By exploiting security flaws or misconfigurations in the operating system, CBROVER can gain higher-level access, which is critical for carrying out its objectives. The malware then engages in lateral movement, scanning the network for other vulnerable machines. Techniques such as remote desktop protocol (RDP) (T1076) and remote file copy (T1105) are used to spread CBROVER to other machines on the network, widening its reach and compromising more systems.

CBROVER also gathers intelligence from the compromised system using techniques such as system information discovery (T1082) and network share discovery (T1135). By harvesting system details and network shares, it identifies potential targets for data exfiltration or further attacks. Credential dumping (T1003) is another key function of the malware, allowing it to collect login credentials that can be leveraged for additional lateral movement or to reach higher-value targets within the network.

One of the defining characteristics of CBROVER is its ability to avoid detection by traditional security measures. The malware employs obfuscation techniques (T1027), including encryption and packing of its payloads, to bypass signature-based detection. Additionally, CBROVER may manipulate file timestamps through timestomping (T1070.006) to make forensic analysis more difficult for investigators. Its low-and-slow approach lets it remain dormant for long periods while continuing to gather data or execute tasks at specified intervals.

Data Exfiltration Mode

Once CBROVER has gathered enough intelligence, it engages in data exfiltration. The malware uses exfiltration over command and control channels (T1041), typically sending data back to its C2 server using encrypted communications. This allows attackers to siphon sensitive information, such as login credentials, intellectual property, or personal data, without drawing attention to the operation. In some cases, CBROVER is also configured to destroy data (T1485) or inhibit system recovery (T1490), either to disrupt operations or to cover its tracks before system restoration is attempted.

In conclusion, CBROVER operates as a highly adaptable and resilient threat, capable of infiltrating networks, evading detection, and exfiltrating critical information. Its modular design allows it to adjust to various system environments, making it a formidable threat to both individuals and organizations. Understanding its technical operations is crucial for developing effective countermeasures and mitigating the risks posed by such advanced malware strains. Detecting early indicators of compromise and applying layered defenses are key to reducing the impact of CBROVER attacks.

MITRE Tactics and Techniques

1. Initial Access
  • Spearphishing Attachment (T1566.001): CBROVER is often delivered through spear-phishing emails with malicious attachments, such as documents or URL files. These attachments serve as the initial access vector for the malware.
  • Exploitation for Initial Access (T1203): CBROVER may exploit vulnerabilities in software or systems to gain initial access, such as through exploits in email clients or web applications.
2. Execution
  • User Execution (T1204): After the spear-phishing attachment is opened by the victim, CBROVER executes through user interaction, such as launching a malicious document or file.
  • Command and Scripting Interpreter (T1059): CBROVER may use scripts or command-line tools to execute commands on the infected system.
3. Persistence
  • Registry Run Keys / Startup Folder (T1547.001): CBROVER can establish persistence by modifying registry run keys or adding itself to startup folders so that it runs automatically at system boot.
  • Scheduled Task (T1053): CBROVER may use scheduled tasks or cron jobs to maintain persistence, allowing it to continue executing after a system reboot.
4. Privilege Escalation
  • Exploitation for Privilege Escalation (T1203): CBROVER can exploit vulnerabilities in the operating system or software to escalate its privileges, gaining higher-level access to the compromised system.
5. Defense Evasion
  • Obfuscated Files or Information (T1027): To avoid detection by antivirus software and other security tools, CBROVER may use obfuscation techniques, such as encoding or encrypting its payload to hide its presence.
  • Timestomp (T1070.006): CBROVER might alter file timestamps, making it harder for security teams to trace the malware's actions and identify when it was first introduced.
6. Credential Access
  • Credential Dumping (T1003): CBROVER may attempt to dump credentials stored on the system, such as password hashes or account information, to facilitate lateral movement within the network.
7. Discovery
  • System Information Discovery (T1082): Once installed, CBROVER gathers information about the infected system, including operating system details, hardware configuration, and installed software.
  • Network Share Discovery (T1135): CBROVER may scan the network to discover shared resources and identify potential targets for further exploitation or data exfiltration.
8. Lateral Movement
  • Remote Desktop Protocol (RDP) (T1076): CBROVER could leverage RDP to move laterally within the network, allowing the attacker to access other systems and expand the infection.
  • Remote File Copy (T1105): CBROVER may copy itself to other machines in the network, establishing persistence on additional systems.
9. Collection
  • Data from Information Repositories (T1213): CBROVER can gather sensitive data stored in documents, databases, or other information repositories.
  • Screen Capture (T1113): It can take screenshots of the infected system to capture valuable information or monitor user activity.
10. Exfiltration
  • Exfiltration Over Command and Control Channel (T1041): CBROVER exfiltrates data over the same communication channel it uses for command and control, often through FTP or other network protocols.
  • Exfiltration Over Other Network Medium (T1048): In some cases, CBROVER may exfiltrate data via other network methods, including cloud storage or alternative network protocols.
11. Impact
  • Data Destruction (T1485): In some campaigns, CBROVER could be used in conjunction with other tools to destroy or corrupt data on compromised systems, impacting operations or preventing recovery.
  • Inhibit System Recovery (T1490): CBROVER may disable or block recovery mechanisms to hinder the restoration of systems from backups, complicating the cleanup process.
References

  • Earth Preta Evolves its Attacks with New Malware and Strategies

Tags: APT, Backdoor, CBROVER, Earth Preta, Malware, PlugX