BadFlick is a backdoor that is usually seen being distributed using exploited word documents. It does not have any persistence to survive reboot, but it is capable of opening a reverse shell connection to its C2 server where it can download and execute possibly other malware.
BadFlick makes use of c0b8d15cd0f3f3c5a40ba2e9780f0dd1db526233b40a449826b6a7c92d31f8d9
— a word document — to exploit a known vulnerability in Microsoft
Office’s component tool known as Microsoft Equation Editor or
CVE-2017-11882. This will trigger a remote code execution in
EQNEDT32.EXE where it will be replaced by its BadFlick backdoor 7ba05abdf8f0323aa30c3d52e22df951eb5b67a2620014336eab7907b0a5cedf using
process hollowing injection technique.
BadFlick’s backdoor configuration can be seen hardcoded in its body with the following format
<configState>|<C2 ip address>|<port>|<sleep>|. E.g.
- 1 = default configuration state of backdoor
- 103[.]243[.]175[.]181 = C2 server ip address
- 80 = port used
- 5 = time to wait (in minutes) between connections
On a successful connection to its C2 server, this backdoor will proceed to extract and send the following information about the infected machine:
- Computer Name
- IP Address
- Windows Version Number and Service Pack
- Number of CPU core and speed
- Size of RAM
It will also add the string
winMain static green at the end then uses CRC32 to compress the data before sending.