BackConfig has the ability to use HTTPS for C2 communiations.^[1]

BackConfig can download and run batch files to execute commands on a compromised host.^[1]

BackConfig has used VBS to install its downloader component and malicious documents with VBA macro code.^[1]

BackConfig has used a custom routine to decrypt strings.^[1]

BackConfig has the ability to identify folders and files related to previous infections.^[1]

BackConfig has the ability to set folders or files to be hidden from the Windows Explorer default view.^[1]

BackConfig has the ability to remove files and folders related to previous infections.^[1]

BackConfig can download and execute additional payloads on a compromised host.^[1]

BackConfig has hidden malicious payloads in%USERPROFILE%\Adobe\Driver\dwg\ and mimicked the legitimate DHCP service binary.^[1]

BackConfig can leverage API functions such asShellExecuteA andHttpOpenRequestA in the process of downloading and executing files.^[1]

BackConfig has used compressed and decimal encoded VBS scripts.^[1]

BackConfig has the ability to use hidden columns in Excel spreadsheets to store executable files or commands for VBA macros.^[1]

BackConfig has the ability to use scheduled tasks to repeatedly execute malicious payloads on a compromised host.^[1]

BackConfig has been signed with self signed digital certificates mimicking a legitimate software company.^[1]

BackConfig has the ability to gather the victim's computer name.^[1]

BackConfig has compromised victims via links to URLs hosting malicious content.^[1]

^[1]