Threat Research

Curious Serpens’ FalseFont Backdoor: Technical Analysis, Detection and Prevention

Unit42

FalseFont is an ASP.NET Core backdoor deployed by the suspected Iranian-affiliated group tracked as Curious Serpens that impersonates aerospace HR software to trick job applicants into executing it. The backdoor establishes persistence via multiple AppData copies and Run registry entries, communicates with C2 using AES-encrypted Base64 payloads over HTTP and SignalR, and supports command execution, file transfer, screen capture, and browser credential theft. #FalseFont #CuriousSerpens

Keypoints

  • FalseFont is a targeted backdoor written in ASP.NET Core that impersonates an aerospace company’s HR GUI to socially engineer victims into running it.
  • The malware runs a GUI for credential/resume collection while a hidden backdoor component establishes persistence and registers with a C2 server (Digitalcodecrafters[.]com / 64.52.80[.]30).
  • Communication to C2 uses two channels: periodic GET requests to /api/Core/Command/Init (0–5 minute polling) and a SignalR client for real-time commands; traffic is AES encrypted and Base64 encoded with a hard-coded key/IV.
  • FalseFont drops three persistent copies in AppData, creates Run registry entries, and uses a mutex (864H!NKLNB*x_H?5) to control instances.
  • The backdoor supports remote command execution (cmd/powershell), file download/upload (Base64+AES chunks), directory enumeration, process listing/termination, updating/restarting, screen capture, and browser credential theft.
  • Strings and configuration are obfuscated (Base64 + hard-coded AES key) and several hard-coded artifacts (C2 username, AES key/IV, C2 URIs) are present in the binary.
  • Cortex XDR detections were observed preventing FalseFont execution, and Palo Alto Networks published IOCs including SHA256 hashes, mutex, persistence paths, C2 domain/IP, and C2 endpoints.

MITRE Techniques

  • [T1204] User Execution – The actor lures targets with a fake job application GUI that impersonates an aerospace HR interface (‘mimic legitimate human resources software, using a fake job recruitment process to trick victims into installing the backdoor.’)
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – FalseFont establishes persistence by adding Run key values for three dropped copies (‘establish persistence via the registry CurrentVersionRun key for all three copies by creating a new value’).
  • [T1555.003] Credentials from Web Browsers – The malware steals stored browser passwords from Chrome/Brave/Edge when commanded (‘steals passwords from the Chrome, Brave and Edge User Data folders using code borrowed from a GitHub project’).
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 communications use HTTP(S)/SignalR (web protocols) for polling and real-time commands (‘FalseFont also uses ASP.NET Core SignalR … for communication with its command and control server’).
  • [T1041] Exfiltration Over C2 Channel – Files and directory listings are exfiltrated in Base64-encoded, AES-encrypted chunks to the C2 (‘Data is exfiltrated in Base64 encoded and encrypted chunks of a size specified by the C2’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – FalseFont can execute powershell.exe with provided arguments when instructed (‘Executes powershell.exe using the provided arguments’).
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The backdoor executes cmd.exe for shell commands and returns output (‘Otherwise, it executes cmd.exe with provided command-line arguments and returns console output’).
  • [T1113] Screen Capture – The SignalR handlers support creating threaded screen captures saved as JPEGs and sent to the C2 (‘Creates a new thread that captures screenshots … converted to Base64 and sent to the /api/LiveDirectory/Send/Screen endpoint’).
  • [T1083] File and Directory Discovery – The backdoor recursively enumerates files and directories and can return listings to the C2 (‘Generates a recursive list of files and directories in a specified path’).
  • [T1027] Obfuscated Files or Information – Strings and configuration are Base64 encoded and AES encrypted inside the binary to hinder analysis (‘The malware’s strings are encoded in Base64, and encrypted using a hard-coded AES key’).

Indicators of Compromise

  • [File Hash] packed/unpacked executable – 364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614, 4145e792c9e9f3c4e80ca0e290bd7568ebcef678affd68d9b505f02c6acaab12
  • [Mutex] persistence control – 864H!NKLNB*x_H?5
  • [Persistence paths] dropped binaries – %username%AppDataRoaminghost.exe, %username%AppDataLocalbroker.exe (and %username%AppDataLocalMicrosoftSystem.exe)
  • [Domain] C2 hosting – Digitalcodecrafters[.]com
  • [IP] C2 server – 64.52.80[.]30
  • [Credentials/Keys] hard-coded config artifacts – C2 password NooVtlXgx2T3IyN4I0Xf; Base64 AES key 3EzuNZ0RN3h3oV7rzILktSHSaHk+5rtcWOr0mlA1CUA= (and IV viOIZ9cX59qDDjMHYsz1Yw==)
  • [Files] local data files used by GUI – data.txt (saved credentials), data2.txt (saved resume information)

FalseFont is deployed as a large native-wrapped ASP.NET Core executable that presents a faux HR GUI while launching a headless .NET backdoor component. On first run or when users submit credentials, the GUI posts JSON login/resume data to the actor’s C2 (examples observed to 64.52.80[.]30 on TCP/8080) and can persist saved credentials in %localappdata%data.txt for automatic reuse. The backdoor immediately performs an initialization handshake (sending hostname, login user, OS) and contains hard-coded artifacts including C2 username/password, a Base64-encoded AES key/IV, and C2 URIs.

The backdoor establishes persistence by dropping three executable copies to AppData (%username%AppDataRoaminghost.exe, %username%AppDataLocalbroker.exe, %username%AppDataLocalMicrosoftSystem.exe), adding Run registry entries, and using a mutex (864H!NKLNB*x_H?5) so only one instance runs. Communication occurs in two modes: periodic GET polling to /api/Core/Command/Init (every 0–5 minutes) and a SignalR client for real-time commands; all payloads are AES encrypted then Base64 encoded. Supported capabilities include remote execution (Exec/ExecUseShell, cmd.exe, powershell.exe), file download/upload (chunked, Base64+AES), directory enumeration and full-drive listing, process listing/termination, screen capture (JPEGs converted to Base64), self-update/restart, and credential theft from browser user data and Loginvault.db when the C2 issues a CMD with parameter ‘pass’.

String obfuscation and embedded encrypted configuration are present (strings Base64 + AES), and the binary exposes numerous API endpoints and SignalR handlers used for live directory, disk, and screen data exfiltration. Defenders should hunt for the supplied SHA256 hashes, mutex, the three AppData persistence paths and Run key modifications, C2 domain/IP, and the hard-coded AES key/IV or C2 credentials as high-confidence indicators of FalseFont activity.

Read more: https://unit42.paloaltonetworks.com/curious-serpens-falsefont-backdoor/

SHARE THIS STORY

WhatsAppX (Twitter)TelegramBlueskyFacebookLinkedInThreadsEmailPrint