FalseFont is a .NET-based backdoor used by the Peach Sandstorm actor that masquerades as a Maxar Technologies application and implements persistence via AppData copies and Windows Run registry entries. It communicates with C2 using SignalR over web protocols with AES-CBC encryption, supports browser credential theft, screen capture, remote shells and file exfiltration. #FalseFont #PeachSandstorm #MaxarTechnologies
Keypoints
- FalseFont is a .NET single-file self-contained application that embeds a managed payload (Maxar.dll) and a WPF UI to impersonate Maxar Technologies.
- The fake UI sends entered credentials to a hardcoded credential server (hxxp://64[.]52[.]80[.]30:8080) while the backdoor initializes persistence and connects to a separate C2 for remote access.
- C2 uses Microsoft SignalR for command-and-control, with all traffic encrypted using AES-CBC and hardcoded key and IV present in the binary.
- The command handler supports reverse shells, cmd/PowerShell execution, file download/upload (exfiltration), directory enumeration, process management, screen capture, and a browser credential stealer targeting Chromium-based browsers.
- Persistence is implemented by replicating files to %appdata%/%localappdata% locations (host.exe, broker.exe, MicrosoftSystem.exe/Maxar.exe) and adding Run registry entries under SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
- Strings and configuration values are AES-CBC encrypted in the binary; researchers decrypted them statically using a dnlib-based Python script to reveal C2 domain, mutex, filenames, and arguments.
- Public IOCs include multiple hashes, a mutex, filenames/paths, command-line argument for update/restart, an IP-based credential server and a C2 domain (digitalcodecrafters[.]com).
MITRE Techniques
- [T1036] Masquerading - The malware presents a realistic Maxar Technologies UI to appear legitimate. ["poses as a legitimate application from US Defense and Intelligence Contractor Maxar Technologies"]
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder - The agent creates Run key entries to achieve persistence. ["it replicates itself in all the designated locations and creates new entries in the registry"]
- [T1105] Ingress Tool Transfer - The command handler can download files onto the victim (the file download/unpack command). The self-copies to %appdata%\host.exe, %localappdata%\broker.exe and %localappdata%\MicrosoftSystem.exe cited for this technique are persistence staging rather than ingress transfer; they belong with T1547.001. ["%appdata%\host.exe %localappdata%\broker.exe %localappdata%\MicrosoftSystem.exe"]
- [T1071.001] Application Layer Protocol: Web Protocols - Uses SignalR (Microsoft's real-time web API) over web transports for C2 communication. ["SignalR is Microsoft's real-time web API protocol... the malware uses the SignalR protocol for its Command and Control (C2) communication"]
- [T1573] Encrypted Channel - All C2 communication is encrypted with AES-CBC using a key and IV hardcoded in the binary, so the same constants that decrypt the embedded strings also decrypt captured traffic. ["All C2 communication is encrypted using AES CBC with a hardcoded key and IV"]
- [T1059.001] Command and Scripting Interpreter: PowerShell - Supports executing attacker-supplied PowerShell commands. ["Run attacker supplied Powershell query."]
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell - Executes commands via cmd.exe and has command variants that launch shell commands. ["Run attacker supplied command through cmd.exe"]
- [T1057] Process Discovery - The agent can return a list of running processes (name and PID). ["Send list of all running processes including process name and ID"]
- [T1083] File and Directory Discovery - Supports directory listing and sending directory structures to C2. ["Send all Disks and their directory structure"]
- [T1113] Screen Capture - Implements a remote screen viewer that captures, JPEG-encodes and uploads screenshots on a configured interval. ["uploads screenshots of the victim's screen using attacker specified interval, duration, resolution and quality"]
- [T1555.003] Credentials from Web Browsers - Implements a browser credential stealer targeting Chromium-based browsers (Chrome, Edge, Brave). ["browser credential stealing" and target paths like "Google\Chrome\User Data", "BraveSoftware\Brave Browser\User Data", "Microsoft\Edge\User Data"]
- [T1041] Exfiltration Over C2 Channel - File upload functionality allows exfiltrating single files, multiple files or entire directories to C2. ["Exfiltrate data from victim system, can upload one or multiple files or entire directories"]
Indicators of Compromise
- [SHA-256] sample binary â 364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614 (primary FalseFont sample)
- [Other hashes] additional file hashes â SHA-1: ddd18e208aff7b00a46e06f8d9485f81ff4221ea, MD5: 6fd5d31d607a212c6f7651c79e7655a3
- [Mutex] runtime synchronization indicator â 864H!NKLNB*x_H?5
- [Filenames/Paths] persistence and execution locations - Maxar.exe; %localappdata%\MicrosoftSystem.exe, %localappdata%\broker.exe, %appdata%\host.exe
- [URL / IP] credential harvesting endpoint â hxxp://64[.]52[.]80[.]30:8080
- [Domain] C2 domain â hxxp://digitalcodecrafters[.]com
- [Commandline] update/restart argument â SQPâs*(58vaP!tF4 (used for Update and Restart)
The technical procedure begins with a single-file .NET host bundling a managed payload (identified as Maxar.dll). Analysts extract the managed assembly from the native bootstrap using ILSpy/dnSpy to inspect WPF UI code and the SignalR-based C2 client. The fake Maxar UI validates and posts credentials to a hardcoded credential endpoint (hxxp://64[.]52[.]80[.]30:8080) while the embedded backdoor initializes persistence and connects to the separate SignalR C2 channel.
Command-and-control is implemented with Microsoft SignalR and all messages are encrypted with AES-CBC using a hardcoded key and IV; encryption and decryption routines are implemented in Core.Agent.Services.Implementationes. The SignalR client registers handlers that implement a modular command framework: command execution (Process.Start, cmd.exe, PowerShell), reverse shell functionality, file download/unpack, file upload (exfiltration), directory and drive enumeration, process listing/termination, screen capture (threaded JPEG -> Base64 uploads), and a browser credential stealer targeting Chromium user data paths.
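The SignalR JSON hub protocol that FalseFont's C2 rides on frames every message as a JSON object terminated by ASCII 0x1E: a handshake request ({"protocol":"json","version":1}), an empty-object handshake reply, then typed hub messages (type 1 invocation, 3 completion, 6 ping, and so on). The Go program below is an added example, not code from the page or from the malware: it parses a constructed capture and flags invocations whose arguments are all Base64 blobs of block-cipher length, which is how an AES-CBC encrypted channel looks on the wire. The hub method names ("Checkin", "Echo") and the capture are constructed for the example; the page does not publish the real hub targets.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// recordSep terminates every frame of the SignalR JSON hub protocol.
const recordSep = "\x1e"

// Frame holds the fields shared by handshake and hub-protocol messages. Type
// values follow the SignalR hub protocol spec: 1 invocation, 2 stream item,
// 3 completion, 4 stream invocation, 5 cancel invocation, 6 ping, 7 close.
// A frame with Type 0 belongs to the handshake phase.
type Frame struct {
	Type         int    `json:"type"`
	InvocationID string `json:"invocationId"`
	Target       string `json:"target"`
	Arguments    []any  `json:"arguments"`
	Protocol     string `json:"protocol"` // handshake request only
	Version      int    `json:"version"`  // handshake request only
	Error        string `json:"error"`    // handshake failure or close
}

// ParseFrames splits a captured SignalR text stream on the record separator
// and decodes each frame. A trailing separator leaves an empty chunk, skipped.
func ParseFrames(stream string) ([]Frame, error) {
	var frames []Frame
	for i, chunk := range strings.Split(stream, recordSep) {
		if chunk == "" {
			continue
		}
		var f Frame
		if err := json.Unmarshal([]byte(chunk), &f); err != nil {
			return nil, fmt.Errorf("frame %d: %w", i, err)
		}
		frames = append(frames, f)
	}
	return frames, nil
}

// looksLikeBlockCipherText reports whether s is Base64 whose decoded length is
// a positive multiple of 16 bytes, the shape of AES-CBC output.
func looksLikeBlockCipherText(s string) bool {
	raw, err := base64.StdEncoding.DecodeString(s)
	return err == nil && len(raw) > 0 && len(raw)%16 == 0
}

// SuspiciousInvocations returns the targets of invocations whose every
// argument is block-cipher-shaped Base64. Legitimate hubs mostly pass
// structured JSON, so an all-opaque argument list is worth a look.
func SuspiciousInvocations(frames []Frame) []string {
	var hits []string
	for _, f := range frames {
		if f.Type != 1 || len(f.Arguments) == 0 {
			continue
		}
		allOpaque := true
		for _, a := range f.Arguments {
			s, ok := a.(string)
			if !ok || !looksLikeBlockCipherText(s) {
				allOpaque = false
				break
			}
		}
		if allOpaque {
			hits = append(hits, f.Target)
		}
	}
	return hits
}

// SampleStream builds a constructed capture: handshake, ping, one invocation
// carrying a 32-byte opaque blob (stand-in for an AES-CBC payload), and one
// plain invocation with its completion. Hub names are hypothetical.
func SampleStream() string {
	blob := base64.StdEncoding.EncodeToString(bytes.Repeat([]byte{0x41}, 32))
	return strings.Join([]string{
		`{"protocol":"json","version":1}`,
		`{}`,
		`{"type":6}`,
		fmt.Sprintf(`{"type":1,"target":"Checkin","arguments":[%q]}`, blob),
		`{"type":1,"invocationId":"1","target":"Echo","arguments":["hello"]}`,
		`{"type":3,"invocationId":"1","result":"hello"}`,
	}, recordSep) + recordSep
}

func main() {
	frames, err := ParseFrames(SampleStream())
	if err != nil {
		panic(err)
	}
	for _, f := range frames {
		fmt.Printf("type=%d target=%q args=%d\n", f.Type, f.Target, len(f.Arguments))
	}
	fmt.Println("suspicious invocations:", SuspiciousInvocations(frames))
}
```

The heuristic is deliberately narrow: it only fires when every argument of an invocation is an opaque block-sized blob, so a hub that wraps one encrypted field inside a normal JSON object will not match. Pair it with the network-level signals the page gives (the C2 domain and the SignalR handshake itself) rather than relying on it alone.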
Persistence is created during GUI initialization via Core.Agent.Utilities.Prerequisite.CopyMyApp: the agent replicates itself to %appdata%/%localappdata% filenames (host.exe, broker.exe, MicrosoftSystem.exe / Maxar.exe) and writes values under SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Configuration strings and parameters are AES-CBC encrypted; researchers statically extracted and decrypted those strings using a dnlib-based Python script, revealing C2 domains, mutex, filenames and update/restart command-line arguments. Because the key and IV are static constants in the binary, the same values decrypt captured C2 traffic, not just the embedded strings. Detection and mitigation can leverage the embedded AES constants, known paths/filenames, the provided hashes, and behavior such as SignalR-based C2 over web protocols and registry Run-key persistence.