Dark River. You can’t see them, but they’re there

Dark River used spearphishing DOCX files exploiting CVE-2021-40444 to drop a modular DLL backdoor (MataDoor) that persists via a signed loader Windows service and is protected with Themida. The backdoor features AES-CFB encrypted configuration, reflective plugin loading, multiple custom network transports (including a reliable UDP variant, HTTP-like framing over TCP/SSL, and multi‑hop proxies) enabling ECDHE/EdDSA/RC4/WolfSSL-secured C2 and flexible file collection/exfiltration. #MataDoor #DarkRiver

Keypoints

  • Initial access likely via spearphishing DOCX exploiting CVE-2021-40444 that fetches and executes a payload when editing is enabled.
  • MataDoor is a modular DLL backdoor launched via Regsvr32 or a dedicated loader Windows service that ensures persistence and uses AES‑CFB for configuration encryption.
  • The backdoor uses reflective loading for plugins, a custom serialization format, asynchronous operation management, and Themida packing/virtualization for anti-analysis.
  • Network subsystem implements layered transports (tcp/udp/pipe → ssl/http → auth/agent/client/control), including a custom reliable protocol over UDP and an HTTP-like session that uses XOR-encoded headers.
  • Auth/session protocols use ECDHE for key agreement, EdDSA signatures for client auth, RC4 for session encryption, optional LZ4 compression, and WolfSSL for TLS support.
  • Extensive plugin command set supports remote shell, process and filesystem enumeration/transfer (commands for chunked upload/download, archive, wipe), netscan, SMB share enumeration, and proxy/bridge functionality for multi-hop C2.
  • IOCs include numerous SHA256 file hashes for loaders, MataDoor binaries, phishing docs, and a large set of C2 domains registered via Namecheap; some binaries were signed with Sectigo certificates.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Initial vector attributed to a phishing email with a DOCX containing an exploit for CVE-2021-40444 (‘The content of this document was relevant to the field of operations of the targeted enterprise. This document contained an exploit for the CVE-2021-40444 vulnerability.’).
  • [T1204.002] User Execution: Malicious File – The DOCX social‑engineered users to “enable editing” to trigger payload download and exploit execution (‘All the letters encouraged the user to enable editing in the document, which is a necessary condition for running the exploit.’).
  • [T1218.010/T1218.011] System Binary Proxy Execution: Regsvr32 / Rundll32 – The backdoor DLL carries its logic in DllMain (the entry point, not an export) and exports DllRegisterServer, so it runs when invoked through Regsvr32 and, via the entry point, through Rundll32 or any other DLL loader (‘exports the DllRegisterServer function … run when called through the standard Windows Regsvr32 program’).
  • [T1543.003] Create or Modify System Process: Windows Service – Persistence is achieved by installing a loader service (Windows service) that launches the backdoor on startup (‘the backdoor is run using an additional component called loader service, which is a Windows service that runs automatically when the system starts’).
  • [T1027.002] Obfuscated Files or Information: Software Packing – Samples were protected with Themida and contained virtualized handlers to impede analysis (‘the identified executable files and libraries were processed by the Themida protector to make them more difficult to detect and analyze’).
  • [T1620] Reflective Code Loading – Backdoor reflectively loads PE modules for plugins into its process memory (‘The specified PE module is reflectively loaded into the address space of the backdoor process’).
  • [T1552.001] Unsecured Credentials: Credentials In Files – Loose mapping: the EdDSA private key used for client authentication sits in the transport configuration and the verification public key is a hard-coded array. This is the implant's own key material rather than victim credentials harvested from files, but it becomes a useful artefact once the configuration is decrypted (‘The private key is defined in the transport configuration… public key for validation is a hard-coded array’).
  • [T1572] Protocol Tunneling – Builds hierarchical layered transports and tunnels application protocols over session and transport layers for C2 (‘MataDoor builds a hierarchical system of protocols, where a lower layer encapsulates a higher one, thus tunneling the traffic’).
  • [T1090.003] Proxy: Multi-hop Proxy – Bridge/Bridge plugin implements relay nodes and multi-hop proxying allowing chaining of connections (‘Bridge facilitates various types of proxy connections, serving as a relay node … can set up data exchange between the backdoor and an operator via relay nodes’).
  • [T1041] Exfiltration Over C2 Channel – File transfer commands support chunked upload/download and directory synchronization to exfiltrate data via the C2 channel (‘Command with ID = 301 … send to the C2 information about the file along with its contents starting from the offset’).
  • [T1573.001/T1573.002] Encrypted Channel: Symmetric / Asymmetric Cryptography – Session traffic is encrypted with RC4 (symmetric) under a key agreed via ECDHE (asymmetric), and the statically linked WolfSSL library provides TLS where the transport is configured for it (‘The data is encrypted with an RC4 session key… contains a statically linked WolfSSL library’). Note that T1572 is Protocol Tunneling and has no sub-techniques; the encrypted-channel sub-techniques belong to T1573.

Indicators of Compromise

  • [File hash] Loader service binaries – sha256: 2019322c33b648c9d3f7c8a17a990860044c03ed7bd2fc9e82139c22e9bc5635, 207f386ebeb29e64e6b7fd10929217e1a664f06e6cc503e8798f57e0af2e5267 (and other loader hashes listed).
  • [File hash] MataDoor samples – sha256: 0085a02b9ba24afd266116df43acbd4f57fc8822af4929e7d17b59f2ceae9418, 3c1cfc2b8b7e5c2d713ec5f329aa58a6b56a08240199761ba6da91e719d30705.
  • [File hash] Phishing DOCX samples – sha256: 0b06fb7f53bb7963ec2ff89d832b831763706e44d206a4d0a8c813ebee633e22, 2e068beb40f8901b698d4fc2f5766564c8324d5ba95fb0a0ffa841f5da5c7e72.
  • [Domain] C2/payload hosting domains – fetchbring.com, igloogawk.com (example C2/relay domains; and 70+ other domains such as cameoonion.com, kixthstage.com, etc.).
  • [File name patterns] Build/module names observed in the samples – loader: loader_service_raw_win_intel_64_le_RELEASE.dll; backdoor: MATA_DLL_DLL_PACK_YYYYMMDD_011_win_intel_64_le_RELEASE.dll (YYYYMMDD stands for the build date). The strings are distinctive enough to serve as detection content on disk and in memory.
  • [Vulnerability] Exploit reference – CVE-2021-40444 used in malicious DOCX to fetch/execute payloads.
  • [Certificate] Code signing issuer – Some samples signed with Sectigo certificates (used to evade trust checks).

The attackers delivered the initial exploit via tailored DOCX attachments exploiting CVE-2021-40444; when users enabled editing, the document loaded an external payload (the hosting servers were already inaccessible at capture time). The payload installed a signed loader service and a Themida-protected DLL backdoor (MataDoor) that runs via DllMain/DllRegisterServer or via the loader service, which provides persistence and launches the backdoor process. The backdoor configuration is stored encrypted with AES-CFB, but the key is derived from the deterministic Microsoft CRT rand() sequence, so the configuration is recoverable by anyone who knows the seed and the derivation rather than by anyone holding a secret key.
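Why a rand()-derived AES key gives no real secrecy, as an added example that is not code from the report or from MataDoor: the Microsoft CRT rand() generator is a fixed linear congruential generator, so anyone who knows (or can search for) the seed regenerates the key. The seed value, the key length and the "low byte of each rand() output" layout are assumptions for illustration; the page only states that the key comes from a Microsoft rand() sequence.

```python
# Added example (not code from the PT Security report or from MataDoor itself):
# re-implementation of the Microsoft CRT rand() generator and a toy key
# derivation of the kind the write-up describes. The seed, the key length and
# the "low byte of each rand() output" layout are assumptions for illustration.

MSVC_MULT = 214013
MSVC_INCR = 2531011
MASK32 = 0xFFFFFFFF


def msvc_rand_sequence(seed, count):
    """Reproduce the values srand(seed); rand() x count would give on MSVC.

    MSVCRT uses the LCG state = state*214013 + 2531011 (mod 2^32) and
    returns bits 16..30 of the new state, i.e. a value in 0..32767.
    """
    state = seed & MASK32
    out = []
    for _ in range(count):
        state = (state * MSVC_MULT + MSVC_INCR) & MASK32
        out.append((state >> 16) & 0x7FFF)
    return out


def derive_key(seed, length=16):
    """Assumed derivation: one rand() call per key byte, keeping the low byte."""
    return bytes(v & 0xFF for v in msvc_rand_sequence(seed, length))


def recover_seed(key, max_seed):
    """Brute-force the seed that produced `key` under derive_key().

    The full 32-bit seed space is 2^32 candidates, cheap in C and still
    feasible in Python given time; the bound is a parameter so this stays
    fast. Returns -1 if no seed in range reproduces the key.
    """
    n = len(key)
    for seed in range(max_seed + 1):
        if derive_key(seed, n) == key:
            return seed
    return -1


if __name__ == "__main__":
    # Sanity check against the well-known MSVC output for srand(1).
    print(msvc_rand_sequence(1, 5))          # [41, 18467, 6334, 26500, 19169]
    assumed_seed = 0x1337                    # hypothetical seed
    key = derive_key(assumed_seed)
    print(key.hex())
    print(hex(recover_seed(key, 0x2000)))    # 0x1337
```

For an analyst this means the AES-CFB layer is a decoding step, not a cryptographic barrier: once the seed and the derivation are recovered from the binary (or the seed is searched against a known plaintext such as a configuration magic value), every sample using the same scheme can be decrypted statically.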

MataDoor is modular: an orchestrator (kernel) manages custom serialized configuration structures and asynchronous operations, while functional and transport plugins (embedded or reflectively loaded PE modules) implement commands. Built-in plugins support remote shell, process enumeration/control, extensive filesystem operations (chunked upload/download, archive, zero-fill, copy/move/delete), netscan, SMB share enumeration, and bridge/proxy services for multi‑hop relay; scheduled/deferred commands and results are stored and transmitted in serialized containers, with LZ4 used for compression where configured.

The network subsystem implements layered, extensible transports: transport-layer tcp/udp/pipe, session-layer ssl/http (custom HTTP-like framing with XOR/encodeKey and Content-Length covering headers+body), and application-layer auth/client/agent/control. UDP supports both raw datagrams and a custom reliable, connection‑oriented protocol (headers: [len][stream id][seq][flags] with UDP_SYN/ACK/FIN/DEMAND_CHUNK and retransmit logic). Auth/session use ECDHE for key agreement, EdDSA signatures for client authentication, RC4 for session traffic encryption (with optional LZ4 compression), and WolfSSL for TLS; bridge and raw proxy commands let operators create relay chains and raw tcp/udp gateways. Read more: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/dark-river-you-can-t-see-them-but-they-re-there
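The custom reliable UDP protocol described above, modelled as an added example that is not MataDoor's code: both sides of the exchange are shown, with a SYN/ACK setup, sequenced data chunks, a DEMAND_CHUNK request for a lost frame, the sender's retransmission and a FIN. The header field widths (u16 len, u32 stream id, u32 seq, u8 flags, little-endian), the flag bit values, the chunk size and the simulated lossy link are assumptions; the page gives only the field order and flag names.

```python
import struct

# Added example, not MataDoor's code: a minimal model of the reliable UDP
# protocol the write-up describes ([len][stream id][seq][flags] header,
# SYN/ACK/FIN/DEMAND_CHUNK flags, retransmission on demand). Field widths
# (u16/u32/u32/u8, little-endian), flag bit values, chunk size and the
# simulated link are assumptions for illustration.

HDR = struct.Struct("<HIIB")                  # len, stream id, seq, flags
UDP_SYN, UDP_ACK, UDP_FIN, UDP_DEMAND_CHUNK = 0x01, 0x02, 0x04, 0x08


def pack_frame(stream_id, seq, flags, payload=b""):
    # len counts the payload only, so a receiver can spot truncated datagrams.
    return HDR.pack(len(payload), stream_id, seq, flags) + payload


def parse_frame(datagram):
    """Return (stream_id, seq, flags, payload); reject inconsistent lengths."""
    if len(datagram) < HDR.size:
        raise ValueError("short header")
    length, stream_id, seq, flags = HDR.unpack_from(datagram)
    payload = datagram[HDR.size:]
    if len(payload) != length:
        raise ValueError("len field %d != payload %d" % (length, len(payload)))
    return stream_id, seq, flags, payload


class Sender:
    """Chunks one message; keeps every frame until the peer ACKs its seq."""

    def __init__(self, stream_id, data, chunk=4):
        self.stream_id = stream_id
        self.chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)]
        self.unacked = {}                      # seq -> frame bytes

    def frames(self):
        seqs = [(0, UDP_SYN, b"")]
        seqs += [(i, 0, c) for i, c in enumerate(self.chunks, start=1)]
        seqs.append((len(self.chunks) + 1, UDP_FIN, b""))
        out = [pack_frame(self.stream_id, s, f, p) for s, f, p in seqs]
        self.unacked = dict(zip((s for s, _, _ in seqs), out))
        return out

    def on_control(self, frame):
        """ACK frees the stored frame; DEMAND_CHUNK returns it for retransmit."""
        _, seq, flags, _ = parse_frame(frame)
        if flags & UDP_ACK:
            self.unacked.pop(seq, None)
        elif flags & UDP_DEMAND_CHUNK:
            return self.unacked.get(seq)
        return None


class Receiver:
    """Buffers out-of-order frames, delivers in order, demands missing seqs."""

    def __init__(self):
        self.streams = {}                      # stream id -> state dict

    def on_frame(self, frame):
        stream_id, seq, flags, payload = parse_frame(frame)
        if flags & UDP_SYN:
            self.streams[stream_id] = {"want": 1, "buf": bytearray(),
                                       "pending": {}, "done": False}
            return [pack_frame(stream_id, 0, UDP_ACK)]
        st = self.streams[stream_id]
        if seq < st["want"]:                   # duplicate: re-ACK, no delivery
            return [pack_frame(stream_id, seq, UDP_ACK)]
        st["pending"][seq] = (flags, payload)
        replies = [pack_frame(stream_id, seq, UDP_ACK)]
        while st["want"] in st["pending"]:     # drain everything now in order
            f, p = st["pending"].pop(st["want"])
            if f & UDP_FIN:
                st["done"] = True
            else:
                st["buf"] += p
            st["want"] += 1
        if st["pending"]:                      # a hole remains below buffered frames
            replies.append(pack_frame(stream_id, st["want"], UDP_DEMAND_CHUNK))
        return replies


def simulate(data, drop_seq=2, stream_id=7):
    """One transfer over a link that loses the data frame `drop_seq` once.

    A lost trailing FIN would need a timer-driven retransmit, which this
    model leaves out: recovery here is only triggered by a later frame.
    """
    s, r = Sender(stream_id, data), Receiver()
    queue, dropped = s.frames(), False
    while queue:
        frame = queue.pop(0)
        if parse_frame(frame)[1] == drop_seq and not dropped:
            dropped = True                     # the link eats this frame once
            continue
        for reply in r.on_frame(frame):
            resend = s.on_control(reply)
            if resend is not None:
                queue.insert(0, resend)        # retransmit before the rest
    st = r.streams.get(stream_id)
    return bytes(st["buf"]) if st and st["done"] else b""


if __name__ == "__main__":
    msg = b"the quick brown fox jumps"
    print(simulate(msg, drop_seq=2) == msg)    # True
```

The detection angle is the inverse of the model: a UDP flow whose every datagram starts with a small length field that equals the remaining datagram size, followed by a constant stream identifier and a monotonically increasing counter, is a strong indicator of a hand-rolled reliable transport and worth a closer look regardless of the port.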