Malware
ReedBed
ReedBed, identified as a malware proxy backdoor, is suspected to be developed by QAKBOT devs, and was deployed by the threat actor Storm-1811 in campaigns observed during late October and early November 2024. These campaigns are typically initiated with email bombing, a tactic involving mass email distribution, followed by social engineering strategies where the actor impersonates help desk personnel to gain access to victim systems.
Upon execution, ReedBed ensures single-instance operation via the mutex "JhishdiI2Uhsvoc94keiojn7ns19m0do" and hooks critical system APIs (NtCreateUserProcess, RtlExitUserProcess) for defense evasion, process interference, and anti-termination. It reads its Command and Control (C2) configuration, typically from the "Software\TitanPlus" registry key, establishes a persistent SSL/TLS encrypted connection, and transmits an initial system information beacon. Subsequently, ReedBed enters its main operational loop, acting as a versatile network proxy based on C2 commands; this includes initiating outgoing TCP connections, relaying data bi-directionally, and establishing reverse SOCKS5 (with authentication) or direct TCP port mapping services via locally opened listening ports. If commanded or upon connection failure, it transitions into a restart/wait cycle guided by registry values, leveraging its hooked exit function to hinder termination before attempting to reconnect to the C2.
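The host artifacts named above (the mutex, the `Software\TitanPlus` configuration key, and the two hooked APIs) are the pieces a defender can turn into a triage check. The script below is an added example, not Malpedia's code or anything recovered from the malware: it matches those indicators against a constructed, simplified Sysmon-like event feed (field names such as `mutex_create`, `registry_read` and `listen` are assumptions; real telemetry schemas differ) and against a raw memory or file blob. Listening ports are reported only for processes that already matched another indicator, since a proxy listener on its own is not distinctive.

```python
"""Triage helpers for the ReedBed behaviours described on this page.

Added example; not code from Malpedia or from the malware. Indicator
values are taken from the page text. The event schema is a constructed
simplification of endpoint telemetry, not a real product's format.
"""
import json
import re
from typing import Dict, List, Optional

# Indicators stated in the page text.
REEDBED_MUTEX = "JhishdiI2Uhsvoc94keiojn7ns19m0do"
REEDBED_REG_KEY = r"Software\TitanPlus"
HOOKED_APIS = ("NtCreateUserProcess", "RtlExitUserProcess")

# Case-insensitive search for the config key anywhere in a registry path.
_REG_KEY_RE = re.compile(re.escape(REEDBED_REG_KEY), re.IGNORECASE)

# Constructed sample telemetry (newline-delimited JSON), not real captures.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"type": "mutex_create", "pid": 4312,
                "image": r"C:\Users\u\AppData\Local\Temp\svc.exe",
                "name": r"\Sessions\1\BaseNamedObjects\JhishdiI2Uhsvoc94keiojn7ns19m0do"}),
    json.dumps({"type": "registry_read", "pid": 4312,
                "image": r"C:\Users\u\AppData\Local\Temp\svc.exe",
                "path": r"HKCU\Software\TitanPlus\C2"}),
    json.dumps({"type": "registry_read", "pid": 880,
                "image": r"C:\Windows\explorer.exe",
                "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"}),
    json.dumps({"type": "mutex_create", "pid": 880,
                "image": r"C:\Windows\explorer.exe",
                "name": r"\Sessions\1\BaseNamedObjects\ExplorerIsShellMutex"}),
    json.dumps({"type": "listen", "pid": 4312,
                "image": r"C:\Users\u\AppData\Local\Temp\svc.exe", "port": 1080}),
    json.dumps({"type": "listen", "pid": 1200,
                "image": r"C:\Program Files\App\app.exe", "port": 8080}),
])


def classify_event(ev: dict) -> Optional[str]:
    """Return an indicator label if the event matches a ReedBed artifact, else None."""
    kind = ev.get("type")
    if kind == "mutex_create":
        # Telemetry often prefixes the object namespace; compare the final component.
        leaf = ev.get("name", "").rsplit("\\", 1)[-1]
        if leaf == REEDBED_MUTEX:
            return "reedbed_mutex"
    if kind == "registry_read" and _REG_KEY_RE.search(ev.get("path", "")):
        return "reedbed_config_key"
    return None


def scan_events(ndjson: str) -> Dict[int, List[str]]:
    """Group indicator hits by pid so a process matching several stands out."""
    hits: Dict[int, List[str]] = {}
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        label = classify_event(ev)
        if label:
            hits.setdefault(ev["pid"], []).append(label)
    return hits


def listeners_from_flagged(ndjson: str) -> List[dict]:
    """Listening ports opened by processes that already hit another indicator.

    This is where the reverse SOCKS5 / port-mapping behaviour shows up, but a
    listener alone is too common to alert on, so it is only reported in context.
    """
    flagged = scan_events(ndjson)
    out = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("type") == "listen" and ev["pid"] in flagged:
            out.append({"pid": ev["pid"], "port": ev["port"]})
    return out


def scan_blob(data: bytes) -> List[str]:
    """Report which page-listed strings occur in a file or memory dump.

    Checks both ASCII and UTF-16LE, since Windows API names and registry
    paths may be stored in either encoding.
    """
    found = []
    for s in (REEDBED_MUTEX, REEDBED_REG_KEY, *HOOKED_APIS):
        if s.encode("ascii") in data or s.encode("utf-16-le") in data:
            found.append(s)
    return found


if __name__ == "__main__":
    print("hits by pid:", scan_events(SAMPLE_EVENTS))
    print("listeners from flagged pids:", listeners_from_flagged(SAMPLE_EVENTS))
    print("strings in blob:", scan_blob(b"junk" + REEDBED_REG_KEY.encode() + b"junk"))
```

The hooked-API names are only useful against a blob, not the event feed: import or string presence of `NtCreateUserProcess` is normal for many legitimate binaries, so treat a `scan_blob` hit on those two names as a pivot for manual inspection of the export/import-hooking logic rather than an alert by itself.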
Family metadata imported from Malpedia (Fraunhofer FKIE).