The Unit 42 security team has observed the activities of the BackConfig malware used by Hangover (aka Neon, Viceroy Tiger, MONSOON) in the past 4 months. The organization uses spear-phishing attacks, and targets include government and military organizations in South Asian.
The BackConfig custom Trojan has a flexible plug-in architecture for providing components with various features, including the ability to collect system and keylogger information and upload and execute additional payloads.
Initially, the infection occurred through a weaponized Microsoft Excel (XLS) document, which was published through an infected legal website, and the URL was probably shared via email. These documents use Visual Basic for Applications (VBA) macro code. If the victim enables these macro codes, an installation process consisting of multiple components will be initiated, which will cause the plugin loader payload to be downloaded and executed. The modular nature, of course, allows for faster changes to individual components, and it may be more important for attackers to be able to prevent sandboxes and dynamic analysis systems from splitting malicious behavior, especially when analyzing components individually.