
S0070 HTTPBrowser

HTTPBrowser is malware that has been used by several threat groups. [1][2] It is believed to be of Chinese origin. [3]

ID: S0070
Associated Names: HttpDump
Type: MALWARE
Version: 1.1
Created: 31 May 2017
Last Modified: 20 March 2020

Associated Software Descriptions

Name | Description
HttpDump | [3]

Techniques Used

Domain | ID | Name | Use
enterprise | T1071 | Application Layer Protocol | -
enterprise | T1071.001 | Web Protocols | HTTPBrowser has used HTTP and HTTPS for command and control. [2][1]
enterprise | T1071.004 | DNS | HTTPBrowser has used DNS for command and control. [2][1]
enterprise | T1547 | Boot or Logon Autostart Execution | -
enterprise | T1547.001 | Registry Run Keys / Startup Folder | HTTPBrowser has established persistence by setting the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key value for wdm to the path of the executable. It has also used the Registry entry HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run vpdn "%ALLUSERPROFILE%\%APPDATA%\vpdn\VPDN_LU.exe" to establish persistence. [4][1]
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.003 | Windows Command Shell | HTTPBrowser is capable of spawning a reverse shell on a victim. [2]
enterprise | T1083 | File and Directory Discovery | HTTPBrowser is capable of listing files, folders, and drives on a victim. [2][4]
enterprise | T1574 | Hijack Execution Flow | -
enterprise | T1574.001 | DLL Search Order Hijacking | HTTPBrowser abuses the Windows DLL load order by using a legitimate Symantec anti-virus binary, VPDN_LU.exe, to load a malicious DLL that mimics a legitimate Symantec DLL, navlu.dll. [4]
enterprise | T1574.002 | DLL Side-Loading | HTTPBrowser has used DLL side-loading. [2]
enterprise | T1070 | Indicator Removal on Host | -
enterprise | T1070.004 | File Deletion | HTTPBrowser deletes its original installer file once installation is complete. [4]
enterprise | T1105 | Ingress Tool Transfer | HTTPBrowser is capable of writing a file to the compromised system from the C2 server. [2]
enterprise | T1056 | Input Capture | -
enterprise | T1056.001 | Keylogging | HTTPBrowser is capable of capturing keystrokes on victims. [2]
enterprise | T1036 | Masquerading | -
enterprise | T1036.005 | Match Legitimate Name or Location | HTTPBrowser's installer contains a malicious file named navlu.dll to decrypt and run the RAT. navlu.dll is also the name of a legitimate Symantec DLL. [4]
enterprise | T1027 | Obfuscated Files or Information | HTTPBrowser's code may be obfuscated through structured exception handling and return-oriented programming. [2]
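The persistence and DLL search-order indicators in the table above (the Run key values named wdm and vpdn, and a navlu.dll placed beside the legitimate VPDN_LU.exe host binary) translate directly into a host-hunting check. The following is an added example, not code from MITRE or from any of the cited reports; the registry values and file paths it runs against are constructed inline so it executes offline, and on a live host you would feed it exported Run-key entries and a file listing instead.

```python
"""Hunt for the HTTPBrowser indicators listed in the ATT&CK entry:
T1547.001 Run-key values named 'wdm' / 'vpdn' (or pointing at VPDN_LU.exe),
and T1574.001 a navlu.dll sitting in the same directory as VPDN_LU.exe.
Added example; all sample data below is constructed, not collected."""
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class RunValue:
    hive: str   # e.g. "HKCU" or "HKEY_USERS\\<SID>"
    name: str   # value name under ...\CurrentVersion\Run
    data: str   # command line or path stored in the value


RUN_VALUE_NAMES = {"wdm", "vpdn"}   # value names reported on the page
SIDELOAD_HOST = "vpdn_lu.exe"       # legitimate Symantec binary used as loader
SIDELOAD_DLL = "navlu.dll"          # name of the mimicked Symantec DLL


def _target_path(data: str) -> str:
    """Extract the executable path from a Run value (quoted or bare)."""
    data = data.replace("\u201c", '"').replace("\u201d", '"').strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split()[0] if data else ""


def suspicious_run_values(values):
    """Return Run-key values whose name or target matches the page's indicators."""
    hits = []
    for v in values:
        target = ntpath.basename(_target_path(v.data)).lower()
        if v.name.lower() in RUN_VALUE_NAMES or target == SIDELOAD_HOST:
            hits.append(v)
    return hits


def sideload_candidates(paths):
    """Return directories (lower-cased) holding both VPDN_LU.exe and navlu.dll.
    That pairing is the search-order hijack described under T1574.001; a
    defender then checks whether the DLL is the signed Symantec one."""
    by_dir = {}
    for p in paths:
        d, f = ntpath.split(p)
        by_dir.setdefault(d.lower(), set()).add(f.lower())
    return sorted(d for d, files in by_dir.items()
                  if SIDELOAD_HOST in files and SIDELOAD_DLL in files)


# Constructed sample data: one benign Run value, two matching the page.
SAMPLE_RUN_VALUES = [
    RunValue("HKCU", "OneDrive",
             r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    RunValue("HKCU", "wdm", r"C:\Users\alice\AppData\Roaming\wdm\update.exe"),
    RunValue(r"HKEY_USERS\S-1-5-21-EXAMPLE", "vpdn",
             r'"%ALLUSERPROFILE%\%APPDATA%\vpdn\VPDN_LU.exe"'),
]

# Constructed file listing: one directory has the host binary and the DLL together.
SAMPLE_FILES = [
    r"C:\ProgramData\vpdn\VPDN_LU.exe",
    r"C:\ProgramData\vpdn\navlu.dll",
    r"C:\Users\alice\Downloads\navlu.dll",
]


def hunt(run_values=SAMPLE_RUN_VALUES, files=SAMPLE_FILES):
    """Run both checks and return the findings as a dict."""
    return {
        "run_values": [(v.hive, v.name, v.data) for v in suspicious_run_values(run_values)],
        "sideload_dirs": sideload_candidates(files),
    }


if __name__ == "__main__":
    for kind, items in hunt().items():
        print(kind)
        for item in items:
            print("  ", item)
```

The Run-key check matches on the value name as well as on the target binary, because the page reports the name (wdm, vpdn) as the stable part of the indicator while the path portion varies by user profile. The side-load check is only a candidate list: VPDN_LU.exe legitimately ships with its own navlu.dll, so each hit still needs the DLL's signature and install location verified before it is treated as a detection.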

Groups That Use This Software

ID | Name | References
G0026 | APT18 | [5]
G0027 | Threat Group-3390 | [2][6][7][8]

References
