S0070 HTTPBrowser
HTTPBrowser is malware that has been used by several threat groups.[1][2] It is believed to be of Chinese origin.[3]
| Item | Value |
|---|---|
| ID | S0070 |
| Associated Names | HttpDump |
| Type | MALWARE |
| Version | 1.1 |
| Created | 31 May 2017 |
| Last Modified | 20 March 2020 |
Associated Software Descriptions
| Name | Description |
|---|---|
| HttpDump | [3] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | HTTPBrowser has used HTTP and HTTPS for command and control.[2][1] |
| enterprise | T1071.004 | DNS | HTTPBrowser has used DNS for command and control.[2][1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | HTTPBrowser has established persistence by setting the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key value for wdm to the path of the executable. It has also used the Registry entry HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run vpdn "%ALLUSERPROFILE%\%APPDATA%\vpdn\VPDN_LU.exe" to establish persistence.[4][1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | HTTPBrowser is capable of spawning a reverse shell on a victim.[2] |
| enterprise | T1083 | File and Directory Discovery | HTTPBrowser is capable of listing files, folders, and drives on a victim.[2][4] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.001 | DLL Search Order Hijacking | HTTPBrowser abuses the Windows DLL load order by using a legitimate Symantec anti-virus binary, VPDN_LU.exe, to load a malicious DLL that mimics a legitimate Symantec DLL, navlu.dll.[4] |
| enterprise | T1574.002 | DLL Side-Loading | HTTPBrowser has used DLL side-loading.[2] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | HTTPBrowser deletes its original installer file once installation is complete.[4] |
| enterprise | T1105 | Ingress Tool Transfer | HTTPBrowser is capable of writing a file to the compromised system from the C2 server.[2] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | HTTPBrowser is capable of capturing keystrokes on victims.[2] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | HTTPBrowser's installer contains a malicious file named navlu.dll to decrypt and run the RAT. navlu.dll is also the name of a legitimate Symantec DLL.[4] |
| enterprise | T1027 | Obfuscated Files or Information | HTTPBrowser's code may be obfuscated through structured exception handling and return-oriented programming.[2] |
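A defender's check for the Run-key persistence described in the T1547.001 and T1574.001 rows above, added here as an example and not part of the ATT&CK entry: it parses constructed `reg query`-style output (sample data, not from a real host) and flags the value names wdm and vpdn and the VPDN_LU.exe image name that the page attributes to HTTPBrowser.

```python
import re

# Constructed sample of `reg query <key> /s`-style output (not real data): two benign
# autostart entries plus the two Run-key value names described on this page.
SAMPLE_RUN_KEYS = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    wdm         REG_SZ    C:\Users\alice\AppData\Roaming\wdm\wdm.exe

HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run
    vpdn              REG_SZ    "C:\ProgramData\vpdn\VPDN_LU.exe"
    SecurityHealth    REG_SZ    C:\Windows\system32\SecurityHealthSystray.exe
"""

# Value names and the side-loading host binary tied to HTTPBrowser on this page.
# VPDN_LU.exe is a legitimate Symantec binary, so a name match is a lead to review
# (install path, signature, sibling navlu.dll), not proof of compromise.
SUSPECT_VALUE_NAMES = {"wdm", "vpdn"}
SUSPECT_IMAGE_NAMES = {"vpdn_lu.exe"}

VALUE_RE = re.compile(r"^\s+(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.*)$")

def parse_run_entries(text):
    """Yield (key_path, value_name, command) for each value under a ...\\Run key."""
    key = None
    for line in text.splitlines():
        if line and not line[0].isspace():          # unindented line = key path
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key and key.lower().endswith(r"\currentversion\run"):
            yield key, m.group(1), m.group(2).strip()

def image_name(command):
    """Return the lower-cased executable file name from a Run command line."""
    exe = command.lstrip('"').split('"')[0].split(" ")[0] if not command.startswith('"') else command.lstrip('"').split('"')[0]
    return exe.rsplit("\\", 1)[-1].lower()

def find_httpbrowser_persistence(text):
    """Flag Run-key values whose name or image matches the page's indicators."""
    hits = []
    for key, name, cmd in parse_run_entries(text):
        reasons = []
        if name.lower() in SUSPECT_VALUE_NAMES:
            reasons.append(f"value name '{name}'")
        if image_name(cmd) in SUSPECT_IMAGE_NAMES:
            reasons.append(f"image '{image_name(cmd)}'")
        if reasons:
            hits.append((key, name, cmd, "; ".join(reasons)))
    return hits

if __name__ == "__main__":
    for key, name, cmd, why in find_httpbrowser_persistence(SAMPLE_RUN_KEYS):
        print(f"[!] {key}\\{name} -> {cmd}  ({why})")
```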
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0027 | Threat Group-3390 | [2][5][6][7] |
| G0026 | APT18 | [8] |
References
1. Shelmire, A. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016.
2. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
3. ThreatConnect Research Team. (2015, February 27). The Anthem Hack: All Roads Lead to China. Retrieved January 26, 2016.
4. Desai, D. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016.
5. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
6. Pantazopoulos, N. and Henry, T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
7. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
8. Adair, S. (2017, February 17). Detecting and Responding to Advanced Threats within Exchange Environments. Retrieved March 20, 2017.