S0203 Hydraq
Hydraq is a data-theft trojan first used by Elderwood in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including APT17.87915342
| Item | Value |
|---|---|
| ID | S0203 |
| Associated Names | Roarur, MdmBot, HomeUnix, Homux, HidraQ, HydraQ, McRat, Aurora, 9002 RAT |
| Type | MALWARE |
| Version | 2.0 |
| Created | 18 April 2018 |
| Last Modified | 20 March 2023 |
| Navigation Layer | View In ATT&CK® Navigator |
Associated Software Descriptions
| Name | Description |
|---|---|
| Roarur | 6 |
| MdmBot | 6 |
| HomeUnix | 6 |
| Homux | 6 |
| HidraQ | 6 |
| HydraQ | 6 |
| McRat | 6 |
| Aurora | 79 |
| 9002 RAT | 8 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1134 | Access Token Manipulation | Hydraq creates a backdoor through which remote attackers can adjust token privileges.10 |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | Hydraq creates new services to establish persistence.91011 |
| enterprise | T1005 | Data from Local System | Hydraq creates a backdoor through which remote attackers can read data from files.910 |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | Hydraq C2 traffic is encrypted using bitwise NOT and XOR operations.10 |
| enterprise | T1048 | Exfiltration Over Alternative Protocol | Hydraq connects to a predefined domain on port 443 to exfil gathered information.10 |
| enterprise | T1083 | File and Directory Discovery | Hydraq creates a backdoor through which remote attackers can check for the existence of files, including its own components, as well as retrieve a list of logical drives.910 |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.001 | Clear Windows Event Logs | Hydraq creates a backdoor through which remote attackers can clear all system event logs.910 |
| enterprise | T1070.004 | File Deletion | Hydraq creates a backdoor through which remote attackers can delete files.910 |
| enterprise | T1105 | Ingress Tool Transfer | Hydraq creates a backdoor through which remote attackers can download files and additional malware components.910 |
| enterprise | T1112 | Modify Registry | Hydraq creates a Registry subkey to register its created service, and can also uninstall itself later by deleting this value. Hydraq‘s backdoor also enables remote attackers to modify and delete subkeys.910 |
| enterprise | T1027 | Obfuscated Files or Information | Hydraq uses basic obfuscation in the form of spaghetti code.79 |
| enterprise | T1057 | Process Discovery | Hydraq creates a backdoor through which remote attackers can monitor processes.910 |
| enterprise | T1012 | Query Registry | Hydraq creates a backdoor through which remote attackers can retrieve system information, such as CPU speed, from Registry keys.910 |
| enterprise | T1113 | Screen Capture | Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop of an infected host.10 |
| enterprise | T1129 | Shared Modules | Hydraq creates a backdoor through which remote attackers can load and call DLL functions.910 |
| enterprise | T1082 | System Information Discovery | Hydraq creates a backdoor through which remote attackers can retrieve information such as computer name, OS version, processor speed, memory size, and CPU speed.10 |
| enterprise | T1016 | System Network Configuration Discovery | Hydraq creates a backdoor through which remote attackers can retrieve IP addresses of compromised machines.910 |
| enterprise | T1007 | System Service Discovery | Hydraq creates a backdoor through which remote attackers can monitor services.910 |
| enterprise | T1569 | System Services | - |
| enterprise | T1569.002 | Service Execution | Hydraq uses svchost.exe to execute a malicious DLL included in a new service group.11 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0066 | Elderwood | 7 |
| G0001 | Axiom | 612 |
References
-
ASERT. (2015, August). ASERT Threat Intelligence Report – Uncovering the Seven Pointed Dagger. Retrieved March 19, 2018. ↩
-
Falcone, R. & Miller-Osborn, J. (2015, September 23). Chinese Actors Use ‘3102’ Malware in Attacks on US Government and EU Media. Retrieved March 19, 2018. ↩
-
Huss, D. & Mesa, M. (2017, August 25). Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures. Retrieved March 19, 2018. ↩
-
Moran, N. (2013, May 20). Ready for Summer: The Sunshop Campaign. Retrieved March 19, 2018. ↩
-
Moran, N. et al.. (2013, November 10). Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method. Retrieved March 19, 2018. ↩
-
Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014. ↩↩↩↩↩↩↩↩
-
O’Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018. ↩↩↩↩
-
Petrovsky, O. (2016, August 30). “9002 RAT” – a second building on the left. Retrieved February 20, 2018. ↩↩
-
Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Fitzgerald, P. (2010, January 26). How Trojan.Hydraq Stays On Your Computer. Retrieved February 22, 2018. ↩↩
-
Esler, J., Lee, M., and Williams, C. (2014, October 14). Threat Spotlight: Group 72. Retrieved January 14, 2016. ↩