Skip to content

S0203 Hydraq

Hydraq is a data-theft trojan first used by Elderwood in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including APT17.87915342

Item Value
ID S0203
Associated Names Roarur, MdmBot, HomeUnix, Homux, HidraQ, HydraQ, McRat, Aurora, 9002 RAT
Type MALWARE
Version 2.0
Created 18 April 2018
Last Modified 15 April 2022
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Roarur 6
MdmBot 6
HomeUnix 6
Homux 6
HidraQ 6
HydraQ 6
McRat 6
Aurora 79
9002 RAT 8

Techniques Used

Domain ID Name Use
enterprise T1134 Access Token Manipulation Hydraq creates a backdoor through which remote attackers can adjust token privileges.10
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service Hydraq creates new services to establish persistence.91011
enterprise T1005 Data from Local System Hydraq creates a backdoor through which remote attackers can read data from files.910
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Hydraq C2 traffic is encrypted using bitwise NOT and XOR operations.10
enterprise T1048 Exfiltration Over Alternative Protocol Hydraq connects to a predefined domain on port 443 to exfil gathered information.10
enterprise T1083 File and Directory Discovery Hydraq creates a backdoor through which remote attackers can check for the existence of files, including its own components, as well as retrieve a list of logical drives.910
enterprise T1070 Indicator Removal on Host -
enterprise T1070.001 Clear Windows Event Logs Hydraq creates a backdoor through which remote attackers can clear all system event logs.910
enterprise T1070.004 File Deletion Hydraq creates a backdoor through which remote attackers can delete files.910
enterprise T1105 Ingress Tool Transfer Hydraq creates a backdoor through which remote attackers can download files and additional malware components.910
enterprise T1112 Modify Registry Hydraq creates a Registry subkey to register its created service, and can also uninstall itself later by deleting this value. Hydraq‘s backdoor also enables remote attackers to modify and delete subkeys.910
enterprise T1027 Obfuscated Files or Information Hydraq uses basic obfuscation in the form of spaghetti code.79
enterprise T1057 Process Discovery Hydraq creates a backdoor through which remote attackers can monitor processes.910
enterprise T1012 Query Registry Hydraq creates a backdoor through which remote attackers can retrieve system information, such as CPU speed, from Registry keys.910
enterprise T1113 Screen Capture Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop of an infected host.10
enterprise T1129 Shared Modules Hydraq creates a backdoor through which remote attackers can load and call DLL functions.910
enterprise T1082 System Information Discovery Hydraq creates a backdoor through which remote attackers can retrieve information such as computer name, OS version, processor speed, memory size, and CPU speed.10
enterprise T1016 System Network Configuration Discovery Hydraq creates a backdoor through which remote attackers can retrieve IP addresses of compromised machines.910
enterprise T1007 System Service Discovery Hydraq creates a backdoor through which remote attackers can monitor services.910
enterprise T1569 System Services -
enterprise T1569.002 Service Execution Hydraq uses svchost.exe to execute a malicious DLL included in a new service group.11

Groups That Use This Software

ID Name References
G0001 Axiom 612
G0066 Elderwood 7

References


  1. ASERT. (2015, August). ASERT Threat Intelligence Report – Uncovering the Seven Pointed Dagger. Retrieved March 19, 2018. 

  2. Falcone, R. & Miller-Osborn, J. (2015, September 23). Chinese Actors Use ‘3102’ Malware in Attacks on US Government and EU Media. Retrieved March 19, 2018. 

  3. Huss, D. & Mesa, M. (2017, August 25). Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures. Retrieved March 19, 2018. 

  4. Moran, N. (2013, May 20). Ready for Summer: The Sunshop Campaign. Retrieved March 19, 2018. 

  5. Moran, N. et al.. (2013, November 10). Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method. Retrieved March 19, 2018. 

  6. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014. 

  7. O’Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018. 

  8. Petrovsky, O. (2016, August 30). “9002 RAT” – a second building on the left. Retrieved February 20, 2018. 

  9. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018. 

  10. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018. 

  11. Fitzgerald, P. (2010, January 26). How Trojan.Hydraq Stays On Your Computer. Retrieved February 22, 2018. 

  12. Esler, J., Lee, M., and Williams, C.. (2014, October 14). Threat Spotlight: Group 72. Retrieved January 14, 2016. 

Back to top