S0398 HyperBro
HyperBro is a custom in-memory backdoor used by Threat Group-3390.[1][2][3]
| Item | Value |
|---|---|
| ID | S0398 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.2 |
| Created | 09 July 2019 |
| Last Modified | 29 November 2021 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | HyperBro has used HTTPS for C2 communications.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | HyperBro can unpack and decrypt its payload prior to execution.[5][4] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.002 | DLL Side-Loading | HyperBro has used a legitimate application to sideload a DLL to decrypt, decompress, and run a payload.[1][4] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | HyperBro has the ability to delete a specified file.[1] |
| enterprise | T1105 | Ingress Tool Transfer | HyperBro has the ability to download additional files.[1] |
| enterprise | T1106 | Native API | HyperBro has the ability to run an application (`CreateProcessW`) or script/file (`ShellExecuteW`) via API.[1] |
| enterprise | T1027 | Obfuscated Files or Information | HyperBro can be delivered encrypted to a compromised host.[5] |
| enterprise | T1027.002 | Software Packing | HyperBro has the ability to pack its payload.[4] |
| enterprise | T1055 | Process Injection | HyperBro can run shellcode it injects into a newly created process.[1] |
| enterprise | T1113 | Screen Capture | HyperBro has the ability to take screenshots.[1] |
| enterprise | T1007 | System Service Discovery | HyperBro can list all services and their configurations.[1] |
| enterprise | T1569 | System Services | - |
| enterprise | T1569.002 | Service Execution | HyperBro has the ability to start and stop a specified service.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0027 | Threat Group-3390 | [1][2][3][5][4] |
References
1. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
2. Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018.
3. Khandelwal, S. (2018, June 14). Chinese Hackers Carried Out Country-Level Watering Hole Attack. Retrieved August 18, 2018.
4. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
5. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.