Skip to content

S0398 HyperBro

HyperBro is a custom in-memory backdoor used by Threat Group-3390.123

Item Value
ID S0398
Associated Names
Version 1.2
Created 09 July 2019
Last Modified 29 November 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols HyperBro has used HTTPS for C2 communications.1
enterprise T1140 Deobfuscate/Decode Files or Information HyperBro can unpack and decrypt its payload prior to execution.54
enterprise T1574 Hijack Execution Flow -
enterprise T1574.002 DLL Side-Loading HyperBro has used a legitimate application to sideload a DLL to decrypt, decompress, and run a payload.14
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion HyperBro has the ability to delete a specified file.1
enterprise T1105 Ingress Tool Transfer HyperBro has the ability to download additional files.1
enterprise T1106 Native API HyperBro has the ability to run an application (CreateProcessW) or script/file (ShellExecuteW) via API.1
enterprise T1027 Obfuscated Files or Information HyperBro can be delivered encrypted to a compromised host.5
enterprise T1027.002 Software Packing HyperBro has the ability to pack its payload.4
enterprise T1055 Process Injection HyperBro can run shellcode it injects into a newly created process.1
enterprise T1113 Screen Capture HyperBro has the ability to take screenshots.1
enterprise T1007 System Service Discovery HyperBro can list all services and their configurations.1
enterprise T1569 System Services -
enterprise T1569.002 Service Execution HyperBro has the ability to start and stop a specified service.1

Groups That Use This Software

ID Name References
G0027 Threat Group-3390 12354