HTTPBrowser
Associated Software Descriptions

Name | Description
---|---
HttpDump | (Citation: ThreatConnect Anthem)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | HTTPBrowser has used HTTP and HTTPS for command and control.(Citation: Dell TG-3390)(Citation: ThreatStream Evasion Analysis)
Enterprise | T1071.004 | Application Layer Protocol: DNS | HTTPBrowser has used DNS for command and control.(Citation: Dell TG-3390)(Citation: ThreatStream Evasion Analysis)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | HTTPBrowser has established persistence by setting the
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | HTTPBrowser is capable of spawning a reverse shell on a victim.(Citation: Dell TG-3390)
Enterprise | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | HTTPBrowser abuses the Windows DLL load order by using a legitimate Symantec anti-virus binary, VPDN_LU.exe, to load a malicious DLL that mimics a legitimate Symantec DLL, navlu.dll.(Citation: ZScaler Hacking Team)
Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | HTTPBrowser has used DLL side-loading.(Citation: Dell TG-3390)
Enterprise | T1070.004 | Indicator Removal: File Deletion | HTTPBrowser deletes its original installer file once installation is complete.(Citation: ZScaler Hacking Team)
Enterprise | T1056.001 | Input Capture: Keylogging | HTTPBrowser is capable of capturing keystrokes on victims.(Citation: Dell TG-3390)
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | HTTPBrowser's installer contains a malicious file named navlu.dll to decrypt and run the RAT. navlu.dll is also the name of a legitimate Symantec DLL.(Citation: ZScaler Hacking Team)
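The side-loading, Run-key persistence and installer self-deletion rows above describe host behaviours that leave distinct endpoint telemetry. The script below is an added example, not code from the ATT&CK page or from the cited vendor reports: it applies one detection rule per behaviour to constructed Sysmon-style events (Event ID 7 ImageLoad, 13 RegistryValueSet, 23 FileDelete). The VPDN_LU.exe / navlu.dll pairing comes from the table; the "trusted" and "user-writable" directory lists, the sample paths and the registry value name are assumptions made for the example.

```python
"""Detection rules for the HTTPBrowser host behaviours tabulated above.

Added example; not the ATT&CK page's or any vendor's code. Events are
constructed Sysmon-style records: field names follow Sysmon's schema
(Image, ImageLoaded, Signed, TargetObject, Details, TargetFilename),
values are invented for illustration.
"""
import ntpath
from dataclasses import dataclass

# From the page: the legitimate Symantec binary VPDN_LU.exe is used to load
# a malicious navlu.dll that carries the name of a legitimate Symantec DLL.
SIDELOAD_PAIRS = {"vpdn_lu.exe": "navlu.dll"}

# Assumed environment baseline (tune per estate): where vendor software is
# expected to live, and where an unprivileged user can write.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


@dataclass
class Alert:
    technique: str
    reason: str


def _dir(path: str) -> str:
    return ntpath.dirname(path.lower()) + "\\"


def _writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE)


def _trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def check_image_load(ev: dict):
    """T1574.001/.002: a known side-load host loads its expected DLL name from
    its own directory, and that directory is untrusted or the DLL is unsigned."""
    host = ntpath.basename(ev["Image"]).lower()
    dll = ntpath.basename(ev["ImageLoaded"]).lower()
    if SIDELOAD_PAIRS.get(host) != dll:
        return None
    same_dir = _dir(ev["Image"]) == _dir(ev["ImageLoaded"])
    unsigned = ev.get("Signed", "false").lower() != "true"
    if same_dir and (not _trusted(ev["ImageLoaded"]) or unsigned):
        return Alert("T1574.002",
                     f"{host} loaded {dll} from {_dir(ev['ImageLoaded'])} "
                     f"(Signed={ev.get('Signed')})")
    return None


def check_registry_set(ev: dict):
    """T1547.001: a Run/RunOnce value whose data points into a user-writable path."""
    key = ev["TargetObject"].lower()
    if not any(k in key for k in RUN_KEYS):
        return None
    target = ev.get("Details", "").strip().strip('"')
    if _writable(target):
        return Alert("T1547.001", f"{ev['TargetObject']} -> {target}")
    return None


def check_file_delete(ev: dict):
    """T1070.004: a process running from a user-writable path deletes an
    installer/executable in a user-writable path (post-install cleanup)."""
    target = ev["TargetFilename"]
    if target.lower().endswith((".exe", ".msi")) and _writable(target) and _writable(ev["Image"]):
        return Alert("T1070.004", f"{ev['Image']} deleted {target}")
    return None


RULES = {7: check_image_load, 13: check_registry_set, 23: check_file_delete}


def run_rules(events):
    """Dispatch each event to the rule for its Sysmon EventID; return the alerts."""
    alerts = []
    for ev in events:
        rule = RULES.get(ev["EventID"])
        alert = rule(ev) if rule else None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real data). The first three events should
# fire; the last two are benign look-alikes (vendor-signed DLL in its install
# directory, Run value pointing at Program Files) and should stay silent.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Roaming\VPDN_LU.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\navlu.dll", "Signed": "false"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "Details": r"C:\Users\alice\AppData\Roaming\VPDN_LU.exe"},
    {"EventID": 23, "Image": r"C:\Users\alice\AppData\Roaming\VPDN_LU.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\setup.exe"},
    {"EventID": 7, "Image": r"C:\Program Files (x86)\Symantec\VPDN_LU.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Symantec\navlu.dll", "Signed": "true"},
    {"EventID": 13,
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "Details": r"C:\Program Files\Vendor\app.exe"},
]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(a.technique, a.reason)
```

The side-load rule keys on the host/DLL pairing rather than on the DLL name alone, because a real Symantec install will also load a navlu.dll; what separates the two is the directory the DLL is loaded from and whether it carries a valid signature. The registry and delete rules are deliberately path-based so they survive the value name or installer name being changed.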
Groups That Use This Software

ID | Name | References
---|---|---
G0027 | Threat Group-3390 | (Citation: Dell TG-3390) (Citation: SecureWorks BRONZE UNION June 2017) (Citation: Nccgroup Emissary Panda May 2018) (Citation: Trend Micro Iron Tiger April 2021)
G0026 | APT18 | (Citation: RSA2017 Detect and Respond Adair)
References
- Desai, D. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016.
- Shelmire, A. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016.
- Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
- ThreatConnect Research Team. (2015, February 27). The Anthem Hack: All Roads Lead to China. Retrieved January 26, 2016.
- Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
- Pantazopoulos, N. and Henry, T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
- Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
- Adair, S. (2017, February 17). Detecting and Responding to Advanced Threats within Exchange Environments. Retrieved March 20, 2017.