
Hydraq

Hydraq is a data-theft trojan first used by Elderwood in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including APT17.(Citation: MicroFocus 9002 Aug 2016)(Citation: Symantec Elderwood Sept 2012)(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: ASERT Seven Pointed Dagger Aug 2015)(Citation: FireEye DeputyDog 9002 November 2013)(Citation: ProofPoint GoT 9002 Aug 2017)(Citation: FireEye Sunshop Campaign May 2013)(Citation: PaloAlto 3102 Sept 2015)
ID: S0203
Associated Software: 9002 RAT, Roarur, MdmBot, HomeUnix, Homux, HidraQ, HydraQ, McRat, Aurora
Type: MALWARE
Platforms: Windows
Version: 2.0
Created: 18 Apr 2018
Last Modified: 15 Apr 2022

Associated Software Descriptions

Name Description
9002 RAT (Citation: MicroFocus 9002 Aug 2016)
Roarur (Citation: Novetta-Axiom)
MdmBot (Citation: Novetta-Axiom)
HomeUnix (Citation: Novetta-Axiom)
Homux (Citation: Novetta-Axiom)
HidraQ (Citation: Novetta-Axiom)
HydraQ (Citation: Novetta-Axiom)
McRat (Citation: Novetta-Axiom)
Aurora (Citation: Symantec Elderwood Sept 2012)(Citation: Symantec Trojan.Hydraq Jan 2010)

Techniques Used

Domain ID Name Use
Enterprise T1543 .003 Create or Modify System Process: Windows Service

Hydraq creates new services to establish persistence.(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: Symantec Hydraq Jan 2010)(Citation: Symantec Hydraq Persistence Jan 2010)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Hydraq C2 traffic is encrypted using bitwise NOT and XOR operations.(Citation: Symantec Hydraq Jan 2010)
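Why a bitwise NOT plus a single-byte XOR is catalogued under "symmetric cryptography" but offers no real confidentiality: NOT(x) XOR k is just x XOR (k XOR 0xFF), so the scheme collapses to single-byte XOR with 256 possible keys, and one known plaintext byte recovers the key. The code below is an added illustration of that transform class, not Hydraq's own routine; the key byte, the sample message and all function names are assumptions for the example (the page does not give the real constant).

```python
from typing import List, Optional

# Assumed illustrative key byte for this example; it is NOT Hydraq's real
# constant, which this page does not give.
KEY = 0x7C

# Constructed sample message, not captured Hydraq traffic.
SAMPLE_MESSAGE = b"GET /index.html HTTP/1.1\r\n"


def not_xor_encode(data: bytes, key: int = KEY) -> bytes:
    """Per-byte transform: bitwise NOT, then XOR with a single key byte."""
    return bytes(((~b) & 0xFF) ^ key for b in data)


def not_xor_decode(data: bytes, key: int = KEY) -> bytes:
    """Inverse of not_xor_encode: undo the XOR, then undo the NOT."""
    return bytes((~(b ^ key)) & 0xFF for b in data)


def equivalent_xor_key(key: int) -> int:
    """NOT(x) ^ k == x ^ (k ^ 0xFF): the whole scheme is single-byte XOR
    with the key k ^ 0xFF, so there are exactly 256 possible keys."""
    return key ^ 0xFF


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> Optional[int]:
    """Known-plaintext attack. One known byte pair fixes the key
    (k = NOT(p) ^ c); the remaining known bytes are used to confirm it.
    Returns None when no single key explains every pair."""
    if not known_plaintext or len(known_plaintext) > len(ciphertext):
        return None
    key = ((~known_plaintext[0]) & 0xFF) ^ ciphertext[0]
    for p, c in zip(known_plaintext, ciphertext):
        if (((~p) & 0xFF) ^ key) != c:
            return None
    return key


def candidate_keys(ciphertext: bytes) -> List[int]:
    """Ciphertext-only triage: try all 256 keys and keep those whose output
    is entirely printable ASCII (or CR/LF/TAB), which is what a plaintext
    command channel usually looks like. The true key is always in the list;
    short or binary messages may leave several candidates to inspect."""
    allowed = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
    return [k for k in range(256)
            if all(b in allowed for b in not_xor_decode(ciphertext, k))]


if __name__ == "__main__":
    wire = not_xor_encode(SAMPLE_MESSAGE)
    print("on the wire:", wire.hex())
    print("decoded    :", not_xor_decode(wire))
    print("known-plaintext key:", hex(recover_key(wire, b"GET ")))
    print("printable candidates:", [hex(k) for k in candidate_keys(wire)])
```

The practical consequence for a responder: a capture of this "encrypted" channel can be decoded from a single known protocol byte, and the 256-key brute force in `candidate_keys` is enough when no plaintext is known at all.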

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

Hydraq creates a backdoor through which remote attackers can clear all system event logs.(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: Symantec Hydraq Jan 2010)

Enterprise T1070 .004 Indicator Removal: File Deletion

Hydraq creates a backdoor through which remote attackers can delete files.(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: Symantec Hydraq Jan 2010)

Enterprise T1569 .002 System Services: Service Execution

Hydraq uses svchost.exe to execute a malicious DLL included in a new service group.(Citation: Symantec Hydraq Persistence Jan 2010)
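The three host-side behaviours above (a new service for persistence, a DLL hosted by svchost.exe under a new service group, and event logs being cleared) leave a small, checkable trail: Service Control Manager event 7045 records each newly installed service with its ImagePath; for an svchost-hosted service the actual code lives in the `Parameters\ServiceDll` value under `HKLM\SYSTEM\CurrentControlSet\Services\<name>`; and clearing the Security or System log produces event 1102 or 104 respectively. The detection logic below is an added example that is not part of the original page or of any Hydraq analysis. The service names, group name, DLL paths and the baseline list of stock svchost groups are constructed or assumed; the event records are simplified to a few JSON fields rather than full EVTX XML.

```python
import json
import re
from typing import Dict, List, Optional

# Partial baseline of stock svchost groups. Assumption for the example: on a
# real engagement export the list from HKLM\SOFTWARE\Microsoft\Windows NT\
# CurrentVersion\Svchost on a known-clean host of the same build.
KNOWN_SVCHOST_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "localservice", "networkservice",
    "localsystemnetworkrestricted", "localservicenetworkrestricted",
    "localservicenonetwork", "localserviceandnoimpersonation",
}

SVCHOST_GROUP_RE = re.compile(r"svchost\.exe\s+-k\s+([^\s\"']+)", re.IGNORECASE)
SYSTEM32_PREFIXES = ("c:\\windows\\system32\\", "%systemroot%\\system32\\")

# Constructed sample records (simplified Windows event fields, one JSON object
# per line). Service names, the "SysIns" group and the paths are made up.
SAMPLE_LOG = r"""
{"EventID": 7045, "Channel": "System", "ServiceName": "wuauserv", "ImagePath": "%SystemRoot%\\system32\\svchost.exe -k netsvcs", "StartType": "auto start"}
{"EventID": 7045, "Channel": "System", "ServiceName": "SvcExample", "ImagePath": "%SystemRoot%\\System32\\svchost.exe -k SysIns", "StartType": "auto start"}
{"EventID": 7045, "Channel": "System", "ServiceName": "BackupAgent", "ImagePath": "C:\\Program Files\\Backup\\agent.exe", "StartType": "auto start"}
{"EventID": 1102, "Channel": "Security", "SubjectUserName": "Administrator"}
{"EventID": 104, "Channel": "System", "SubjectUserName": "Administrator"}
"""

# Constructed registry snapshot: service name -> Parameters\ServiceDll value,
# as exported from HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters.
SAMPLE_SERVICE_DLLS: Dict[str, str] = {
    "wuauserv": "%SystemRoot%\\System32\\wuaueng.dll",
    "SvcExample": "C:\\Users\\Public\\sysins.dll",
}


def parse_events(text: str) -> List[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines()]


def svchost_group(image_path: str) -> Optional[str]:
    """Return the -k group name if the service is hosted by svchost.exe."""
    m = SVCHOST_GROUP_RE.search(image_path)
    return m.group(1) if m else None


def outside_system32(path: str) -> bool:
    return not path.lower().startswith(SYSTEM32_PREFIXES)


def find_svchost_service_persistence(events: List[dict],
                                     service_dll_by_name: Dict[str, str],
                                     known_groups=KNOWN_SVCHOST_GROUPS) -> List[dict]:
    """Flag 7045 events for svchost-hosted services that use an unknown
    service group or whose ServiceDll lives outside System32."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue
        group = svchost_group(ev.get("ImagePath", ""))
        if group is None:
            continue  # plain EXE service: not the svchost/ServiceDll pattern
        reasons = []
        if group.lower() not in known_groups:
            reasons.append(f"new svchost group '{group}'")
        dll = service_dll_by_name.get(ev.get("ServiceName", ""))
        if dll is None:
            reasons.append("svchost-hosted service has no ServiceDll value")
        elif outside_system32(dll):
            reasons.append(f"ServiceDll outside System32: {dll}")
        if reasons:
            findings.append({"service": ev["ServiceName"], "group": group,
                             "service_dll": dll, "reasons": reasons})
    return findings


def find_log_clears(events: List[dict]) -> List[dict]:
    """1102 = Security log cleared, 104 = System (or other) log cleared."""
    cleared = {(1102, "Security"), (104, "System")}
    return [ev for ev in events
            if (ev.get("EventID"), ev.get("Channel")) in cleared]


SAMPLE_EVENTS = parse_events(SAMPLE_LOG)

if __name__ == "__main__":
    for f in find_svchost_service_persistence(SAMPLE_EVENTS, SAMPLE_SERVICE_DLLS):
        print("SUSPECT service:", f)
    for ev in find_log_clears(SAMPLE_EVENTS):
        print("LOG CLEARED:", ev["Channel"], "by", ev.get("SubjectUserName"))
```

Two caveats worth keeping in mind: a 7045 for a legitimate group still deserves a look when the ServiceDll is new or unsigned (the group check alone is only a first filter), and a 1102/104 is itself the strongest signal here, since a cleared log is both the technique and the evidence that something needed hiding; forward logs off-host so the clear does not also remove the 7045 that preceded it.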

Groups That Use This Software

ID Name References
G0066 Elderwood (Citation: Symantec Elderwood Sept 2012)
G0001 Axiom (Citation: Novetta-Axiom)(Citation: Cisco Group 72)
