Hydraq
Associated Software Descriptions

| Name | Description |
|---|---|
| 9002 RAT | (Citation: MicroFocus 9002 Aug 2016) |
| Roarur | (Citation: Novetta-Axiom) |
| MdmBot | (Citation: Novetta-Axiom) |
| HomeUnix | (Citation: Novetta-Axiom) |
| Homux | (Citation: Novetta-Axiom) |
| HidraQ | (Citation: Novetta-Axiom) |
| HydraQ | (Citation: Novetta-Axiom) |
| McRat | (Citation: Novetta-Axiom) |
| Aurora | (Citation: Symantec Elderwood Sept 2012)(Citation: Symantec Trojan.Hydraq Jan 2010) |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Hydraq creates new services to establish persistence.(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: Symantec Hydraq Jan 2010)(Citation: Symantec Hydraq Persistence Jan 2010) |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Hydraq C2 traffic is encrypted using bitwise NOT and XOR operations.(Citation: Symantec Hydraq Jan 2010) |
| Enterprise | T1070.001 | Indicator Removal: Clear Windows Event Logs | Hydraq creates a backdoor through which remote attackers can clear all system event logs.(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: Symantec Hydraq Jan 2010) |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Hydraq creates a backdoor through which remote attackers can delete files.(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: Symantec Hydraq Jan 2010) |
| Enterprise | T1569.002 | System Services: Service Execution | Hydraq uses svchost.exe to execute a malicious DLL included in a new service group.(Citation: Symantec Hydraq Persistence Jan 2010) |
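The T1573.001 row says the C2 channel is "encrypted" with bitwise NOT and XOR. The following is an added illustration, not code from the ATT&CK page or from Symantec's analysis: it models such a scheme and shows why an analyst can recover the plaintext from captured traffic without the key. Because NOT is just XOR with 0xFF, the two steps collapse to a single-byte XOR, so the 256 possible keys can be tried exhaustively and scored by how text-like the result looks. The key value 0xCC, the operation order (XOR, then NOT), the function names and the sample beacon are assumptions for illustration; none of them are documented Hydraq values.

```python
"""Added example (not from the ATT&CK page or Symantec): a symmetric
NOT + single-byte-XOR transform of the kind the Hydraq entry describes,
plus a defender-side routine that recovers the key from captured bytes.
The key, operation order and sample payload are assumptions."""

from typing import Optional, Tuple

ASSUMED_KEY = 0xCC  # assumption: not a value documented for Hydraq

# Constructed sample beacon; it is not real Hydraq traffic.
SAMPLE_PLAINTEXT = b"GET /cmd?id=1 HTTP/1.0\r\nHost: example.invalid\r\n\r\n"


def not_xor(data: bytes, key: int = ASSUMED_KEY) -> bytes:
    """XOR every byte with `key`, then apply bitwise NOT.

    Both steps are involutions, so applying this twice with the same key
    returns the original bytes: one routine both encodes and decodes.
    """
    return bytes(((b ^ key) ^ 0xFF) & 0xFF for b in data)


def effective_xor_key(key: int) -> int:
    """NOT(x) == x ^ 0xFF, hence NOT(x ^ k) == x ^ (k ^ 0xFF).

    The two-step scheme is therefore a plain single-byte XOR with this
    derived key, which is why it obfuscates rather than encrypts.
    """
    return (key ^ 0xFF) & 0xFF


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or TAB/LF/CR."""
    if not data:
        return 0.0
    good = sum(1 for b in data if 32 <= b <= 126 or b in (9, 10, 13))
    return good / len(data)


def recover(captured: bytes, min_ratio: float = 0.95) -> Optional[Tuple[int, bytes]]:
    """Try all 256 candidate keys and keep the most text-like decoding.

    Returns (key, plaintext), or None when no candidate clears `min_ratio`
    (for example when the payload is compressed or otherwise binary).
    """
    best_ratio, best_key, best_text = -1.0, None, b""
    for k in range(256):
        candidate = not_xor(captured, k)
        ratio = printable_ratio(candidate)
        if ratio > best_ratio:
            best_ratio, best_key, best_text = ratio, k, candidate
    if best_key is None or best_ratio < min_ratio:
        return None
    return best_key, best_text


if __name__ == "__main__":
    wire = not_xor(SAMPLE_PLAINTEXT)
    print("on the wire:", wire.hex())
    print("recovered:  ", recover(wire))
```

The printable-ratio heuristic is deliberately simple; for real captures, scoring against expected protocol tokens or byte-frequency tables is more robust, but the point stands that a NOT/XOR channel gives detection engineers full visibility into the command traffic once a sample is in hand.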
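The T1543.003 and T1569.002 rows describe persistence through a new service whose DLL is loaded by svchost.exe under a new service group. The following is an added example, not code from the ATT&CK page or from Symantec: it reviews "service installed" records (Windows System log event 7045) and flags any new service that runs under svchost.exe with a `-k` group absent from the host's known baseline. The baseline set, the record format, the service and group names in the sample records, and the function names are all constructed assumptions.

```python
"""Added example (not from the ATT&CK page or Symantec): flag newly
installed services hosted by svchost.exe under an unknown service group.
Baseline, record layout and sample records are constructed assumptions."""

import re
from typing import Dict, Iterable, List, Optional

# Assumed baseline of svchost groups expected on this host. In practice
# derive it from a known-good image; this short list is illustrative only.
KNOWN_SVCHOST_GROUPS = {
    "netsvcs", "localservice", "networkservice", "dcomlaunch", "rpcss",
    "localsystemnetworkrestricted",
}

# Matches "svchost.exe -k <group>" regardless of path or case.
SVCHOST_GROUP_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.IGNORECASE)

# Constructed sample records modelled on System log event 7045 fields.
# "SvcDemo01" and "NetSvcX" are invented names, not Hydraq indicators.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event_id": "7045", "service_name": "WSearch",
     "image_path": r"%SystemRoot%\system32\SearchIndexer.exe /Embedding",
     "start_type": "auto start"},
    {"event_id": "7045", "service_name": "SvcDemo01",
     "image_path": r"%SystemRoot%\System32\svchost.exe -k NetSvcX",
     "start_type": "auto start"},
    {"event_id": "7045", "service_name": "DemoLegit",
     "image_path": r"%SystemRoot%\System32\svchost.exe -k netsvcs -p",
     "start_type": "demand start"},
    {"event_id": "7036", "service_name": "Spooler",
     "image_path": "", "start_type": ""},
]


def svchost_group(image_path: str) -> Optional[str]:
    """Return the lower-cased svchost service group from an image path,
    or None when the service is not hosted by svchost.exe."""
    m = SVCHOST_GROUP_RE.search(image_path)
    return m.group(1).lower() if m else None


def find_suspicious_services(events: Iterable[Dict[str, str]],
                             known_groups=KNOWN_SVCHOST_GROUPS) -> List[Dict[str, str]]:
    """Return one alert per 7045 record whose svchost group is not in the
    baseline. Non-7045 records and non-svchost services are ignored here."""
    alerts: List[Dict[str, str]] = []
    for ev in events:
        if ev.get("event_id") != "7045":
            continue
        group = svchost_group(ev.get("image_path", ""))
        if group is None or group in known_groups:
            continue
        alerts.append({
            "service_name": ev.get("service_name", ""),
            "group": group,
            "start_type": ev.get("start_type", ""),
            "reason": "svchost service group not in baseline",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_services(SAMPLE_EVENTS):
        print(alert)
```

A fuller check would also resolve each flagged service's `Parameters\ServiceDll` registry value and compare the group against the definitions under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost`, since a new group name in that key is what lets svchost.exe load the DLL in the first place.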
Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0066 | Elderwood | (Citation: Symantec Elderwood Sept 2012) |
| G0001 | Axiom | (Citation: Novetta-Axiom) (Citation: Cisco Group 72) |
References

- ASERT. (2015, August). ASERT Threat Intelligence Report – Uncovering the Seven Pointed Dagger. Retrieved March 19, 2018.
- Falcone, R. & Miller-Osborn, J. (2015, September 23). Chinese Actors Use ‘3102’ Malware in Attacks on US Government and EU Media. Retrieved March 19, 2018.
- Huss, D. & Mesa, M. (2017, August 25). Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures. Retrieved March 19, 2018.
- Moran, N. (2013, May 20). Ready for Summer: The Sunshop Campaign. Retrieved March 19, 2018.
- Moran, N. et al. (2013, November 10). Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method. Retrieved March 19, 2018.
- Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
- O'Gorman, G. & McDonald, G. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.
- Petrovsky, O. (2016, August 30). “9002 RAT” -- a second building on the left. Retrieved February 20, 2018.
- Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
- Fitzgerald, P. (2010, January 26). How Trojan.Hydraq Stays On Your Computer. Retrieved February 22, 2018.
- Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
- Esler, J., Lee, M. & Williams, C. (2014, October 14). Threat Spotlight: Group 72. Retrieved January 14, 2016.