HTTPBrowser

HTTPBrowser is malware that has been used by several threat groups. [1] [2] It is believed to be of Chinese origin. [3]

ID: S0070
Associated Software: Token Control, HttpDump
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 20 March 2020

Associated Software Descriptions

Name Description
HttpDump [3]

Techniques Used

Domain ID Name Use

Enterprise T1036.005 Masquerading: Match Legitimate Name or Location

HTTPBrowser's installer contains a malicious file named navlu.dll to decrypt and run the RAT. navlu.dll is also the name of a legitimate Symantec DLL.[4]

Enterprise T1574.001 Hijack Execution Flow: DLL Search Order Hijacking

HTTPBrowser abuses the Windows DLL load order by using a legitimate Symantec anti-virus binary, VPDN_LU.exe, to load a malicious DLL that mimics a legitimate Symantec DLL, navlu.dll.[4]

Enterprise T1574.002 Hijack Execution Flow: DLL Side-Loading

HTTPBrowser has used DLL side-loading.[2]

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

HTTPBrowser has established persistence by setting the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key value for wdm to the path of the executable. It has also used the Registry entry HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run vpdn "%ALLUSERPROFILE%\%APPDATA%\vpdn\VPDN_LU.exe" to establish persistence.[4][1]
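The following PowerShell audit is an added defensive example; it is not part of the ATT&CK entry or of the cited reports. It walks the Run keys the three entries above name (HKCU and every loaded HKEY_USERS hive, since the HKEY_USERS path on the page omits the per-user SID), flags value names and file names the page reports (wdm, vpdn, VPDN_LU.exe, navlu.dll), and for each auto-started executable checks whether a navlu.dll sits beside it without a valid Symantec signature, which is the condition the search-order hijack and side-loading entries describe. The "outside Program Files/Windows" heuristic and the function name Test-RunKeyEntry are this example's own assumptions, not indicators from the page.

```powershell
# Added example (not from the ATT&CK page or the cited reports): audit Run-key
# persistence and co-located navlu.dll side-loading as described for HTTPBrowser.

$SuspiciousValueNames = @('wdm', 'vpdn')               # value names reported on the page
$SuspiciousBinaries   = @('VPDN_LU.exe', 'navlu.dll')  # file names reported on the page
$TrustedRoots         = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
                        Where-Object { $_ }             # assumption: these roots are "expected" homes

# HKCU plus every loaded hive under HKEY_USERS, so per-SID Run keys are covered too.
$runKeys = @('Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($hive in (Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue)) {
    $runKeys += "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
}

function Test-RunKeyEntry {
    # Hypothetical helper: returns a finding object when a Run value looks like the
    # persistence or side-loading pattern on the page, otherwise returns nothing.
    param([string]$Key, [string]$ValueName, [string]$RawValue)

    if (-not $RawValue) { return }
    $reasons = New-Object System.Collections.Generic.List[string]

    # Expand %VARS% and pull the executable path out of a possibly quoted command line.
    $expanded = [Environment]::ExpandEnvironmentVariables($RawValue)
    $exePath  = if ($expanded -match '^"?([^"]+?\.exe)') { $Matches[1] } else { $expanded }
    $leaf     = Split-Path -Path $exePath -Leaf

    if ($ValueName -in $SuspiciousValueNames) { $reasons.Add("value name '$ValueName' matches the reported entry") }
    if ($leaf -in $SuspiciousBinaries)        { $reasons.Add("binary name '$leaf' matches the reported loader") }

    # Heuristic (assumption): an absolute path outside Program Files / Windows deserves a look.
    $inTrustedRoot = $false
    foreach ($root in $TrustedRoots) {
        if ($exePath.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrustedRoot = $true }
    }
    if ([IO.Path]::IsPathRooted($exePath) -and -not $inTrustedRoot) {
        $reasons.Add("executable lives outside Program Files/Windows")
    }

    # Side-loading check: a navlu.dll next to the auto-started EXE that is not Symantec-signed.
    $dir = Split-Path -Path $exePath -Parent
    if ($dir) {
        $dll = Join-Path -Path $dir -ChildPath 'navlu.dll'
        if (Test-Path -LiteralPath $dll) {
            $sig    = Get-AuthenticodeSignature -FilePath $dll
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Symantec') {
                $reasons.Add("navlu.dll beside the EXE is not Symantec-signed (status=$($sig.Status), signer=$signer)")
            }
        }
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Key        = $Key
            ValueName  = $ValueName
            Executable = $exePath
            Reasons    = ($reasons -join '; ')
        }
    }
}

$findings = foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    # Skip the provider's own PS* bookkeeping properties; everything else is a Run value.
    foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        Test-RunKeyEntry -Key $key -ValueName $p.Name -RawValue ([string]$p.Value)
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Run it from an elevated session so the HKEY_USERS hives of other logged-on accounts are readable. The signature check is the part that matters most: a legitimately signed VPDN_LU.exe beside an unsigned or differently signed navlu.dll is exactly the legitimate-loader-plus-malicious-DLL pairing the page describes, and it will not trip a name-only rule once the attacker renames the value.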

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

HTTPBrowser is capable of spawning a reverse shell on a victim.[2]

Enterprise T1071.001 Application Layer Protocol: Web Protocols

HTTPBrowser has used HTTP and HTTPS for command and control.[2][1]

Enterprise T1071.004 Application Layer Protocol: DNS

HTTPBrowser has used DNS for command and control.[2][1]

Enterprise T1083 File and Directory Discovery

HTTPBrowser is capable of listing files, folders, and drives on a victim.[2][4]

Enterprise T1027 Obfuscated Files or Information

HTTPBrowser's code may be obfuscated through structured exception handling and return-oriented programming.[2]

Enterprise T1070.004 Indicator Removal on Host: File Deletion

HTTPBrowser deletes its original installer file once installation is complete.[4]

Enterprise T1105 Ingress Tool Transfer

HTTPBrowser is capable of writing a file to the compromised system from the C2 server.[2]

Enterprise T1056.001 Input Capture: Keylogging

HTTPBrowser is capable of capturing keystrokes on victims.[2]

Groups That Use This Software

References