HyperBro is a custom in-memory backdoor used by Threat Group-3390.[1][2][3]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | HyperBro has used a legitimate application to sideload a DLL to decrypt, decompress, and run a payload.[1][4] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | HyperBro can unpack and decrypt its payload prior to execution.[5][4] |
| Enterprise | T1113 | Screen Capture | |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1106 | Native API | HyperBro has the ability to run an application ( |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | HyperBro can be delivered encrypted to a compromised host.[5] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | |
| Enterprise | T1569.002 | System Services: Service Execution | HyperBro has the ability to start and stop a specified service.[1] |
| Enterprise | T1007 | System Service Discovery | |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1055 | Process Injection | HyperBro can run shellcode it injects into a newly created process.[1] |