MAR-10365227-2.v1

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Description

This Malware Analysis Report (MAR) is the result of analytic efforts by the Cybersecurity and Infrastructure Security Agency (CISA) to provide detailed analysis of files associated with HyperBro, a Remote Access Trojan (RAT). CISA obtained HyperBro malware samples during an on-site incident response engagement at a Defense Industrial Base (DIB) Sector organization compromised by advanced persistent threat (APT) actors.



CISA analyzed 4 files associated with HyperBro malware. The files creates a backdoor program that is capable of uploading and downloading files to and from the system. The RAT is also capable of logging keystrokes and executing commands on the system.



For more information on the confirmed compromise, see Joint CSA: Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization.

Download the STIX version of this report: MAR-10365227-2.v1 249B

Submitted Files (4)

52072a8f99dacd5c293fccd051eab95516d8b880cd2bc5a7e0f4a30d008e22a7 (vftrace.dll)

df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348 (msmpeng.exe)

f1a2791eebaea183f399110c9e8ae11c67f5bebf93a5573d1ac3c56fc71b2230 (config.ini)

f2ba8b8aabf73020febd3a925276d52ce88f295537fe57723df714c13f5a8780 (thumb.dat)

IPs (1)

104.168.236.46

df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348

Tags

loader

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Packers/Compilers/Cryptors

Relationships

Description

This artifact is a version of vf_host.exe from Viewfinity. The file is used to side-load the malicious dynamic-link library (DLL), vftrace.dll.



The program is also capable of bypassing User Account Controls (UAC) on the system by disabling Admin Approval Mode in User Account Controls Group Policy in HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System. This can allow the malware to run with Admin privileges, or allow remote logon (RDP) with full Admin privileges.

52072a8f99dacd5c293fccd051eab95516d8b880cd2bc5a7e0f4a30d008e22a7

Tags

trojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Packers/Compilers/Cryptors

Relationships

Description

This DLL is side-loaded by df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348 detailed in this report.



When the DLL is executed it will create a Globally Unique Identifier (GUID) to identify the system to the command and control (C2) during communication. The GUID is written to a file called 'Config.ini' and placed in the current directory.



The program will decrypt and read a configuration file called 'thumb.dat' that instructs it to spawn a new instance of the Service Host Process (svchost.exe) and inject itself into the new instance. Svchost.exe is run with the -k netsvcs parameter to allow the malware to connect to its C2. The malware collects the following information to send to the C2 via POST when establishing a connection.



---Begin Collected Information---

Computer Name

IP Address

Path to the malware location

Process name that it is running in (svchost.exe)

Mode

Name of the malware

GUID

---End Collected Information---



During analysis, the malware attempted to connect to the Uniform Resource Identifier (URI), hxxps[:]//104.168.236.46/api/v2/ajax using the fixed User-Agent string Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36.



To achieve persistence on the system, the program creates a service in the registry called ‘Windows Defenders Service’ that starts automatically when the user logs on.



---Begin Registry Settings---

HKLM\System\CurrentControlSet\services\windefenders\Type. Data: 272

HKLM\System\CurrentControlSet\services\windefenders\Start. Data: 2

HKLM\System\CurrentControlSet\services\windefenders\ErrorControl. Data: 1

HKLM\System\CurrentControlSet\services\windefenders\ImagePath    Data: “C:\Program Files (x86)\Common Files\windefenders\msmpenge.exe"

HKLM\System\CurrentControlSet\services\windefenders\DisplayName    Data: Windows Defenders

HKLM\System\CurrentControlSet\services\windefenders\WOW64. Data: 1

HKLM\System\CurrentControlSet\services\windefenders\ObjectName. Data: LocalSystem

HKLM\System\CurrentControlSet\services\windefende37337060\DeleteFlag. Data: 1

HKLM\System\CurrentControlSet\services\windefende37337060\Start. Data: 4

HKLM\System\CurrentControlSet\services\windefenders\Description    Data: Windows Defenders Service

---End Registry Settings---



It may also create an autorun entry in the registry at HKLM\Software\Microsoft\Windows\Current Version\Run.



The malware creates a hidden folder called ‘windefenders’ in the path C:\Program Files (x86)\Common Files\ where it will copy the PE file ‘msmpeng.exe’ along with the GUID file, ‘config.ini’, the malicious library ‘vftrace.dll’, and the encrypted configuration file ‘thumb.dat’. A second hidden folder called ‘windefenders’ is also created in the path C:\ProgramData\. This folder holds another instance of the PE file.



The program is capable of logging keystrokes, uploading and downloading files, and will also invoke RpcServerListen to wait for incoming Remote Procedure Call (RPC) connections. It will also open a pipe called ‘\Device\NamedPipe\testpipe’ that it uses to pass commands from its daemon to any worker processes it may set up.

104.168.236.46

Tags

command-and-control

URLs

• hxxps[:]//104.168.236.46/api/v2/ajax

Ports

• 443 TCP

Whois

Domain Name: HOSTWINDSDNS.COM

Registry Domain ID: 1655837964_DOMAIN_COM-VRSN

Registrar WHOIS Server: whois.namecheap.com

Registrar URL: http://www.namecheap.com

Updated Date: 2021-06-25T06:27:14Z

Creation Date: 2011-05-12T23:01:53Z

Registry Expiry Date: 2029-05-12T23:01:53Z

Registrar: NameCheap, Inc.

Registrar IANA ID: 1068

Registrar Abuse Contact Email: abuse@namecheap.com

Registrar Abuse Contact Phone: +1.6613102107

Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited

Name Server: DNS1.HOSTWINDSDNS.COM

Name Server: DNS2.HOSTWINDSDNS.COM

Name Server: DNS3.HOSTWINDSDNS.COM

Name Server: DNS4.HOSTWINDSDNS.COM

DNSSEC: unsigned



Domain name: hostwindsdns.com

Registry Domain ID: 1655837964_DOMAIN_COM-VRSN

Registrar WHOIS Server: whois.namecheap.com

Registrar URL: http://www.namecheap.com

Updated Date: 2020-04-27T12:40:10.00Z

Creation Date: 2011-05-12T23:01:53.00Z

Registrar Registration Expiration Date: 2029-05-12T23:01:53.00Z

Registrar: NAMECHEAP INC

Registrar IANA ID: 1068

Registrar Abuse Contact Email: abuse@namecheap.com

Registrar Abuse Contact Phone: +1.9854014545

Reseller: NAMECHEAP INC

Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited

Registry Registrant ID: Redacted for Privacy Purposes

Registrant Name: Redacted for Privacy Purposes

Registrant Organization: Redacted for Privacy Purposes

Registrant Street: Redacted for Privacy Purposes

Registrant City: Redacted for Privacy Purposes

Registrant State/Province: WA

Registrant Postal Code: Redacted for Privacy Purposes

Registrant Country: US

Registrant Phone: Redacted for Privacy Purposes

Registrant Phone Ext: Redacted for Privacy Purposes

Registrant Fax: Redacted for Privacy Purposes

Registrant Fax Ext: Redacted for Privacy Purposes

Registrant Email: Select Contact Domain Holder link at https://www.namecheap.com/domains/whois/result?domain=hostwindsdns.com

Registry Admin ID: Redacted for Privacy Purposes

Admin Name: Redacted for Privacy Purposes

Admin Organization: Redacted for Privacy Purposes

Admin Street: Redacted for Privacy Purposes

Admin City: Redacted for Privacy Purposes

Admin State/Province: Redacted for Privacy Purposes

Admin Postal Code: Redacted for Privacy Purposes

Admin Country: Redacted for Privacy Purposes

Admin Phone: Redacted for Privacy Purposes

Admin Phone Ext: Redacted for Privacy Purposes

Admin Fax: Redacted for Privacy Purposes

Admin Fax Ext: Redacted for Privacy Purposes

Admin Email: Select Contact Domain Holder link at https://www.namecheap.com/domains/whois/result?domain=hostwindsdns.com

Registry Tech ID: Redacted for Privacy Purposes

Tech Name: Redacted for Privacy Purposes

Tech Organization: Redacted for Privacy Purposes

Tech Street: Redacted for Privacy Purposes

Tech City: Redacted for Privacy Purposes

Tech State/Province: Redacted for Privacy Purposes

Tech Postal Code: Redacted for Privacy Purposes

Tech Country: Redacted for Privacy Purposes

Tech Phone: Redacted for Privacy Purposes

Tech Phone Ext: Redacted for Privacy Purposes

Tech Fax: Redacted for Privacy Purposes

Tech Fax Ext: Redacted for Privacy Purposes

Tech Email: Select Contact Domain Holder link at https://www.namecheap.com/domains/whois/result?domain=hostwindsdns.com

Name Server: dns1.hostwindsdns.com

Name Server: dns2.hostwindsdns.com

Name Server: dns3.hostwindsdns.com

Name Server: dns4.hostwindsdns.com

DNSSEC: unsigned

Relationships

Description

During analysis, the file vftrace.dll attempted to connect to this domain.

f1a2791eebaea183f399110c9e8ae11c67f5bebf93a5573d1ac3c56fc71b2230

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

This artifact contains a GUID that is generated by the malware to uniquely identify the system during communication with the C2.

f2ba8b8aabf73020febd3a925276d52ce88f295537fe57723df714c13f5a8780

Tags

backdoorkeylogger

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

This artifact is the encrypted configuration data that is read by 52072a8f99dacd5c293fccd051eab95516d8b880cd2bc5a7e0f4a30d008e22a7 detailed in this report. The decrypted strings in the configuration are listed below:



---Begin Decrypted Strings---

system -k networkservice

svchost.exe

localservice -k localservice

networkservice

clip.log

rb %04/%02d%02d:%02d:%02d

ab+

SOFTWARE\Microsoft

config_ :\ \ %d %d %d %d

config.ini

Guid

Config %08X%04X%04X%02X%02X%02X%02X%02X%02X%02X%02X

RtlGetVersion

ntdll.dll

Vista

Win2008

Win7

Win2008(R2)

Win8

Win2012

Win8.1

Win2012(R2)

WinXp

Win2003

Win10

Win2016

IsWow64Process

kernel32

open

%d/%d/%d %d:%d

key.log

explorer.exe

/api/v2/ajax

POST

https://%s:%d/api/v2/ajax

\pipe\testpipe

\HKEY_CURRENT_USER\

\HKEY_LOCAL_MACHINE\

config.ini

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

log.log

%s\%d

exe

wb

Kernel32.dll

msiexec.exe

\cmd.exe

ntdll

SeDebugPrivilege

runas

taskmgr

exe

ccc

bbb

aaa

windefende%d

80A85553-1E05-4323-B4F9-43A4396A4507

Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36



---End Decrypted Strings---



This configuration allows the malware to connect to its C2, create persistence on the system, log keystrokes and telemetry data, and execute commands from the command line.

The following MITRE ATT&CK tactics and techniques were observed during analysis of these samples.



T1543.003 Persistence: Create or Modify System Process. Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg.



T1574.002 Hijack Execution Flow: DLL Side-Loading. Adversaries may execute their own malicious payloads by side-loading DLLs. Side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).



T1567.000 Exfiltration: Exfiltration Over Web Service. Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.



T1560.000 Collection: Archive Collected Data. An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

• Maintain up-to-date antivirus signatures and engines.
• Keep operating system patches up-to-date.
• Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
• Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
• Enforce a strong password policy and implement regular password changes.
• Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
• Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
• Disable unnecessary services on agency workstations and servers.
• Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
• Monitor users' web browsing habits; restrict access to sites with unfavorable content.
• Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
• Scan all software downloaded from the Internet prior to executing.
• Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

• 1-888-282-0870
• CISA Central (UNCLASS)
• CISA SIPR (SIPRNET)
• CISA IC (JWICS)

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Central.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

• Web: https://malware.us-cert.gov
• E-Mail: submit@malware.us-cert.gov
• FTP: ftp.malware.us-cert.gov (anonymous)

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.