Analysis Reports

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Description

This Malware Analysis Report (MAR) is the result of analytic efforts by the Cybersecurity and Infrastructure Security Agency (CISA) to provide detailed analysis of files associated with HyperBro, a Remote Access Trojan (RAT). CISA obtained HyperBro malware samples during an on-site incident response engagement at a Defense Industrial Base (DIB) Sector organization compromised by advanced persistent threat (APT) actors.

CISA analyzed 4 files associated with HyperBro malware. The files creates a backdoor program that is capable of uploading and downloading files to and from the system. The RAT is also capable of logging keystrokes and executing commands on the system.

For more information on the confirmed compromise, see Joint CSA: Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization.

Download the STIX version of this report: MAR-10365227-2.v1 249B

Submitted Files (4)

52072a8f99dacd5c293fccd051eab95516d8b880cd2bc5a7e0f4a30d008e22a7 (vftrace.dll)

df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348 (msmpeng.exe)

f1a2791eebaea183f399110c9e8ae11c67f5bebf93a5573d1ac3c56fc71b2230 (config.ini)

f2ba8b8aabf73020febd3a925276d52ce88f295537fe57723df714c13f5a8780 (thumb.dat)

IPs (1)

104.168.236.46

df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348

Tags

loader

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Packers/Compilers/Cryptors

Relationships

Description

This artifact is a version of vf_host.exe from Viewfinity. The file is used to side-load the malicious dynamic-link library (DLL), vftrace.dll.

The program is also capable of bypassing User Account Controls (UAC) on the system by disabling Admin Approval Mode in User Account Controls Group Policy in HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem. This can allow the malware to run with Admin privileges, or allow remote logon (RDP) with full Admin privileges.

52072a8f99dacd5c293fccd051eab95516d8b880cd2bc5a7e0f4a30d008e22a7

Tags

trojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Packers/Compilers/Cryptors

Relationships

Description

This DLL is side-loaded by df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348 detailed in this report.

When the DLL is executed it will create a Globally Unique Identifier (GUID) to identify the system to the command and control (C2) during communication. The GUID is written to a file called 'Config.ini' and placed in the current directory.

The program will decrypt and read a configuration file called 'thumb.dat' that instructs it to spawn a new instance of the Service Host Process (svchost.exe) and inject itself into the new instance. Svchost.exe is run with the -k netsvcs parameter to allow the malware to connect to its C2. The malware collects the following information to send to the C2 via POST when establishing a connection.

---Begin Collected Information---
Computer Name
IP Address
Path to the malware location
Process name that it is running in (svchost.exe)
Mode
Name of the malware
GUID
---End Collected Information---

During analysis, the malware attempted to connect to the Uniform Resource Identifier (URI), hxxps[:]//104.168.236.46/api/v2/ajax using the fixed User-Agent string Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36.

To achieve persistence on the system, the program creates a service in the registry called ‘Windows Defenders Service’ that starts automatically when the user logs on.

---Begin Registry Settings---
HKLMSystemCurrentControlSetserviceswindefendersType. Data: 272
HKLMSystemCurrentControlSetserviceswindefendersStart. Data: 2
HKLMSystemCurrentControlSetserviceswindefendersErrorControl. Data: 1
HKLMSystemCurrentControlSetserviceswindefendersImagePath    Data: “C:Program Files (x86)Common Fileswindefendersmsmpenge.exe"
HKLMSystemCurrentControlSetserviceswindefendersDisplayName    Data: Windows Defenders
HKLMSystemCurrentControlSetserviceswindefendersWOW64. Data: 1
HKLMSystemCurrentControlSetserviceswindefendersObjectName. Data: LocalSystem
HKLMSystemCurrentControlSetserviceswindefende37337060DeleteFlag. Data: 1
HKLMSystemCurrentControlSetserviceswindefende37337060Start. Data: 4
HKLMSystemCurrentControlSetserviceswindefendersDescription    Data: Windows Defenders Service
---End Registry Settings---

It may also create an autorun entry in the registry at HKLMSoftwareMicrosoftWindowsCurrent VersionRun.

The malware creates a hidden folder called ‘windefenders’ in the path C:Program Files (x86)Common Files where it will copy the PE file ‘msmpeng.exe’ along with the GUID file, ‘config.ini’, the malicious library ‘vftrace.dll’, and the encrypted configuration file ‘thumb.dat’. A second hidden folder called ‘windefenders’ is also created in the path C:ProgramData. This folder holds another instance of the PE file.

The program is capable of logging keystrokes, uploading and downloading files, and will also invoke RpcServerListen to wait for incoming Remote Procedure Call (RPC) connections. It will also open a pipe called ‘DeviceNamedPipetestpipe’ that it uses to pass commands from its daemon to any worker processes it may set up.

104.168.236.46

Tags

command-and-control

URLs

• hxxps[:]//104.168.236.46/api/v2/ajax

Ports

• 443 TCP

Whois

Domain Name: HOSTWINDSDNS.COM
Registry Domain ID: 1655837964_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2021-06-25T06:27:14Z
Creation Date: 2011-05-12T23:01:53Z
Registry Expiry Date: 2029-05-12T23:01:53Z
Registrar: NameCheap, Inc.
Registrar IANA ID: 1068
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.6613102107
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: DNS1.HOSTWINDSDNS.COM
Name Server: DNS2.HOSTWINDSDNS.COM
Name Server: DNS3.HOSTWINDSDNS.COM
Name Server: DNS4.HOSTWINDSDNS.COM
DNSSEC: unsigned

Domain name: hostwindsdns.com
Registry Domain ID: 1655837964_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2020-04-27T12:40:10.00Z
Creation Date: 2011-05-12T23:01:53.00Z
Registrar Registration Expiration Date: 2029-05-12T23:01:53.00Z
Registrar: NAMECHEAP INC
Registrar IANA ID: 1068
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.9854014545
Reseller: NAMECHEAP INC
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: Redacted for Privacy Purposes
Registrant Name: Redacted for Privacy Purposes
Registrant Organization: Redacted for Privacy Purposes
Registrant Street: Redacted for Privacy Purposes
Registrant City: Redacted for Privacy Purposes
Registrant State/Province: WA
Registrant Postal Code: Redacted for Privacy Purposes
Registrant Country: US
Registrant Phone: Redacted for Privacy Purposes
Registrant Phone Ext: Redacted for Privacy Purposes
Registrant Fax: Redacted for Privacy Purposes
Registrant Fax Ext: Redacted for Privacy Purposes
Registrant Email: Select Contact Domain Holder link at https://www.namecheap.com/domains/whois/result?domain=hostwindsdns.com
Registry Admin ID: Redacted for Privacy Purposes
Admin Name: Redacted for Privacy Purposes
Admin Organization: Redacted for Privacy Purposes
Admin Street: Redacted for Privacy Purposes
Admin City: Redacted for Privacy Purposes
Admin State/Province: Redacted for Privacy Purposes
Admin Postal Code: Redacted for Privacy Purposes
Admin Country: Redacted for Privacy Purposes
Admin Phone: Redacted for Privacy Purposes
Admin Phone Ext: Redacted for Privacy Purposes
Admin Fax: Redacted for Privacy Purposes
Admin Fax Ext: Redacted for Privacy Purposes
Admin Email: Select Contact Domain Holder link at https://www.namecheap.com/domains/whois/result?domain=hostwindsdns.com
Registry Tech ID: Redacted for Privacy Purposes
Tech Name: Redacted for Privacy Purposes
Tech Organization: Redacted for Privacy Purposes
Tech Street: Redacted for Privacy Purposes
Tech City: Redacted for Privacy Purposes
Tech State/Province: Redacted for Privacy Purposes
Tech Postal Code: Redacted for Privacy Purposes
Tech Country: Redacted for Privacy Purposes
Tech Phone: Redacted for Privacy Purposes
Tech Phone Ext: Redacted for Privacy Purposes
Tech Fax: Redacted for Privacy Purposes
Tech Fax Ext: Redacted for Privacy Purposes
Tech Email: Select Contact Domain Holder link at https://www.namecheap.com/domains/whois/result?domain=hostwindsdns.com
Name Server: dns1.hostwindsdns.com
Name Server: dns2.hostwindsdns.com
Name Server: dns3.hostwindsdns.com
Name Server: dns4.hostwindsdns.com
DNSSEC: unsigned

Relationships

Description

During analysis, the file vftrace.dll attempted to connect to this domain.

f1a2791eebaea183f399110c9e8ae11c67f5bebf93a5573d1ac3c56fc71b2230

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

This artifact contains a GUID that is generated by the malware to uniquely identify the system during communication with the C2.

f2ba8b8aabf73020febd3a925276d52ce88f295537fe57723df714c13f5a8780

Tags

backdoorkeylogger

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

This artifact is the encrypted configuration data that is read by 52072a8f99dacd5c293fccd051eab95516d8b880cd2bc5a7e0f4a30d008e22a7 detailed in this report. The decrypted strings in the configuration are listed below:

---Begin Decrypted Strings---
system -k networkservice
svchost.exe
localservice -k localservice
networkservice
clip.log
rb %04/%02d%02d:%02d:%02d
ab+
SOFTWAREMicrosoft
config_ : %d %d %d %d
config.ini
Guid
Config %08X%04X%04X%02X%02X%02X%02X%02X%02X%02X%02X
RtlGetVersion
ntdll.dll
Vista
Win2008
Win7
Win2008(R2)
Win8
Win2012
Win8.1
Win2012(R2)
WinXp
Win2003
Win10
Win2016
IsWow64Process
kernel32
open
%d/%d/%d %d:%d
key.log
explorer.exe
/api/v2/ajax
POST
https://%s:%d/api/v2/ajax
pipetestpipe
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
config.ini
SOFTWAREMicrosoftWindowsCurrentVersionRun
log.log
%s%d
exe
wb
Kernel32.dll
msiexec.exe
cmd.exe
ntdll
SeDebugPrivilege
runas
taskmgr
exe
ccc
bbb
aaa
windefende%d
80A85553-1E05-4323-B4F9-43A4396A4507
Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36

---End Decrypted Strings---

This configuration allows the malware to connect to its C2, create persistence on the system, log keystrokes and telemetry data, and execute commands from the command line.

The following MITRE ATT&CK tactics and techniques were observed during analysis of these samples.

T1543.003 Persistence: Create or Modify System Process. Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg.

T1574.002 Hijack Execution Flow: DLL Side-Loading. Adversaries may execute their own malicious payloads by side-loading DLLs. Side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).

T1567.000 Exfiltration: Exfiltration Over Web Service. Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.

T1560.000 Collection: Archive Collected Data. An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

• Maintain up-to-date antivirus signatures and engines.
• Keep operating system patches up-to-date.
• Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
• Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
• Enforce a strong password policy and implement regular password changes.
• Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
• Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
• Disable unnecessary services on agency workstations and servers.
• Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
• Monitor users' web browsing habits; restrict access to sites with unfavorable content.
• Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
• Scan all software downloaded from the Internet prior to executing.
• Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

• 1-888-282-0870
• CISA Service Desk (UNCLASS)
• CISA SIPR (SIPRNET)
• CISA IC (JWICS)

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

• Web: https://malware.us-cert.gov
• E-Mail: submit@malware.us-cert.gov
• FTP: ftp.malware.us-cert.gov (anonymous)

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.