| Name | Description |
|---|---|
| Roarur | |
| MdmBot | |
| HomeUnix | |
| Homux | |
| HidraQ | |
| HydraQ | |
| McRat | |
| Aurora | |
| 9002 RAT | |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | Hydraq creates a backdoor through which remote attackers can read data from files.[3][10] |
| Enterprise | T1112 | Modify Registry | Hydraq creates a Registry subkey to register its created service, and can also uninstall itself later by deleting this value. Hydraq's backdoor also enables remote attackers to modify and delete subkeys.[3][10] |
| Enterprise | T1129 | Shared Modules | Hydraq creates a backdoor through which remote attackers can load and call DLL functions.[3][10] |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Hydraq creates new services to establish persistence.[3][10][11] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Hydraq C2 traffic is encrypted using bitwise NOT and XOR operations.[10] |
| Enterprise | T1113 | Screen Capture | Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop of an infected host.[10] |
| Enterprise | T1083 | File and Directory Discovery | Hydraq creates a backdoor through which remote attackers can check for the existence of files, including its own components, as well as retrieve a list of logical drives.[3][10] |
| Enterprise | T1048 | Exfiltration Over Alternative Protocol | Hydraq connects to a predefined domain on port 443 to exfiltrate gathered information.[10] |
| Enterprise | T1012 | Query Registry | Hydraq creates a backdoor through which remote attackers can retrieve system information, such as CPU speed, from Registry keys.[3][10] |
| Enterprise | T1027 | Obfuscated Files or Information | Hydraq uses basic obfuscation in the form of spaghetti code.[2][3] |
| Enterprise | T1070.001 | Indicator Removal: Clear Windows Event Logs | Hydraq creates a backdoor through which remote attackers can clear all system event logs.[3][10] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Hydraq creates a backdoor through which remote attackers can delete files.[3][10] |
| Enterprise | T1082 | System Information Discovery | Hydraq creates a backdoor through which remote attackers can retrieve information such as computer name, OS version, processor speed, memory size, and CPU speed.[10] |
| Enterprise | T1569.002 | System Services: Service Execution | Hydraq uses svchost.exe to execute a malicious DLL included in a new service group.[11] |
| Enterprise | T1007 | System Service Discovery | Hydraq creates a backdoor through which remote attackers can monitor services.[3][10] |
| Enterprise | T1016 | System Network Configuration Discovery | Hydraq creates a backdoor through which remote attackers can retrieve IP addresses of compromised machines.[3][10] |
| Enterprise | T1134 | Access Token Manipulation | Hydraq creates a backdoor through which remote attackers can adjust token privileges.[10] |
| Enterprise | T1105 | Ingress Tool Transfer | Hydraq creates a backdoor through which remote attackers can download files and additional malware components.[3][10] |
| Enterprise | T1057 | Process Discovery | Hydraq creates a backdoor through which remote attackers can monitor processes.[3][10] |