HTTPBrowser is malware that has been used by several threat groups. [1] [2] It is believed to be of Chinese origin. [3]
Name | Description |
---|---|
HttpDump |
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
HTTPBrowser has used HTTP and HTTPS for command and control.[2][1] |
.004 | Application Layer Protocol: DNS |
HTTPBrowser has used DNS for command and control.[2][1] |
||
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
HTTPBrowser has established persistence by setting the |
Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
HTTPBrowser is capable of spawning a reverse shell on a victim.[2] |
Enterprise | T1083 | File and Directory Discovery |
HTTPBrowser is capable of listing files, folders, and drives on a victim.[2][4] |
|
Enterprise | T1574 | .001 | Hijack Execution Flow: DLL Search Order Hijacking |
HTTPBrowser abuses the Windows DLL load order by using a legitimate Symantec anti-virus binary, VPDN_LU.exe, to load a malicious DLL that mimics a legitimate Symantec DLL, navlu.dll.[4] |
.002 | Hijack Execution Flow: DLL Side-Loading |
HTTPBrowser has used DLL side-loading.[2] |
||
Enterprise | T1070 | .004 | Indicator Removal on Host: File Deletion |
HTTPBrowser deletes its original installer file once installation is complete.[4] |
Enterprise | T1105 | Ingress Tool Transfer |
HTTPBrowser is capable of writing a file to the compromised system from the C2 server.[2] |
|
Enterprise | T1056 | .001 | Input Capture: Keylogging |
HTTPBrowser is capable of capturing keystrokes on victims.[2] |
Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
HTTPBrowser's installer contains a malicious file named navlu.dll to decrypt and run the RAT. navlu.dll is also the name of a legitimate Symantec DLL.[4] |
Enterprise | T1027 | Obfuscated Files or Information |
HTTPBrowser's code may be obfuscated through structured exception handling and return-oriented programming.[2] |
ID | Name | References |
---|---|---|
G0026 | APT18 | |
G0027 | Threat Group-3390 |