1. Home
  2. Software
  3. HyperBro

HyperBro

HyperBro is a custom in-memory backdoor used by Threat Group-3390.[1][2][3]

ID: S0398
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 09 July 2019
Last Modified: 12 October 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

HyperBro has used HTTPS for C2 communications.[1]
Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

HyperBro has used a legitimate application to sideload a DLL to decrypt, decompress, and run a payload.[1]
Enterprise T1070 .004 Indicator Removal on Host: File Deletion

HyperBro has the ability to delete a specified file.[1]
Enterprise T1105 Ingress Tool Transfer

HyperBro has the ability to download additional files.[1]
Enterprise T1106 Native API

HyperBro has the ability to run an application (CreateProcessW) or script/file (ShellExecuteW) via API.[1]
Enterprise T1055 Process Injection

HyperBro can run shellcode it injects into a newly created process.[1]
Enterprise T1113 Screen Capture

HyperBro has the ability to take screenshots.[1]
Enterprise T1007 System Service Discovery

HyperBro can list all services and their configurations.[1]
Enterprise T1569 .002 System Services: Service Execution

HyperBro has the ability to start and stop a specified service.[1]

Groups That Use This Software

ID Name References
G0027 Threat Group-3390

[1][2][3]

References

  1. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
  2. Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018.
  1. Khandelwal, S. (2018, June 14). Chinese Hackers Carried Out Country-Level Watering Hole Attack. Retrieved August 18, 2018.