Examining APT27 and the HyperBro RAT

DarrenMccutchen
2022-12-10 09:36 AM

Earlier this fall, the Cybersecurity & Infrastructure Security Agency (CISA) released an alert bulletin detailing campaigns perpetrated by several advanced persistent threat (APT) groups against a defense organization(1). While several of the tools highlighted in the report had ties to several Chinese-sponsored cyber groups (China Chopper, CovalentStealer, Impacket), the use of the HyperBro Remote Access Trojan (RAT) pointed to the involvement of one prolific threat group in particular: APT27.

In this blog post, we will review the history of the threat group, highlight well-known attacks attributed to APT27, and use NetWitness to analyze the HyperBro RAT, one of the more widely used pieces of malware in the APT27 toolkit.

APT27 Background:

APT27 is a sophisticated cyber threat group believed to be sponsored by the Chinese government. Commonly referred to by several aliases, including EMISSARY PANDA, Bronze Union, Budworm, Iron Tiger, TG-3390, and LuckyMouse, APT27 has been targeting victims since at least 2010(2). The group has successfully executed multiple long-term, highly targeted attacks against organizations in multiple industries (defense, technology, energy, and manufacturing, among others). Originally, APT27 focused solely on espionage, infiltrating networks to monitor, gather, and exfiltrate sensitive data. In recent years, however, its tactics have expanded toward financially motivated cybercrime, with known APT27 malware used to deliver cryptominers(3) and ransomware(4). Over the course of APT27’s existence, the group has displayed an ability to gain access using several techniques. Whereas APT27 initially used spearphishing as its main infiltration vector, the group has expanded its capabilities to include exploitation of vulnerabilities on web-facing systems(5), compromise of third-party applications(6), and supply-chain attacks(7).

To conduct their tradecraft, APT27 uses a combination of proprietary malware, malware shared amongst several suspected Chinese cybercrime groups, and publicly available open-source software. The first malware associated with an early iteration of the group was the infamous Gh0st RAT in 2009. Since that time, other well-known malware such as ZxShell, PlugX, SysUpdate, and HyperBro has been heavily linked to APT27. Additionally, modified versions of legitimate software such as HTTPBrowser, Impacket, and gsecdump have been used during the group’s intrusions. Through regular maintenance and updating of its toolset, APT27 has been adept at bypassing traditional security detections. This diverse collection of tools allows APT27 to adapt its tactics as needed, essentially giving the group a “Swiss army knife” for compromising vastly different target environments.

Notable Attacks Linked to APT27:

  • February 2015 - American health insurance provider Anthem disclosed that it was the victim of a data breach in which the PII of 78.8 million people was stolen(8). Post-breach analysis revealed the initial access vector to be a phishing email sent to an employee a year prior. According to the same report, the breach resulted in Anthem spending $260 million to fix security-related issues and an additional $39 million to settle lawsuits from affected victims. Although this attack was never directly attributed to a nation state, the presence of several APT27 TTPs (including C2 infrastructure and software) made the group the most likely culprit.
  • March 2018 - APT27 compromised the national data center of a Central Asian country(9). While present in the victim network for at least 4 months, the threat group used the victim’s official websites to run a watering hole attack. Users who interacted with malicious links hosted on these websites were redirected to APT27-controlled domains and silently downloaded the ScanBox and BeEF frameworks to their systems. The APT27 tool HyperBro was found on several systems inside the targeted environment.
  • March 2021 - The BfV, Germany’s domestic intelligence service, released a report alerting on APT27 attacks against German commercial organizations(10). In the documented attacks, APT27 exploited vulnerabilities in Zoho ADSelfService Plus, a self-service password management tool, to gain initial access. Once on the network, the threat group conducted espionage activity by leveraging legitimate software vulnerable to DLL side-loading to load the HyperBro RAT in memory.
  • April 2022 - Campaigns against a Middle Eastern government, an electronics manufacturer, a U.S. state legislature, and a Southeast Asian hospital were all attributed to APT27(11). In these attacks, APT27 took advantage of the Log4j vulnerabilities to install web shells on web servers. Again, APT27 deployed its HyperBro RAT by dropping a copy of legitimate software (in these instances, CyberArk Viewfinity) on victim systems and DLL side-loading the payload in memory.

HyperBro - APT27's Premier Payload:

Across recent intrusions linked to APT27, the most frequently observed piece of malware is the HyperBro RAT. HyperBro is an in-memory remote access trojan used by APT27 for backdoor access on targeted systems. HyperBro abuses DLL side-loading to compromise victim systems (Bitdefender has an excellent write-up on DLL side-loading(12)). Once on the target host, the attacker drops two files into a directory of their choosing: a legitimate signed executable vulnerable to side-loading and a malicious loader DLL. When the executable runs, the malicious DLL is side-loaded and executed, which in turn loads the HyperBro payload; the payload is then decoded and loaded into memory. With HyperBro running on a system, attackers can execute commands both locally and remotely, log keystrokes, capture the screen, and modify services, processes, files, and the registry.

Analyzing HyperBro with NetWitness:

For a better understanding of how a HyperBro attack works, we used NetWitness to analyze the artifacts mentioned in CISA’s latest HyperBro briefing. To set up our detonation environment, we used a Windows 10 host and placed copies of the following files in a Desktop folder named HB-Test:

  • vf_host.exe – the legitimate CyberArk Viewfinity executable
    • SHA256: df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348
  • vftrace.dll – the malicious DLL side-loaded by Viewfinity; this contains the HyperBro payload
    • SHA256: 52072a8f99dacd5c293fccd051eab95516d8b880cd2bc5a7e0f4a30d008e22a7
  • thumb.dat – the configuration file that instructs the HyperBro payload how to operate
    • SHA256: f2ba8b8aabf73020febd3a925276d52ce88f295537fe57723df714c13f5a8780

Once vf_host.exe is executed on our “victim” system, vftrace.dll is loaded via side-loading (MITRE: T1574.002 - Hijack Execution Flow: DLL Side-Loading). The other files are then deleted from the HB-Test folder on the host.

[Image: HB-Test Files gone.png] HyperBro files removed from the original folder HB-Test

At the same time, vf_host.exe drops copies of the previously removed files vftrace.dll and thumb.dat into a newly created hidden directory, C:\ProgramData\windefenders (MITRE: T1564.001 - Hide Artifacts: Hidden Files and Directories). A copy of vf_host.exe renamed to msmpeng.exe is also placed in the new windefenders directory, along with a file config.ini that contains system identification information used in later command-and-control (C2) communications.

[Image: All files copied to windefenders.png] HyperBro files copied to C:\ProgramData\windefenders

In our NetWitness SIEM we can see the ‘renameToExecutable’ and ‘writeToExecutable’ events related to this activity.

[Image: NW1.png] vf_host.exe moves vftrace.dll to C:\ProgramData\windefenders

[Image: NW2.jpg] vf_host.exe makes a copy of itself, named msmpeng.exe, in C:\ProgramData\windefenders

After decoding thumb.dat (MITRE: T1140 - Deobfuscate/Decode Files or Information), HyperBro spawns a new svchost.exe and injects itself into that process (MITRE: T1055 – Process Injection). HyperBro then establishes persistence by adding a windefenders entry to the Startup Run registry key (MITRE: T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder).

[Image: Registry Run Key.jpg] windefenders added to the Startup Run registry key for persistence

Looking back at our threat lab SIEM, we see the corresponding ‘createRegistryValue’ activity.

[Image: NWThree.png] NetWitness captures the registry edit made by HyperBro

The last activity seen in NetWitness is the attempted network connection to the C2 server 104.168.236.43 mentioned in the CISA report (MITRE: T1071.001 - Application Layer Protocol: Web Protocols).

[Image: NW4.png] HyperBro C2 communication attempt
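The behaviors observed in this detonation (files written or renamed into the hidden windefenders directory, the three known file hashes, the Run-key entry pointing into that directory, and the connection to 104.168.236.43) can be chained into a simple host-level correlator. The Python below is an added example written for this post; it is not code from the original article and not the logic of the NetWitness Live App Rules. It runs over constructed sample endpoint events in JSON-lines form; the field names (`host`, `category`, `action`, `target`, `sha256`, `key`, `value_data`, `dst_ip`) and the HKCU hive for the Run key are assumptions for the example, not the NetWitness Endpoint schema.

```python
import json

# Indicators taken from this post: the drop directory, the C2 address and the
# SHA256 hashes of the three files used in the detonation.
HYPERBRO_DIR = r"c:\programdata\windefenders"
HYPERBRO_C2 = "104.168.236.43"
HYPERBRO_HASHES = {
    "df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348": "vf_host.exe (legitimate CyberArk Viewfinity)",
    "52072a8f99dacd5c293fccd051eab95516d8b880cd2bc5a7e0f4a30d008e22a7": "vftrace.dll (side-loaded HyperBro loader)",
    "f2ba8b8aabf73020febd3a925276d52ce88f295537fe57723df714c13f5a8780": "thumb.dat (HyperBro config)",
}
# Standard Windows autostart key; the post names the "Startup Run" key without a hive,
# so the suffix is matched regardless of HKLM/HKCU.
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"

# Constructed sample endpoint events (JSON lines). The field names are an
# assumption for this example, not the NetWitness Endpoint schema.
SAMPLE_EVENTS = r"""
{"host": "WS01", "category": "file", "action": "renameToExecutable", "process": "C:\\Users\\lab\\Desktop\\HB-Test\\vf_host.exe", "target": "C:\\ProgramData\\windefenders\\vftrace.dll", "sha256": "52072a8f99dacd5c293fccd051eab95516d8b880cd2bc5a7e0f4a30d008e22a7"}
{"host": "WS01", "category": "file", "action": "writeToExecutable", "process": "C:\\Users\\lab\\Desktop\\HB-Test\\vf_host.exe", "target": "C:\\ProgramData\\windefenders\\msmpeng.exe", "sha256": "df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348"}
{"host": "WS01", "category": "registry", "action": "createRegistryValue", "process": "C:\\Windows\\System32\\svchost.exe", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value_name": "windefenders", "value_data": "C:\\ProgramData\\windefenders\\msmpeng.exe"}
{"host": "WS01", "category": "network", "action": "connect", "process": "C:\\Windows\\System32\\svchost.exe", "dst_ip": "104.168.236.43", "dst_port": 443}
{"host": "WS02", "category": "file", "action": "writeToExecutable", "process": "C:\\Program Files\\Vendor\\setup.exe", "target": "C:\\ProgramData\\Vendor\\app.exe", "sha256": "0000000000000000000000000000000000000000000000000000000000000000"}
{"host": "WS02", "category": "registry", "action": "createRegistryValue", "process": "C:\\Windows\\explorer.exe", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value_name": "VendorAgent", "value_data": "C:\\Program Files\\Vendor\\agent.exe"}
"""


def _norm(path):
    """Lower-case a Windows path and unify slashes so comparisons are stable."""
    return (path or "").lower().replace("/", "\\")


def classify_event(ev):
    """Return the set of HyperBro stages a single event matches (empty if none)."""
    hits = set()
    cat, action = ev.get("category"), ev.get("action")
    # Stage 1: loader, config or renamed EXE written into the hidden windefenders directory.
    if cat == "file" and action in ("writeToExecutable", "renameToExecutable"):
        if _norm(ev.get("target")).startswith(HYPERBRO_DIR + "\\"):
            hits.add("drop")
    # Any event carrying one of the known file hashes from this analysis.
    if ev.get("sha256", "").lower() in HYPERBRO_HASHES:
        hits.add("known_hash")
    # Stage 2: Run-key value whose data points into the windefenders directory.
    if cat == "registry" and action == "createRegistryValue":
        if _norm(ev.get("key")).endswith(RUN_KEY_SUFFIX) and HYPERBRO_DIR in _norm(ev.get("value_data")):
            hits.add("persistence")
    # Stage 3: outbound connection to the C2 address named in the CISA report.
    if cat == "network" and ev.get("dst_ip") == HYPERBRO_C2:
        hits.add("c2")
    return hits


def correlate(lines):
    """Parse JSON-lines events and collect the matched stages per host."""
    per_host = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        stages = classify_event(ev)
        if stages:
            per_host.setdefault(ev["host"], set()).update(stages)
    return per_host


def hosts_with_chain(per_host, min_stages=2):
    """Hosts where at least min_stages distinct stages were seen. A lone drop or
    hash hit is worth triage; two or more stages together is the HyperBro chain."""
    return sorted(h for h, s in per_host.items() if len(s) >= min_stages)


def describe_hash(sha256):
    """Map a SHA256 to the file role from this analysis, or None if unknown."""
    return HYPERBRO_HASHES.get((sha256 or "").lower())


if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS.splitlines())
    for host, stages in found.items():
        print(host, sorted(stages))
    print("hosts with HyperBro chain:", hosts_with_chain(found))
```

On the constructed input, WS01 matches all four stages and is reported, while WS02's ordinary installer write and vendor Run-key entry produce no hits. The stage names are generic on purpose; a real deployment would map them onto whatever rule names the SIEM already uses and would key the hash lookup to a maintained indicator feed rather than the three values hard-coded here.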

Conclusion:

APT27 is a highly skilled adversary with no indication of stopping anytime soon. Because of its ability to quickly weaponize novel tools and intrusion methods, the group seems poised to continue operations across multiple sectors and geographic regions. It will be interesting to see whether the financial motivation displayed by APT27 in recent attacks continues or whether the group reverts to an espionage-only model.

The following App Rules, currently available on NetWitness Live, should help organizations identify suspicious HyperBro activity with NetWitness Endpoint:

  • Hijacked DLL Loads HyperBro Payload
  • HyperBro Registry Creation
  • HyperBro Files Dropped (windefenders)
  • Possible HyperBro Named Pipe

In addition, the HTTP Lua Parser has been updated with the following detections:

  • HyperBro C2
  • HyperBro download

References:

(1) https://www.cisa.gov/uscert/ncas/alerts/aa22-277a

(2) https://attack.mitre.org/groups/G0027/

(3) https://thehackernews.com/2018/02/cyber-espionage-asia.html

(4) https://threatpost.com/ransomware-major-gaming-companies-apt27/162735/

(5) https://www.hvs-consulting.de/public/ThreatReport-EmissaryPanda.pdf

(6) https://shared-public-reports.s3-eu-west-1.amazonaws.com/APT27+turns+to+ransomware.pdf

(7) https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html

(8) https://www.nytimes.com/2015/02/06/business/experts-suspect-lax-security-left-anthem-vulnerable-to-hackers.html

(9) https://securelist.com/luckymouse-hits-national-data-center/86083/

(10) https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2022-01-bfv-cyber-brief.pdf;jsessionid=DD8B1B9E764E2A09F4E9DABC127695C1.intranet232?__blob=publicationFile&v=10

(11) https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/budworm-espionage-us-state

(12) https://businessinsights.bitdefender.com/tech-explainer-what-is-dll-sideloading

 
