1. Home
  2. Software
  3. HTTPBrowser

HTTPBrowser

HTTPBrowser is malware that has been used by several threat groups. [1] [2] It is believed to be of Chinese origin. [3]

ID: S0070
Associated Software: Token Control, HttpDump
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 20 March 2020
Version Permalink

Associated Software Descriptions

Name Description
HttpDump

[3]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

HTTPBrowser has used HTTP and HTTPS for command and control.[2][1]
.004 Application Layer Protocol: DNS

HTTPBrowser has used DNS for command and control.[2][1]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

HTTPBrowser has established persistence by setting the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key value for wdm to the path of the executable. It has also used the Registry entry HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run vpdn "%ALLUSERPROFILE%\%APPDATA%\vpdn\VPDN_LU.exe" to establish persistence.[4][1]
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

HTTPBrowser is capable of spawning a reverse shell on a victim.[2]
Enterprise T1083 File and Directory Discovery

HTTPBrowser is capable of listing files, folders, and drives on a victim.[2][4]
Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

HTTPBrowser abuses the Windows DLL load order by using a legitimate Symantec anti-virus binary, VPDN_LU.exe, to load a malicious DLL that mimics a legitimate Symantec DLL, navlu.dll.[4]
.002 Hijack Execution Flow: DLL Side-Loading

HTTPBrowser has used DLL side-loading.[2]
Enterprise T1070 .004 Indicator Removal: File Deletion

HTTPBrowser deletes its original installer file once installation is complete.[4]
Enterprise T1105 Ingress Tool Transfer

HTTPBrowser is capable of writing a file to the compromised system from the C2 server.[2]
Enterprise T1056 .001 Input Capture: Keylogging

HTTPBrowser is capable of capturing keystrokes on victims.[2]
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

HTTPBrowser's installer contains a malicious file named navlu.dll to decrypt and run the RAT. navlu.dll is also the name of a legitimate Symantec DLL.[4]
Enterprise T1027 Obfuscated Files or Information

HTTPBrowser's code may be obfuscated through structured exception handling and return-oriented programming.[2]

Groups That Use This Software

ID Name References
G0027 Threat Group-3390

[2][5][6][7]
G0026 APT18

[8]

References

  1. Shelmire, A.. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016.
  2. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  3. ThreatConnect Research Team. (2015, February 27). The Anthem Hack: All Roads Lead to China. Retrieved January 26, 2016.
  4. Desai, D.. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016.
  1. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  2. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
  3. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  4. Adair, S. (2017, February 17). Detecting and Responding to Advanced Threats within Exchange Environments. Retrieved March 20, 2017.