HTTPBrowser is malware that has been used by several threat groups. [1] [2] It is believed to be of Chinese origin. [3]

ID: S0070
Associated Software: Token Control, HttpDump

Platforms: Windows

Version: 1.0

Associated Software Descriptions


Techniques Used

EnterpriseT1059Command-Line InterfaceHTTPBrowser is capable of spawning a reverse shell on a victim.[2]
EnterpriseT1043Commonly Used PortOne HTTPBrowser variant connected to its C2 server over port 8080.[4]
EnterpriseT1038DLL Search Order HijackingHTTPBrowser abuses the Windows DLL load order by using a legitimate Symantec anti-virus binary, VPDN_LU.exe, to load a malicious DLL that mimics a legitimate Symantec DLL, navlu.dll.[4]
EnterpriseT1073DLL Side-LoadingHTTPBrowser has used DLL side-loading.[2]
EnterpriseT1083File and Directory DiscoveryHTTPBrowser is capable of listing files, folders, and drives on a victim.[2][4]
EnterpriseT1107File DeletionHTTPBrowser deletes its original installer file once installation is complete.[4]
EnterpriseT1056Input CaptureHTTPBrowser is capable of capturing keystrokes on victims.[2]
EnterpriseT1036MasqueradingHTTPBrowser's installer contains a malicious file named navlu.dll to decrypt and run the RAT. navlu.dll is also the name of a legitimate Symantec DLL.[4]
EnterpriseT1027Obfuscated Files or InformationHTTPBrowser's code may be obfuscated through structured exception handling and return-oriented programming.[2]
EnterpriseT1060Registry Run Keys / Startup FolderHTTPBrowser has established persistence by setting the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key value for wdm to the path of the executable. It has also used the Registry entry HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run vpdn “%ALLUSERPROFILE%\%APPDATA%\vpdn\VPDN_LU.exe” to establish persistence.[4][1]
EnterpriseT1105Remote File CopyHTTPBrowser is capable of writing a file to the compromised system from the C2 server.[2]
EnterpriseT1071Standard Application Layer ProtocolHTTPBrowser has used HTTP, HTTPS, and DNS for command and control.[2][1]


Groups that use this software:

Threat Group-3390