1. Home
  2. Software
  3. Hydraq

Hydraq

Hydraq is a data-theft trojan first used by Elderwood in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including APT17.[1][2][3][4][5][6][7][8]

ID: S0203
Associated Software: Roarur, MdmBot, HomeUnix, Homux, HidraQ, HydraQ, McRat, Aurora, 9002 RAT
Type: MALWARE
Platforms: Windows
Version: 2.0
Created: 18 April 2018
Last Modified: 20 March 2023
Version Permalink

Associated Software Descriptions

Name Description
Roarur

[9]
MdmBot

[9]
HomeUnix

[9]
Homux

[9]
HidraQ

[9]
HydraQ

[9]
McRat

[9]
Aurora

[2][3]
9002 RAT

[1]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1134 Access Token Manipulation

Hydraq creates a backdoor through which remote attackers can adjust token privileges.[10]
Enterprise T1543 .003 Create or Modify System Process: Windows Service

Hydraq creates new services to establish persistence.[3][10][11]
Enterprise T1005 Data from Local System

Hydraq creates a backdoor through which remote attackers can read data from files.[3][10]
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Hydraq C2 traffic is encrypted using bitwise NOT and XOR operations.[10]
Enterprise T1048 Exfiltration Over Alternative Protocol

Hydraq connects to a predefined domain on port 443 to exfil gathered information.[10]
Enterprise T1083 File and Directory Discovery

Hydraq creates a backdoor through which remote attackers can check for the existence of files, including its own components, as well as retrieve a list of logical drives.[3][10]
Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

Hydraq creates a backdoor through which remote attackers can clear all system event logs.[3][10]
.004 Indicator Removal: File Deletion

Hydraq creates a backdoor through which remote attackers can delete files.[3][10]
Enterprise T1105 Ingress Tool Transfer

Hydraq creates a backdoor through which remote attackers can download files and additional malware components.[3][10]
Enterprise T1112 Modify Registry

Hydraq creates a Registry subkey to register its created service, and can also uninstall itself later by deleting this value. Hydraq's backdoor also enables remote attackers to modify and delete subkeys.[3][10]
Enterprise T1027 Obfuscated Files or Information

Hydraq uses basic obfuscation in the form of spaghetti code.[2][3]
Enterprise T1057 Process Discovery

Hydraq creates a backdoor through which remote attackers can monitor processes.[3][10]
Enterprise T1012 Query Registry

Hydraq creates a backdoor through which remote attackers can retrieve system information, such as CPU speed, from Registry keys.[3][10]
Enterprise T1113 Screen Capture

Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop of an infected host.[10]
Enterprise T1129 Shared Modules

Hydraq creates a backdoor through which remote attackers can load and call DLL functions.[3][10]
Enterprise T1082 System Information Discovery

Hydraq creates a backdoor through which remote attackers can retrieve information such as computer name, OS version, processor speed, memory size, and CPU speed.[10]
Enterprise T1016 System Network Configuration Discovery

Hydraq creates a backdoor through which remote attackers can retrieve IP addresses of compromised machines.[3][10]
Enterprise T1007 System Service Discovery

Hydraq creates a backdoor through which remote attackers can monitor services.[3][10]
Enterprise T1569 .002 System Services: Service Execution

Hydraq uses svchost.exe to execute a malicious DLL included in a new service group.[11]

Groups That Use This Software

ID Name References
G0066 Elderwood

[2]
G0001 Axiom

[9][12]

References

  1. Petrovsky, O. (2016, August 30). “9002 RAT” -- a second building on the left. Retrieved February 20, 2018.
  2. O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.
  3. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  4. ASERT. (2015, August). ASERT Threat Intelligence Report – Uncovering the Seven Pointed Dagger. Retrieved March 19, 2018.
  5. Moran, N. et al.. (2013, November 10). Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method. Retrieved March 19, 2018.
  6. Huss, D. & Mesa, M. (2017, August 25). Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures. Retrieved March 19, 2018.
  1. Moran, N. (2013, May 20). Ready for Summer: The Sunshop Campaign. Retrieved March 19, 2018.
  2. Falcone, R. & Miller-Osborn, J. (2015, September 23). Chinese Actors Use ‘3102’ Malware in Attacks on US Government and EU Media. Retrieved March 19, 2018.
  3. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  4. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  5. Fitzgerald, P. (2010, January 26). How Trojan.Hydraq Stays On Your Computer. Retrieved February 22, 2018.
  6. Esler, J., Lee, M., and Williams, C. (2014, October 14). Threat Spotlight: Group 72. Retrieved January 14, 2016.