Hydraq

Hydraq is a data-theft trojan first used by Elderwood in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including APT17. [1] [2] [3] [4] [5] [6] [7] [8]

ID: S0203
Aliases: Hydraq, Aurora, 9002 RAT
Type: MALWARE
Platforms: Windows

Version: 1.0

Alias Descriptions

| Name     | Description |
|----------|-------------|
| Hydraq   | [2] [3]     |
| Aurora   | [2] [3]     |
| 9002 RAT | [1]         |

Techniques Used

| Domain     | ID    | Name | Use |
|------------|-------|------|-----|
| Enterprise | T1134 | Access Token Manipulation | Hydraq creates a backdoor through which remote attackers can adjust token privileges. [9] |
| Enterprise | T1024 | Custom Cryptographic Protocol | Hydraq C2 traffic is encrypted using bitwise NOT and XOR operations. [9] |
| Enterprise | T1005 | Data from Local System | Hydraq creates a backdoor through which remote attackers can read data from files. [3] [9] |
| Enterprise | T1129 | Execution through Module Load | Hydraq creates a backdoor through which remote attackers can load and call DLL functions. [3] [9] |
| Enterprise | T1048 | Exfiltration Over Alternative Protocol | Hydraq connects to a predefined domain on port 443 to exfiltrate gathered information. [9] |
| Enterprise | T1083 | File and Directory Discovery | Hydraq creates a backdoor through which remote attackers can check for the existence of files, including its own components, as well as retrieve a list of logical drives. [3] [9] |
| Enterprise | T1107 | File Deletion | Hydraq creates a backdoor through which remote attackers can delete files. [3] [9] |
| Enterprise | T1070 | Indicator Removal on Host | Hydraq creates a backdoor through which remote attackers can clear all system event logs. [3] [9] |
| Enterprise | T1112 | Modify Registry | Hydraq creates a Registry subkey to register its created service, and can also uninstall itself later by deleting this value. Hydraq's backdoor also enables remote attackers to modify and delete subkeys. [3] [9] |
| Enterprise | T1050 | New Service | Hydraq creates new services to establish persistence. [3] [9] [10] |
| Enterprise | T1027 | Obfuscated Files or Information | Hydraq uses basic obfuscation in the form of spaghetti code. [2] [3] |
| Enterprise | T1057 | Process Discovery | Hydraq creates a backdoor through which remote attackers can monitor processes. [3] [9] |
| Enterprise | T1012 | Query Registry | Hydraq creates a backdoor through which remote attackers can retrieve system information, such as CPU speed, from Registry keys. [3] [9] |
| Enterprise | T1105 | Remote File Copy | Hydraq creates a backdoor through which remote attackers can download files and additional malware components. [3] [9] |
| Enterprise | T1113 | Screen Capture | Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop of an infected host. [9] |
| Enterprise | T1035 | Service Execution | Hydraq uses svchost.exe to execute a malicious DLL included in a new service group. [10] |
| Enterprise | T1082 | System Information Discovery | Hydraq creates a backdoor through which remote attackers can retrieve information such as computer name, OS version, processor speed, memory size, and CPU speed. [9] |
| Enterprise | T1016 | System Network Configuration Discovery | Hydraq creates a backdoor through which remote attackers can retrieve IP addresses of compromised machines. [3] [9] |
| Enterprise | T1007 | System Service Discovery | Hydraq creates a backdoor through which remote attackers can monitor services. [3] [9] |

Groups

Groups that use this software:

Axiom
Elderwood

References