Hydraq

Hydraq is a data-theft trojan first used by Elderwood in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including APT17. [1] [2] [3] [4] [5] [6] [7] [8]

ID: S0203
Associated Software: Aurora, 9002 RAT
Type: MALWARE
Platforms: Windows
Version: 1.0

Associated Software Descriptions

Name Description
Aurora [2] [3]
9002 RAT [1]

Techniques Used

Domain ID Name Use
Enterprise T1134 Access Token Manipulation Hydraq creates a backdoor through which remote attackers can adjust token privileges.[9]
Enterprise T1024 Custom Cryptographic Protocol Hydraq C2 traffic is encrypted using bitwise NOT and XOR operations.[9]
Enterprise T1005 Data from Local System Hydraq creates a backdoor through which remote attackers can read data from files.[3][9]
Enterprise T1129 Execution through Module Load Hydraq creates a backdoor through which remote attackers can load and call DLL functions.[3][9]
Enterprise T1048 Exfiltration Over Alternative Protocol Hydraq connects to a predefined domain on port 443 to exfiltrate gathered information.[9]
Enterprise T1083 File and Directory Discovery Hydraq creates a backdoor through which remote attackers can check for the existence of files, including its own components, as well as retrieve a list of logical drives.[3][9]
Enterprise T1107 File Deletion Hydraq creates a backdoor through which remote attackers can delete files.[3][9]
Enterprise T1070 Indicator Removal on Host Hydraq creates a backdoor through which remote attackers can clear all system event logs.[3][9]
Enterprise T1112 Modify Registry Hydraq creates a Registry subkey to register its created service, and can also uninstall itself later by deleting this subkey. Hydraq's backdoor also enables remote attackers to modify and delete subkeys.[3][9]
Enterprise T1050 New Service Hydraq creates new services to establish persistence.[3][9][10]
Enterprise T1027 Obfuscated Files or Information Hydraq uses basic obfuscation in the form of spaghetti code.[2][3]
Enterprise T1057 Process Discovery Hydraq creates a backdoor through which remote attackers can monitor processes.[3][9]
Enterprise T1012 Query Registry Hydraq creates a backdoor through which remote attackers can retrieve system information, such as CPU speed, from Registry keys.[3][9]
Enterprise T1105 Remote File Copy Hydraq creates a backdoor through which remote attackers can download files and additional malware components.[3][9]
Enterprise T1113 Screen Capture Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop of an infected host.[9]
Enterprise T1035 Service Execution Hydraq uses svchost.exe to execute a malicious DLL included in a new service group.[10]
Enterprise T1082 System Information Discovery Hydraq creates a backdoor through which remote attackers can retrieve information such as computer name, OS version, processor speed, and memory size.[9]
Enterprise T1016 System Network Configuration Discovery Hydraq creates a backdoor through which remote attackers can retrieve IP addresses of compromised machines.[3][9]
Enterprise T1007 System Service Discovery Hydraq creates a backdoor through which remote attackers can monitor services.[3][9]
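The NOT-and-XOR C2 encoding from the T1024 row above, as an added example that is not Hydraq's routine or a MITRE artefact: the page states only that the traffic is obfuscated with bitwise NOT and XOR, so the key length, key bytes, order of the two operations, the "HYDR|host=" header and the beacon text below are all assumptions made for illustration. It shows why the NOT step adds nothing over plain XOR and how a few bytes of known plaintext recover the key from a capture.

```python
"""NOT-then-XOR C2 obfuscation and known-plaintext key recovery.

Added example: the page only says Hydraq C2 traffic is encoded with bitwise
NOT and XOR. The key length, key bytes, operation order, header and beacon
message below are assumptions for illustration, not the real format.
"""
from typing import Optional, Tuple

# Constructed sample data: an assumed key and an assumed beacon message.
SAMPLE_KEY = bytes([0x5A, 0xC3, 0x91, 0x07])
SAMPLE_BEACON = b"HYDR|host=WS01;user=alice;os=6.1.7601;ip=10.0.0.5"
# Assumed fixed header an analyst has already seen in other captures.
KNOWN_PREFIX = b"HYDR|host="


def _check_key(key: bytes) -> None:
    if not key:
        raise ValueError("key must be non-empty")


def not_xor_encode(data: bytes, key: bytes) -> bytes:
    """Bitwise NOT each byte, then XOR with a repeating key (assumed order)."""
    _check_key(key)
    return bytes(((~b) & 0xFF) ^ key[i % len(key)] for i, b in enumerate(data))


def not_xor_decode(data: bytes, key: bytes) -> bytes:
    """Undo not_xor_encode: XOR with the key, then NOT."""
    _check_key(key)
    return bytes((~(b ^ key[i % len(key)])) & 0xFF for i, b in enumerate(data))


def equivalent_xor_key(key: bytes) -> bytes:
    """NOT is XOR with 0xFF, so NOT-then-XOR(key) equals XOR(key ^ 0xFF)."""
    return bytes(k ^ 0xFF for k in key)


def xor_only(data: bytes, key: bytes) -> bytes:
    """Plain repeating-key XOR, used to demonstrate the equivalence above."""
    _check_key(key)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Recover a repeating key from key_len bytes of known plaintext.

    Every output byte depends only on its own input byte and one key byte:
        c[i] = (~p[i] & 0xFF) ^ k[i % key_len]
    so  k[i % key_len] = c[i] ^ (~p[i] & 0xFF).
    """
    if key_len <= 0 or len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of ciphertext and known plaintext")
    return bytes(ciphertext[i] ^ ((~known_plaintext[i]) & 0xFF) for i in range(key_len))


def decode_capture(ciphertext: bytes, known_prefix: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Try key lengths shorter than the known prefix and return (key, plaintext)
    for the first length whose recovered key reproduces the entire prefix.

    A candidate length equal to the prefix length is never accepted, because
    then every prefix byte was used to derive the key and none is left to
    verify it; at least one verification byte is required.
    """
    if len(ciphertext) < len(known_prefix):
        return None
    for key_len in range(1, len(known_prefix)):
        key = recover_key(ciphertext, known_prefix, key_len)
        if not_xor_decode(ciphertext[: len(known_prefix)], key) == known_prefix:
            return key, not_xor_decode(ciphertext, key)
    return None


def demo() -> Optional[Tuple[bytes, bytes]]:
    """Encode the constructed beacon, then recover key and text from the capture."""
    captured = not_xor_encode(SAMPLE_BEACON, SAMPLE_KEY)
    return decode_capture(captured, KNOWN_PREFIX)


if __name__ == "__main__":
    result = demo()
    if result:
        print("key:", result[0].hex(), "plaintext:", result[1].decode())
```

The practical point for detection engineering: because both operations are bytewise and linear over GF(2), the scheme is a repeating-key XOR with the key complemented, so any stable header in the beacon (or a padding run, or a known hostname) is enough to strip it in a packet decoder without ever recovering the implant's key material from disk.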
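The svchost.exe service-group persistence from the T1050 and T1035 rows above, as an added hunting example that is not Hydraq code or a MITRE artefact. The two registry snapshots, the service, group and DLL names, and the baseline group list are constructed for the example; the ServiceDll value, which on a real host lives under the service's Parameters subkey, is flattened into the service dict for brevity, and %SystemRoot% is assumed to be C:\Windows. On a live host the same two dicts would be filled from winreg or a `reg export` of the Svchost and Services keys. It flags three things a dropped-in service DLL tends to produce: a group absent from a known-good baseline, a ServiceDll outside the system directories, and a service whose ImagePath -k argument disagrees with the group that lists it.

```python
"""Hunt for svchost.exe service groups hosting a non-standard ServiceDll.

Added example, not Hydraq code. All registry contents below are constructed;
populate SVCHOST_GROUPS from HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost
and SERVICES from HKLM\\SYSTEM\\CurrentControlSet\\Services on a real host.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

SYSTEM_ROOT = r"C:\Windows"  # assumed; read from the host in practice
SYSTEM_DLL_DIRS = (r"c:\windows\system32\\".rstrip("\\") + "\\",
                   r"c:\windows\syswow64\\".rstrip("\\") + "\\")

# Assumed baseline of svchost groups captured from a known-good build (constructed).
BASELINE_GROUPS: Set[str] = {"netsvcs", "localservice", "networkservice", "rpcss", "dcomlaunch"}

# Constructed snapshot of the Svchost key: group name -> REG_MULTI_SZ member list.
SVCHOST_GROUPS: Dict[str, List[str]] = {
    "netsvcs": ["Schedule", "BITS", "UpdSvc", "GhostSvc"],
    "rpcss": ["RpcSs"],
    "SysMgmt": ["NetMgmtSvc"],  # hypothetical group added by an implant
}

# Constructed snapshot of Services\<name>; ServiceDll flattened from Parameters.
SERVICES: Dict[str, Dict[str, str]] = {
    "Schedule": {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
                 "ServiceDll": r"%SystemRoot%\system32\schedsvc.dll"},
    "BITS": {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
             "ServiceDll": r"%SystemRoot%\System32\qmgr.dll"},
    # hypothetical: DLL dropped outside the system directories
    "UpdSvc": {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
               "ServiceDll": r"C:\ProgramData\upd\upd.dll"},
    "RpcSs": {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k rpcss",
              "ServiceDll": r"%SystemRoot%\system32\rpcss.dll"},
    # hypothetical: plausible name, lives in System32, only the new group gives it away
    "NetMgmtSvc": {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k SysMgmt",
                   "ServiceDll": r"%SystemRoot%\system32\netmgr32.dll"},
}


def expand(path: str) -> str:
    """Lower-case a registry path and expand the assumed %SystemRoot%."""
    return path.lower().replace("%systemroot%", SYSTEM_ROOT.lower())


def group_from_imagepath(image_path: str) -> Optional[str]:
    """Return the -k group an svchost ImagePath names, or None if not svchost."""
    m = re.search(r'svchost\.exe"?\s+-k\s+"?([^\s"]+)', image_path, re.IGNORECASE)
    return m.group(1).lower() if m else None


def hunt(groups: Dict[str, List[str]], services: Dict[str, Dict[str, str]],
         baseline: Set[str]) -> List[Tuple[str, str]]:
    """Return (object, reason) findings for suspicious svchost groups and members."""
    findings: List[Tuple[str, str]] = []
    for group, members in groups.items():
        if group.lower() not in baseline:
            findings.append((group, "svchost group not in baseline"))
        for name in members:
            svc = services.get(name)
            if svc is None:
                findings.append((name, f"listed in group {group} but has no Services key"))
                continue
            k = group_from_imagepath(svc.get("ImagePath", ""))
            if k != group.lower():
                findings.append((name, f"ImagePath -k '{k}' does not match group {group}"))
            dll = svc.get("ServiceDll")
            if not dll:
                findings.append((name, "svchost-hosted service without a ServiceDll"))
            elif not expand(dll).startswith(SYSTEM_DLL_DIRS):
                findings.append((name, f"ServiceDll outside system directories: {dll}"))
    return findings


if __name__ == "__main__":
    for obj, reason in hunt(SVCHOST_GROUPS, SERVICES, BASELINE_GROUPS):
        print(f"{obj}: {reason}")
```

Note that the path check alone would miss the NetMgmtSvc case, whose DLL sits in System32 with a plausible name; only the comparison against a baseline of service groups surfaces it, which is why the group list, not just ServiceDll paths, belongs in the golden image.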

Groups

Groups that use this software:

Axiom
Elderwood

References