HyperBro is a custom in-memory backdoor used by Threat Group-3390.[1][2][3]
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols | |
Enterprise | T1140 | Deobfuscate/Decode Files or Information |
HyperBro can unpack and decrypt its payload prior to execution.[4][5] |
|
Enterprise | T1574 | .002 | Hijack Execution Flow: DLL Side-Loading |
HyperBro has used a legitimate application to sideload a DLL to decrypt, decompress, and run a payload.[1][5] |
Enterprise | T1070 | .004 | Indicator Removal: File Deletion | |
Enterprise | T1105 | Ingress Tool Transfer | ||
Enterprise | T1106 | Native API |
HyperBro has the ability to run an application ( |
|
Enterprise | T1027 | .002 | Obfuscated Files or Information: Software Packing | |
.013 | Obfuscated Files or Information: Encrypted/Encoded File |
HyperBro can be delivered encrypted to a compromised host.[4] |
||
Enterprise | T1055 | Process Injection |
HyperBro can run shellcode it injects into a newly created process.[1] |
|
Enterprise | T1113 | Screen Capture | ||
Enterprise | T1007 | System Service Discovery | ||
Enterprise | T1569 | .002 | System Services: Service Execution |
HyperBro has the ability to start and stop a specified service.[1] |