SYMBOLCOMMON_NAMEaka. SYNONYMS
win.hyperbro (Back to overview)

HyperBro

Actor(s): EMISSARY PANDA


HyperBro is a RAT that has been observed to target primarily within the gambling industries, though it has been spotted in other places as well. The malware typically consists of 3 or more components: a) a genuine loader typically with a signed certification b) a malicious DLL loader loaded from the former component via DLL hijacking c) an encrypted and compressed blob that decrypts to a PE-based payload which has its C2 information hardcoded within.

References
2023-07-18MandiantMandiant Intelligence
@online{intelligence:20230718:stealth:789e8b1, author = {Mandiant Intelligence}, title = {{Stealth Mode: Chinese Cyber Espionage Actors Continue to Evolve Tactics to Avoid Detection}}, date = {2023-07-18}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/chinese-espionage-tactics}, language = {English}, urldate = {2023-07-19} } Stealth Mode: Chinese Cyber Espionage Actors Continue to Evolve Tactics to Avoid Detection
BPFDoor SALTWATER SEASPY SideWalk ZuoRAT Daxin HyperBro HyperSSL Waterbear
2022-10-18IntrinsecIntrinsec, CERT Intrinsec
@online{intrinsec:20221018:apt27:1977039, author = {Intrinsec and CERT Intrinsec}, title = {{APT27 – One Year To Exfiltrate Them All: Intrusion In-Depth Analysis}}, date = {2022-10-18}, organization = {Intrinsec}, url = {https://www.intrinsec.com/apt27-analysis/}, language = {English}, urldate = {2022-11-07} } APT27 – One Year To Exfiltrate Them All: Intrusion In-Depth Analysis
HyperBro MimiKatz
2022-08-12Trend MicroDaniel Lunghi, Jaromír Hořejší
@online{lunghi:20220812:iron:c55d0cd, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users}}, date = {2022-08-12}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html}, language = {English}, urldate = {2022-08-18} } Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users
Rshell HyperBro
2022-08-12Trend MicroDaniel Lunghi, Jaromír Hořejší
@online{lunghi:20220812:iron:38c15d7, author = {Daniel Lunghi and Jaromír Hořejší}, title = {{Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users (IOCs)}}, date = {2022-08-12}, organization = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/iron-tiger-compromises-chat-application-mimi,-targets-windows,-mac,-and-linux-users/IOCs-IronTiger-compromises-chat-application-mimi-targets-windows-mac-linux-users.txt}, language = {English}, urldate = {2022-08-18} } Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users (IOCs)
HyperBro
2022-08-12SekoiaThreat & Detection Research Team
@online{team:20220812:luckymouse:2667f45, author = {Threat & Detection Research Team}, title = {{LuckyMouse uses a backdoored Electron app to target MacOS}}, date = {2022-08-12}, organization = {Sekoia}, url = {https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/}, language = {English}, urldate = {2022-08-18} } LuckyMouse uses a backdoored Electron app to target MacOS
HyperBro
2022-02-07CywareCyware
@online{cyware:20220207:apt27:e900fc7, author = {Cyware}, title = {{APT27 Group Targets German Organizations with HyperBro}}, date = {2022-02-07}, organization = {Cyware}, url = {https://cyware.com/news/apt27-group-targets-german-organizations-with-hyperbro-2c43b7cf/}, language = {English}, urldate = {2022-02-09} } APT27 Group Targets German Organizations with HyperBro
HyperBro
2022-01-26BleepingComputerSergiu Gatlan
@online{gatlan:20220126:german:06fb2dc, author = {Sergiu Gatlan}, title = {{German govt warns of APT27 hackers backdooring business networks}}, date = {2022-01-26}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/german-govt-warns-of-apt27-hackers-backdooring-business-networks/}, language = {English}, urldate = {2022-01-31} } German govt warns of APT27 hackers backdooring business networks
HyperBro
2022-01-26Bundesamt für VerfassungsschutzBundesamt für Verfassungsschutz
@online{verfassungsschutz:20220126:current:de1a6be, author = {Bundesamt für Verfassungsschutz}, title = {{Current cyber attack campaign against German business enterprises by APT27}}, date = {2022-01-26}, organization = {Bundesamt für Verfassungsschutz}, url = {https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2022-01-bfv-cyber-brief.pdf?__blob=publicationFile&v=10}, language = {English}, urldate = {2022-01-31} } Current cyber attack campaign against German business enterprises by APT27
HyperBro
2021-08-10FireEyeIsrael Research Team, U.S. Threat Intel Team
@online{team:20210810:unc215:dbc483a, author = {Israel Research Team and U.S. Threat Intel Team}, title = {{UNC215: Spotlight on a Chinese Espionage Campaign in Israel}}, date = {2021-08-10}, organization = {FireEye}, url = {https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel}, language = {English}, urldate = {2021-12-06} } UNC215: Spotlight on a Chinese Espionage Campaign in Israel
HyperBro HyperSSL MimiKatz
2021-04-29ESET ResearchRobert Lipovsky, Matthieu Faou, Tony Anscombe, Andy Garth, Daniel Chromek
@techreport{lipovsky:20210429:eset:ff67b6c, author = {Robert Lipovsky and Matthieu Faou and Tony Anscombe and Andy Garth and Daniel Chromek}, title = {{ESET Industry Report on Government: Targeted but not alone}}, date = {2021-04-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf}, language = {English}, urldate = {2021-05-03} } ESET Industry Report on Government: Targeted but not alone
Exaramel Crutch Exaramel HyperBro HyperSSL InvisiMole XDSpy
2021-04-09Trend MicroDaniel Lunghi, Kenney Lu
@online{lunghi:20210409:iron:402e62f, author = {Daniel Lunghi and Kenney Lu}, title = {{Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware}}, date = {2021-04-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html}, language = {English}, urldate = {2021-04-09} } Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware
HyperBro HyperSSL APT27
2020-12-10ESET ResearchMathieu Tartare
@online{tartare:20201210:operation:0eecfc8, author = {Mathieu Tartare}, title = {{Operation StealthyTrident: corporate software under attack}}, date = {2020-12-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/}, language = {English}, urldate = {2020-12-10} } Operation StealthyTrident: corporate software under attack
HyperBro PlugX ShadowPad Tmanger
2020-12-10ESET ResearchMathieu Tartare
@online{tartare:20201210:operation:0df1b72, author = {Mathieu Tartare}, title = {{Operation StealthyTrident: corporate software under attack}}, date = {2020-12-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop}, language = {English}, urldate = {2022-07-29} } Operation StealthyTrident: corporate software under attack
HyperBro PlugX Tmanger TA428
2020-12-09Avast DecodedLuigino Camastra, Igor Morgenstern
@online{camastra:20201209:targeting:952844f, author = {Luigino Camastra and Igor Morgenstern}, title = {{APT Group Targeting Governmental Agencies in East Asia}}, date = {2020-12-09}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/}, language = {English}, urldate = {2021-01-27} } APT Group Targeting Governmental Agencies in East Asia
Albaniiutas HyperBro PlugX PolPo Tmanger
2020-12-09Avast DecodedLuigino Camastra, Igor Morgenstern
@online{camastra:20201209:targeting:d3469a1, author = {Luigino Camastra and Igor Morgenstern}, title = {{APT Group Targeting Governmental Agencies in East Asia}}, date = {2020-12-09}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia}, language = {English}, urldate = {2022-07-29} } APT Group Targeting Governmental Agencies in East Asia
Albaniiutas HyperBro PlugX Tmanger TA428
2020-11-27PTSecurityDenis Goydenko, Alexey Vishnyakov
@online{goydenko:20201127:investigation:7d12cee, author = {Denis Goydenko and Alexey Vishnyakov}, title = {{Investigation with a twist: an accidental APT attack and averted data destruction}}, date = {2020-11-27}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/}, language = {English}, urldate = {2020-12-01} } Investigation with a twist: an accidental APT attack and averted data destruction
TwoFace CHINACHOPPER HyperBro MegaCortex MimiKatz
2020-09-30Team CymruJames Shank, Jacomo Piccolini
@techreport{shank:20200930:pandamic:f210107, author = {James Shank and Jacomo Piccolini}, title = {{Pandamic: Emissary Pandas in the Middle East}}, date = {2020-09-30}, institution = {Team Cymru}, url = {https://vblocalhost.com/uploads/VB2020-Shank-Piccolini.pdf}, language = {English}, urldate = {2021-04-16} } Pandamic: Emissary Pandas in the Middle East
HyperBro HyperSSL
2020-06-03Trend MicroDaniel Lunghi
@techreport{lunghi:20200603:how:4f28e63, author = {Daniel Lunghi}, title = {{How to perform long term monitoring of careless threat actors}}, date = {2020-06-03}, institution = {Trend Micro}, url = {https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf}, language = {English}, urldate = {2020-06-05} } How to perform long term monitoring of careless threat actors
BBSRAT HyperBro Trochilus RAT
2020-03-25Team CymruTeam Cymru
@online{cymru:20200325:how:b1d8c31, author = {Team Cymru}, title = {{How the Iranian Cyber Security Agency Detects Emissary Panda Malware}}, date = {2020-03-25}, organization = {Team Cymru}, url = {https://team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/}, language = {English}, urldate = {2020-07-13} } How the Iranian Cyber Security Agency Detects Emissary Panda Malware
HyperBro
2020-02-18Trend MicroDaniel Lunghi, Cedric Pernet, Kenney Lu, Jamz Yaneza
@online{lunghi:20200218:uncovering:93b0937, author = {Daniel Lunghi and Cedric Pernet and Kenney Lu and Jamz Yaneza}, title = {{Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations}}, date = {2020-02-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia}, language = {English}, urldate = {2020-02-20} } Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations
Cobalt Strike HyperBro PlugX Trochilus RAT
2020-02-17Talent-Jump TechnologiesTheo Chen, Zero Chen
@online{chen:20200217:clambling:1a0bb8e, author = {Theo Chen and Zero Chen}, title = {{CLAMBLING - A New Backdoor Base On Dropbox}}, date = {2020-02-17}, organization = {Talent-Jump Technologies}, url = {http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/}, language = {English}, urldate = {2020-03-30} } CLAMBLING - A New Backdoor Base On Dropbox
HyperBro PlugX
2020-01FireEyeTom Hall, Mitchell Clarke, Mandiant
@techreport{hall:202001:mandiant:25e38ef, author = {Tom Hall and Mitchell Clarke and Mandiant}, title = {{Mandiant IR Grab Bag of Attacker Activity}}, date = {2020-01}, institution = {FireEye}, url = {https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf}, language = {English}, urldate = {2021-04-16} } Mandiant IR Grab Bag of Attacker Activity
TwoFace CHINACHOPPER HyperBro HyperSSL
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:4db27ec, author = {SecureWorks}, title = {{BRONZE UNION}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-union}, language = {English}, urldate = {2020-05-23} } BRONZE UNION
9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell APT27
2019-06-13ae CERTae CERT
@online{cert:20190613:advanced:5d2e200, author = {ae CERT}, title = {{Advanced Notification of Cyber Threats against Family of Malware Giving Remote Access to Computers}}, date = {2019-06-13}, organization = {ae CERT}, url = {https://www.tra.gov.ae/assets/mTP39Tp6.pdf.aspx}, language = {English}, urldate = {2021-04-16} } Advanced Notification of Cyber Threats against Family of Malware Giving Remote Access to Computers
HyperBro HyperSSL
2019-02-27SecureworksCTU Research Team
@online{team:20190227:peek:16c9160, author = {CTU Research Team}, title = {{A Peek into BRONZE UNION’s Toolbox}}, date = {2019-02-27}, organization = {Secureworks}, url = {https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox}, language = {English}, urldate = {2020-01-07} } A Peek into BRONZE UNION’s Toolbox
Ghost RAT HyperBro ZXShell
2018-06-13Kaspersky LabsDenis Legezo
@online{legezo:20180613:luckymouse:26f9860, author = {Denis Legezo}, title = {{LuckyMouse hits national data center to organize country-level waterholing campaign}}, date = {2018-06-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/luckymouse-hits-national-data-center/86083/}, language = {English}, urldate = {2019-12-20} } LuckyMouse hits national data center to organize country-level waterholing campaign
HyperBro APT27
Yara Rules
[TLP:WHITE] win_hyperbro_auto (20230715 | Detects win.hyperbro.)
rule win_hyperbro_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.hyperbro."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperbro"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83c410 52 c7460840000000 c7460402000000 }
            // n = 4, score = 400
            //   83c410               | add                 esp, 0x10
            //   52                   | push                edx
            //   c7460840000000       | mov                 dword ptr [esi + 8], 0x40
            //   c7460402000000       | mov                 dword ptr [esi + 4], 2

        $sequence_1 = { ff15???????? 53 8d4c240c 51 8d5618 894604 }
            // n = 6, score = 400
            //   ff15????????         |                     
            //   53                   | push                ebx
            //   8d4c240c             | lea                 ecx, [esp + 0xc]
            //   51                   | push                ecx
            //   8d5618               | lea                 edx, [esi + 0x18]
            //   894604               | mov                 dword ptr [esi + 4], eax

        $sequence_2 = { 8b462c c706???????? 85c0 7410 50 e8???????? }
            // n = 6, score = 400
            //   8b462c               | mov                 eax, dword ptr [esi + 0x2c]
            //   c706????????         |                     
            //   85c0                 | test                eax, eax
            //   7410                 | je                  0x12
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_3 = { 83c404 5f 5e c7450000000000 5d c70200000000 }
            // n = 6, score = 400
            //   83c404               | add                 esp, 4
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   c7450000000000       | mov                 dword ptr [ebp], 0
            //   5d                   | pop                 ebp
            //   c70200000000         | mov                 dword ptr [edx], 0

        $sequence_4 = { 8b5710 52 e8???????? 8b470c 50 e8???????? }
            // n = 6, score = 400
            //   8b5710               | mov                 edx, dword ptr [edi + 0x10]
            //   52                   | push                edx
            //   e8????????           |                     
            //   8b470c               | mov                 eax, dword ptr [edi + 0xc]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_5 = { 8bff 05ff000000 41 3d01feffff 0f878c010000 8bd5 2bd1 }
            // n = 7, score = 400
            //   8bff                 | mov                 edi, edi
            //   05ff000000           | add                 eax, 0xff
            //   41                   | inc                 ecx
            //   3d01feffff           | cmp                 eax, 0xfffffe01
            //   0f878c010000         | ja                  0x192
            //   8bd5                 | mov                 edx, ebp
            //   2bd1                 | sub                 edx, ecx

        $sequence_6 = { 8944242c 89442440 c744243003000000 e8???????? 83c404 6882000000 56 }
            // n = 7, score = 400
            //   8944242c             | mov                 dword ptr [esp + 0x2c], eax
            //   89442440             | mov                 dword ptr [esp + 0x40], eax
            //   c744243003000000     | mov                 dword ptr [esp + 0x30], 3
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   6882000000           | push                0x82
            //   56                   | push                esi

        $sequence_7 = { 89442458 7d09 3d33270000 7504 }
            // n = 4, score = 400
            //   89442458             | mov                 dword ptr [esp + 0x58], eax
            //   7d09                 | jge                 0xb
            //   3d33270000           | cmp                 eax, 0x2733
            //   7504                 | jne                 6

        $sequence_8 = { 893e 894608 eb09 8b16 03d1 }
            // n = 5, score = 400
            //   893e                 | mov                 dword ptr [esi], edi
            //   894608               | mov                 dword ptr [esi + 8], eax
            //   eb09                 | jmp                 0xb
            //   8b16                 | mov                 edx, dword ptr [esi]
            //   03d1                 | add                 edx, ecx

        $sequence_9 = { 52 8d7c2418 e8???????? 68???????? 8bc7 50 e8???????? }
            // n = 7, score = 400
            //   52                   | push                edx
            //   8d7c2418             | lea                 edi, [esp + 0x18]
            //   e8????????           |                     
            //   68????????           |                     
            //   8bc7                 | mov                 eax, edi
            //   50                   | push                eax
            //   e8????????           |                     

    condition:
        7 of them and filesize < 352256
}
Download all Yara Rules