MAR-10365227-2.v1 – Impacket 2 | CISA

Cybersecurity analysts from CISA analyzed HyperBro malware samples linked to a Defense Industrial Base incident, detailing a backdoor capable of file transfer, keystroke logging, and remote command execution. The report covers four analyzed files, a C2 endpoint at 104.168.236.46, and a DLL side-loading chain involving vf_host.exe and vftrace.dll, including UAC bypass and persistence mechanisms. #HyperBro #Viewfinity

Keypoints

  • The Malware Analysis Report analyzes four HyperBro files associated with a Defense Industrial Base (DIB) organization compromised by an APT actor, showing backdoor capabilities to upload/download files, log keystrokes, and execute commands.
  • vf_host.exe (from Viewfinity) loads a malicious DLL (vftrace.dll) to enable the intrusion, and the artifact can bypass User Account Control by disabling Admin Approval Mode via registry/group policy adjustments.
  • Persistence is achieved by creating a Windows service named Windows Defenders Service that starts on logon, with registry entries under HKLM\System\CurrentControlSet\services\windefenders.
  • The malware communicates with a C2 endpoint at 104.168.236.46, including a POST pattern to a URI (hxxps://104.168.236.46/api/v2/ajax) using a fixed User-Agent string.
  • Exfiltration leverages an existing Web service path to send collected data (computer name, IP, path, process, GUID, etc.) to the C2.
  • The report lists IOCs including a set of file hashes, an IP address, domain hostwindsdns.com, and specific file names (vftrace.dll, msmpeng.exe, config.ini, thumb.dat).
  • The MITRE ATT&CK techniques observed include DLL side-loading, Windows service persistence, exfiltration over web services, and data collection/compression prior to exfiltration.

MITRE Techniques

  • [T1543.003] Persistence: Create or Modify System Process – The malware creates a Windows service to start automatically and sustain execution. ‘Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence.’
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – The artifact uses a legitimate application to load a malicious DLL. ‘This artifact is a version of vf_host.exe from Viewfinity. The file is used to side-load the malicious dynamic-link library (DLL), vftrace.dll.’
  • [T1567.000] Exfiltration: Exfiltration Over Web Service – The malware exfiltrates data via an existing external Web service to hide the C2 channel. ‘Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.’
  • [T1560.000] Collection: Archive Collected Data – Data collected prior to exfiltration may be compressed/encrypted. ‘An adversary may compress and/or encrypt data that is collected prior to exfiltration.’

Indicators of Compromise

  • [IP] Command-and-control endpoint – 104.168.236.46
  • [Domain] Domain used by C2 – hostwindsdns.com
  • [URL] Exfiltration/Command channel – hxxps://104.168.236.46/api/v2/ajax
  • [File hash] Hashes – df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348, 52072a8f99dacd5c293fccd051eab95516d8b880cd2bc5a7e0f4a30d008e22a7
  • [File name] Filenames – vf_host.exe, msmpeng.exe, config.ini, thumb.dat
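The behaviours and indicators in the Keypoints and IOC lists above, turned into a small triage routine that tags matching host and proxy events (C2 beacon, look-alike service, windefenders registry path, vf_host.exe side-loading vftrace.dll). This is an added example, not CISA's code or tooling; the key=value event format and the sample log lines are constructed.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the report summary; the key=value event format and sample lines are constructed.
C2_HOSTS = {"104.168.236.46", "hostwindsdns.com"}
C2_URI = "/api/v2/ajax"
SERVICE_NAME = "windows defenders service"  # look-alike of the real "Windows Defender Service"
SERVICE_KEY = r"hklm\system\currentcontrolset\services\windefenders"
SIDELOAD_HOST, SIDELOAD_DLL = "vf_host.exe", "vftrace.dll"

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="value with spaces"

def parse(line: str) -> dict:
    """Split one event line into a dict; values are lower-cased for case-insensitive matching."""
    return {k: (q or b).lower() for k, q, b in KV.findall(line)}

def classify(event: dict):
    """Name the HyperBro behaviour an event matches, or None if it matches nothing."""
    kind = event.get("type")
    if kind == "http":
        if event.get("dst") in C2_HOSTS or (event.get("method") == "post" and event.get("uri") == C2_URI):
            return "c2_beacon"
    elif kind == "service_install" and event.get("name") == SERVICE_NAME:
        return "persistence_service"
    elif kind == "registry" and event.get("key", "").startswith(SERVICE_KEY):
        return "persistence_registry"
    elif kind == "image_load":
        proc = PureWindowsPath(event.get("process", "")).name
        dll = PureWindowsPath(event.get("image", "")).name
        if (proc, dll) == (SIDELOAD_HOST, SIDELOAD_DLL):
            return "dll_sideload"
    return None

def triage(lines):
    """Return (behaviour, line) pairs for every line that matches one of the report's indicators."""
    tagged = [(classify(parse(line)), line) for line in lines]
    return [(tag, line) for tag, line in tagged if tag]

SAMPLE_LOG = [  # constructed events, not taken from the report
    "type=http method=POST dst=104.168.236.46 uri=/api/v2/ajax",
    "type=http method=GET dst=203.0.113.7 uri=/index.html",
    'type=service_install name="Windows Defenders Service" image=C:\\ProgramData\\msmpeng.exe',
    'type=service_install name="Windows Defender Service"',
    r"type=registry key=HKLM\System\CurrentControlSet\services\windefenders\Start value=2",
    r"type=image_load process=C:\ProgramData\vf_host.exe image=C:\ProgramData\vftrace.dll",
]

if __name__ == "__main__":
    for tag, line in triage(SAMPLE_LOG):
        print(f"{tag:22} {line}")
```

Any HTTP event to the C2 IP or domain is flagged regardless of method, while the /api/v2/ajax URI alone only counts for POST requests, matching the pattern the report describes.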

Read more: https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-277b