The HyperBro remote access trojan (RAT) is a malware that has been around since 2017 and heavily utilized by the APT27 threat group, to whom are believed to be sponsored by the Chinese government. APT27, also known as Emissary Panda, has been executing multiple long-term and very targeted attacks against organizations in several industries. The threat group have expanded their capabilities to include financially motivated cybercrime, with previous motivations being espionage and data gathering/exfiltration. The uses a combination of proprietary malware, malware shared amongst several suspected Chinese cybercrime groups, and publicly available open-source software to conduct their tradecraft, allowing them to adapt their tactics as needed. In particular, the HyperBro RAT has been prominently used by the threat group and continues to be used in their operations to date.
As mentioned previously, HyperBro is a remote access trojan, which goals are to achieve backdoor access to a victim’s system in order to execute commands remotely (or locally) and maliciously run commands, modify services or processes, or even log/monitor keystrokes and user activity. In particular, the trojan abuses DLL side-loading in order to compromise the targeted system, and eventually lead to the payload being loaded into memory. With this malware being observed across recent intrusions conducted by APT27, it is important to assess, understand and prepare for this tool as it evolves and continues to spread.
The HyperBro remote access trojan (RAT) is utilized in the toolkit of the threat group APT27, in order to achieve backdoor access on targeted systems. The group is known for spear phishing or the exploitation of internet facing applications for initial access into networks. Observations of the malware’s behavior during stage 1 of infection show that it abuses a legitimate executable such as MsMpEng.exe in order to side-load a malicious DLL stored in the same directory as the .exe. Following the .dll file being loaded, the malware decrypts thumb.dat in order to extract the HyperBro backdoor payload.
Once the payload is executed, the infection allows remote access and control over compromised machines. It has been observed to collect device data, attempts to gain full admin privileges, and ensures persistence by auto-starting upon user log-in. It can also steal files and data through keylogging and can upload and execute them, potentially causing chain infections with additional malicious programs. The presence of HyperBro on devices can lead to multiple system infections, data loss, privacy issues, financial losses, and even identity theft.
Due to HyperBro being a longstanding malware variant that is actively utilized by threat groups such as APT27, Cyborg Security will be updating the Threat Hunt Packages if the variant evolves as researchers continue to observe its activity.