
Hisoka Malware

Posted: November 11, 2020

The Hisoka Malware, also known as the Hisoka Backdoor Trojan, is a hacking tool that was recently used in attacks against companies and organizations based in Kuwait. The campaign is tracked under the name xHunt, and the Hisoka Malware was a vital part of its attack chain. So far, the Hisoka Malware has not been observed in other campaigns, but it is very likely that the criminals will reuse it. Cybersecurity researchers note that the Hisoka Malware received two significant updates during the campaigns targeting Kuwait, so it is safe to assume that the authors of the project have further plans for it.

The first sample of the Hisoka Malware to be discovered was labeled version '0.8' by its authors, and it was not long before cybersecurity experts identified another variant labeled '0.9'. The only notable difference between the two variants is that the latter can use email drafts to receive commands and exfiltrate data. Using email as a fallback Command & Control channel is not new among cybercriminals, but it is notable that a single backdoor can be controlled over HTTP, DNS and email alike: if one channel is blocked or detected, the operators can fall back to another.

The email communication of the Hisoka Malware is carried out entirely through email drafts. Both the payload and the attacker log into the same account. The payload continuously scans the 'Drafts' folder for new content. The body of each draft contains an encoded command that the Hisoka Malware is meant to execute. The output of the command may be returned to the attacker in another draft, and the Hisoka Malware also can use draft attachments to collect files. Because nothing is ever sent, the commands and stolen data never pass through outbound mail flow, so this channel has to be hunted for in mailbox access and audit logs rather than in mail-gateway logs.
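The exchange described above, simulated end to end as an added example (this is not code from the original page, nor the actual Hisoka implant). The mailbox is an in-memory stand-in with a constructed audit log, the `cmd:`/`out:` subject markers and base64-JSON body format are assumptions made for the example (the page does not document the real format), and the victim file is a constructed sample. The last function shows the defender's side: a mailbox used as a task queue leaves two distinct clients deleting each other's drafts, which is the pattern worth hunting for in mailbox audit logs.

```python
import base64
import getpass
import json
import platform
from dataclasses import dataclass, field

# Assumed wire format for this example (the page does not document Hisoka's real one):
# the subject marks the direction, the body is base64(JSON).
CMD_PREFIX = "cmd:"
OUT_PREFIX = "out:"

# Constructed stand-in for files on the victim host.
VICTIM_FILES = {
    r"C:\Users\victim\notes.txt": b"meeting notes - constructed sample content",
}


@dataclass
class Draft:
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)  # file name -> bytes


class Mailbox:
    """In-memory stand-in for the shared account's Drafts folder. Every operation
    is logged with the client that performed it, which is roughly what a mail
    server's mailbox audit log gives a defender."""

    def __init__(self):
        self.drafts = []
        self.audit = []  # (client, action, subject)

    def create(self, client, draft):
        self.drafts.append(draft)
        self.audit.append((client, "create", draft.subject))

    def list(self, client):
        self.audit.append((client, "list", "Drafts"))
        return list(self.drafts)

    def delete(self, client, draft):
        self.drafts.remove(draft)
        self.audit.append((client, "delete", draft.subject))


def encode(obj):
    return base64.b64encode(json.dumps(obj).encode()).decode()


def decode(text):
    return json.loads(base64.b64decode(text))


# Operator side: a task is nothing more than a draft left in the shared account.
def queue_command(mb, task_id, command, arg=None):
    mb.create("operator", Draft(CMD_PREFIX + task_id, encode({"cmd": command, "arg": arg})))


# Implant side: each handler returns (text output, attachments to add to the reply).
def _getfile(path):
    data = VICTIM_FILES.get(path)
    if data is None:
        return f"no such file: {path}", {}
    return f"collected {len(data)} bytes", {path.rsplit("\\", 1)[-1]: data}


HANDLERS = {
    "hostname": lambda arg: (platform.node(), {}),
    "whoami": lambda arg: (getpass.getuser(), {}),
    "getfile": lambda arg: _getfile(arg),
}


def implant_poll(mb):
    """One polling cycle: run every queued task, answer it with a new draft
    (attachments carry collected files), delete the task so it is not run twice."""
    replies = []
    for draft in mb.list("implant"):
        if not draft.subject.startswith(CMD_PREFIX):
            continue
        task_id = draft.subject[len(CMD_PREFIX):]
        task = decode(draft.body)
        handler = HANDLERS.get(task["cmd"])
        if handler is None:
            output, files = f"unknown command: {task['cmd']}", {}
        else:
            output, files = handler(task.get("arg"))
        reply = Draft(OUT_PREFIX + task_id, encode({"cmd": task["cmd"], "output": output}), files)
        mb.create("implant", reply)
        mb.delete("implant", draft)
        replies.append(reply)
    return replies


# Operator side again: pick up the results and clear them from the folder.
def collect_output(mb):
    results = {}
    for draft in mb.list("operator"):
        if draft.subject.startswith(OUT_PREFIX):
            results[draft.subject[len(OUT_PREFIX):]] = (decode(draft.body), draft.attachments)
            mb.delete("operator", draft)
    return results


# Defender side: a Drafts folder used as a queue leaves a distinctive audit trail.
def draft_queue_clients(mb):
    """Return clients that deleted a draft some *other* client created. A normal
    user edits and sends their own drafts; two clients handing drafts back and
    forth without anything ever being sent is the C2 pattern."""
    creator = {}
    flagged = set()
    for client, action, subject in mb.audit:
        if action == "create":
            creator[subject] = client
        elif action == "delete" and creator.get(subject) not in (None, client):
            flagged.add(client)
    return flagged


if __name__ == "__main__":
    mb = Mailbox()
    queue_command(mb, "1", "hostname")
    queue_command(mb, "2", "getfile", r"C:\Users\victim\notes.txt")
    implant_poll(mb)
    for task_id, (result, files) in collect_output(mb).items():
        print(task_id, result["output"], list(files))
    print("clients using Drafts as a queue:", draft_queue_clients(mb))
```

Running the script shows the round trip: the operator queues two tasks, the implant answers both in one polling cycle and attaches the collected file, and the audit log flags both clients because each deleted drafts the other had created, even though no message was ever sent.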

The profile of the targets and the configuration of the network infrastructure used by the xHunt and Hisoka threats have made the OilRig APT the prime suspect behind this campaign.
