
HyperBro

Posted: June 3, 2019

The HyperBro malware is a proprietary hacking tool that is used by the Chinese-speaking APT group LuckyMouse (also known as APT27 in the cybersecurity field). This group of criminals has been involved in numerous campaigns against high-profile targets, and they are known to leverage a broad range of public and private hacking tools to achieve their goals. One of the recent attacks carried out by LuckyMouse targeted a data center situated in Central Asia, and it is believed that the compromised network was used by a large number of government officials to exchange confidential data and documents. Cybersecurity experts suspect that the LuckyMouse hackers used the compromised system to gain access to private government resources, as well as to set up a potential watering hole attack against government bodies.

Regretfully, there is not enough information to determine which infection vector the LuckyMouse members used to plant the HyperBro Remote Access Trojan (RAT) in the compromised data center. In previous campaigns, LuckyMouse relied on macro-laced Office documents to reach its targets, but there is no adequate evidence that the same technique was used in this particular attack.

What is special about the HyperBro Trojan is that it is loaded into a legitimate copy of the ‘svchost.exe’ process on the infected host, thereby minimizing the file footprint it leaves on the system. This not only makes it harder to follow the malware’s traces after it has been removed from the computer, but it also may make it more difficult for anti-virus solutions to spot and halt the threatening activity.
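Because the RAT runs inside what looks like a normal ‘svchost.exe’, a file-based scan alone may miss it, so defenders usually fall back on checking whether each svchost instance was started the way Windows starts it (from System32 or SysWOW64, by services.exe, with a ‘-k’ service-group argument). The following is an added example, not code from the original article or from any vendor: it applies that heuristic to Sysmon-style process-creation records (Image, ParentImage, CommandLine) that have already been parsed into Python objects. The sample records, the process ids and the file paths are constructed for illustration. It cannot see code injected into an svchost that was already running legitimately; that case needs a memory scan, which this script does not attempt.

```python
"""Heuristic triage of process-creation records for suspicious svchost.exe
instances. Added example (not from the original article); assumes
Sysmon-style fields already parsed into ProcEvent objects.
"""
import ntpath   # parses Windows paths correctly on any host OS
import re
from dataclasses import dataclass
from typing import Dict, List

# Directories from which Windows launches the genuine svchost.exe.
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Genuine service hosts are started by the Service Control Manager.
LEGIT_PARENT = "services.exe"
# Genuine service hosts receive a service group via "-k <group>".
SERVICE_GROUP_RE = re.compile(r"(^|\s)-k\s+\S+", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the new process (Sysmon "Image")
    parent_image: str   # full path of the parent (Sysmon "ParentImage")
    command_line: str   # Sysmon "CommandLine"


def svchost_findings(ev: ProcEvent) -> List[str]:
    """Return a list of anomalies for one record; empty if it looks benign
    or is not an svchost.exe launch at all."""
    findings: List[str] = []
    if ntpath.basename(ev.image).lower() != "svchost.exe":
        return findings
    if ntpath.dirname(ev.image).lower() not in LEGIT_DIRS:
        findings.append("image path outside System32/SysWOW64")
    parent = ntpath.basename(ev.parent_image).lower()
    if parent != LEGIT_PARENT:
        findings.append(f"unexpected parent {parent}")
    if not SERVICE_GROUP_RE.search(ev.command_line):
        findings.append("no -k service group on command line")
    return findings


def triage(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map pid -> findings for every svchost launch that tripped a check."""
    flagged: Dict[int, List[str]] = {}
    for ev in events:
        hits = svchost_findings(ev)
        if hits:
            flagged[ev.pid] = hits
    return flagged


# Constructed sample records: one normal service host, two that deviate,
# and one unrelated process that the checks must ignore.
SAMPLE_EVENTS = [
    ProcEvent(812, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
    ProcEvent(4120, r"C:\Windows\System32\svchost.exe",
              r"C:\Users\victim\AppData\Local\Temp\update.exe",
              r"C:\Windows\System32\svchost.exe"),
    ProcEvent(5011, r"C:\Users\victim\AppData\Roaming\svchost.exe",
              r"C:\Windows\explorer.exe",
              r"C:\Users\victim\AppData\Roaming\svchost.exe -k netsvcs"),
    ProcEvent(600, r"C:\Windows\System32\lsass.exe",
              r"C:\Windows\System32\wininit.exe",
              r"C:\Windows\System32\lsass.exe"),
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(f"pid {pid}: " + "; ".join(hits))
```

Each check is a heuristic rather than proof of compromise: some environments have legitimate exceptions to the parent rule, so tune the allow-lists against a baseline of known-good hosts before alerting on every hit.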

The HyperBro RAT is controlled via a Command & Control (C&C) server that is situated in a rather interesting region – despite being a Chinese campaign, the C&C server was hosted on a MikroTik router found in Ukraine. This likely means that the attackers are using a hijacked router to control their malware and add a layer of anonymity between them and the target. The C&C server is used both for control and for data exfiltration, which makes it even harder to track the steps and actions of the attackers.

The HyperBro RAT is likely to contain some basic features such as the ability to execute remote commands on the compromised host, as well as to browse and modify file directories (file upload and download). HyperBro’s features are likely to be limited because it attempts to stay under the radar and operate in memory instead of on the hard disk. The scale of the watering hole attack carried out with the use of the compromised data center is not known yet, but it is certain that we will learn more about it in the upcoming weeks.
