
HyperStack Backdoor

Posted: October 29, 2020

The HyperStack Backdoor is a malware threat used by an Advanced Persistent Threat (APT) group known as Turla. The same state-sponsored group has gone by several names during more than a decade of operations; the infosec community has also tracked it as Ouroboros, Snake, Venomous Bear and Waterbug. Linked to Russia, the group specializes in campaigns against government institutions and military and diplomatic entities. In a recent attack against a European government, the hackers deployed several updated malware tools alongside their traditional arsenal. One of the tools that was modified is HyperStack.

The first versions of HyperStack were discovered back in 2018, but at the time the threat was not immediately associated with the activities of the Turla APT. In the latest campaign, uncovered by the infosec researchers at Accenture Cyber Threat Intelligence, numerous overlapping details were found between HyperStack and one of Turla's legacy tools, the Remote Access Trojan Carbon.

HyperStack Exploits RPC Calls

The upgraded version of the HyperStack Backdoor can carry Remote Procedure Calls (RPC) from the controller to a device running the HyperStack client over named pipes. The goal is for the threat to move laterally within the already compromised network of the victim. HyperStack attempts to connect to the Inter-Process Communication (IPC$) shares of other devices, first via a null session and, if that fails, using default credentials. If a connection is established, HyperStack can forward RPC commands and most likely also drop a copy of itself onto the new device.

Once HyperStack has been dropped onto a computer, it copies itself to 'C:\ADSchemeIntegrity.exe' and installs itself as a service with system-level privileges under the guise of an Active Directory Scheme Integrity Service. The threat looks for a specific Registry value, HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\NullSessionPipes, and adds the name of its communication pipe to it; pipes listed under NullSessionPipes can be opened over SMB without authentication, which is what lets the controller reach the client through a null session. A configuration file containing several keys is created at '%SystemRoot%\INF\backport.inf'. The results of any commands received from the Command-and-Control (C2, C&C) server, along with any error messages, are written to log files with random names in the %Temp% directory of the compromised system.
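The artefacts described in the two paragraphs above (the null-session pipe registration, the dropped service binary, the configuration file, and the IPC$ null-session lateral movement) translate directly into a host-side hunt. The script below is an added example written for this page, not code from Accenture or from the original article. It assumes it is run as Administrator on the host under review, that the baseline list of legitimate null-session pipes is replaced with one taken from a clean machine of the same role (the three names given are only a placeholder), and that the Security log has logon and file-share auditing enabled; without those audit policies the event checks simply return nothing.

```powershell
# Added example (editor-written, not from the original page): hunt for the
# HyperStack indicators the text describes on a single Windows host.
# Run as Administrator. Artefact names (ADSchemeIntegrity.exe, backport.inf,
# NullSessionPipes) are the ones reported in the text; everything else is an assumption.

$findings = New-Object System.Collections.Generic.List[string]

# 1. NullSessionPipes: any pipe listed here can be opened over SMB without credentials.
#    HyperStack appends its own pipe name, so flag anything outside a known-good baseline.
#    ASSUMPTION: replace this list with a baseline exported from a clean host of the same role.
$baselinePipes = @('netlogon', 'samr', 'lsarpc')
$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
$pipes = (Get-ItemProperty -Path $paramsKey -Name NullSessionPipes -ErrorAction SilentlyContinue).NullSessionPipes
foreach ($p in @($pipes)) {
    if ($p -and ($baselinePipes -notcontains $p.ToLower())) {
        $findings.Add("Unexpected null-session pipe registered: $p")
    }
}

# 2. The dropped binary and the service masquerading as an AD integrity service.
#    Also report which account the service runs as (the text says system-level).
if (Test-Path 'C:\ADSchemeIntegrity.exe') {
    $findings.Add('Dropped binary present: C:\ADSchemeIntegrity.exe')
}
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match 'ADSchemeIntegrity' -or $_.DisplayName -match 'Scheme Integrity' } |
    ForEach-Object {
        $findings.Add("Suspicious service: $($_.Name) -> $($_.PathName) (runs as $($_.StartName))")
    }

# 3. The configuration file written under %SystemRoot%\INF.
$inf = Join-Path $env:SystemRoot 'INF\backport.inf'
if (Test-Path $inf) {
    $findings.Add("Configuration file present: $inf")
}

# 4. Lateral-movement traces in the Security log over the last 7 days:
#    4624 with logon type 3 as ANONYMOUS LOGON is a null session over the network,
#    5140 with share \\*\IPC$ is a connection to the IPC$ share.
#    Both are noisy on busy servers; treat hits as leads to correlate, not verdicts.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 5140; StartTime = $since } `
                       -ErrorAction SilentlyContinue
foreach ($e in $events) {
    # Pull the EventData fields out of the event XML into a name -> value table.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($e.Id -eq 4624 -and $d['LogonType'] -eq '3' -and $d['TargetUserName'] -eq 'ANONYMOUS LOGON') {
        $findings.Add('Null-session logon from ' + $d['IpAddress'] + ' at ' + $e.TimeCreated)
    }
    if ($e.Id -eq 5140 -and $d['ShareName'] -eq '\\*\IPC$') {
        $findings.Add('IPC$ access by ' + $d['SubjectUserName'] + ' from ' + $d['IpAddress'] + ' at ' + $e.TimeCreated)
    }
}

if ($findings.Count -eq 0) { 'No HyperStack indicators found on this host.' } else { $findings }
```

The NullSessionPipes comparison is the check most worth keeping even outside this campaign: on a hardened server the list should be short and stable, and any pipe that appears there without a change ticket deserves a look regardless of which tool registered it. The random-named log files in %Temp% are deliberately not searched for by name, since the text gives no naming pattern to key on.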

It should be noted that during the campaign Turla also employed a less sophisticated version of HyperStack. This variant lacked the IPC$ share-enumeration functionality, retaining only the ability to run commands via named pipes from the controller to the threat client.
