HTTPBrowser

Malware Profile Updated 24 days ago
HTTPBrowser, also tracked as TokenControl, is a remote access trojan (RAT) used in cyberespionage operations attributed to China-based groups, notably Threat Group-3390 (BRONZE UNION, Emissary Panda) and Wekby. In these intrusions the final payload delivered is usually one of two RATs, the well-known PlugX or HTTPBrowser itself. Samples have historically had low antivirus detection rates, with identification typically relying on heuristic rather than static signatures. Threat actors have exploited vulnerabilities in the Java Runtime Environment and in JBoss to deliver the HTTPBrowser backdoor and compromise assets. The executable code can be obfuscated through structured exception handling (SEH) and return-oriented programming (ROP) tricks, which hinders static analysis and adds to its stealth.

On the network side, HTTPBrowser is notable for HTTP/HTTPS command-and-control traffic carrying the hard-coded "HttpBrowser/1.0" User-Agent, and its functionality has evolved over time: newer versions wrap communications in SSL using self-signed certificates. The family is also linked to Wekby's pisloader: that sample uses DNS requests as its command-and-control channel, which aligns with previous versions of HTTPBrowser, and metadata similarities between known HTTPBrowser samples and pisloader suggest that pisloader is a variant of this malware family.
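The two network indicators above (the hard-coded User-Agent and the move to self-signed SSL certificates) are what a detection engineer would hunt for first. The following script is an added example, not code from this profile or from any of the cited reports: it scans constructed proxy log lines for the exact "HttpBrowser/1.0" User-Agent, scans constructed TLS metadata records for self-signed server certificates, and correlates both by internal source address. The log line layouts and field order are assumptions made for the example; the sample lines are constructed, and the hosts and addresses in them are placeholders.

```python
"""Hunt for HTTPBrowser network indicators in proxy and TLS metadata logs.

Added example, not code from the HTTPBrowser profile or any vendor report.
Assumptions: a proxy log line of the form
    <unix_ts> <client_ip> <dest_host> <METHOD> "<User-Agent>"
and a tab-separated TLS record of the form
    <unix_ts> <client_ip> <dest_ip:port> <sni> <validation_status> <issuer> <subject>
All sample lines below are constructed for the example.
"""
import re
from dataclasses import dataclass

# Indicator from the profile: hard-coded User-Agent used by HTTPBrowser/TokenControl.
HTTPBROWSER_UA = "HttpBrowser/1.0"

# Constructed proxy log lines (assumed layout, see module docstring).
PROXY_LOG = """\
1447000001 10.1.2.15 update.example-cdn.net GET "Mozilla/5.0 (Windows NT 6.1; WOW64)"
1447000005 10.1.2.15 www.sec-lab.example POST "HttpBrowser/1.0"
1447000009 10.1.2.40 intranet.corp.example GET "Mozilla/5.0 (Windows NT 10.0)"
1447000012 10.1.2.15 www.sec-lab.example GET "HttpBrowser/1.0 "
"""

# Constructed TLS metadata records (assumed layout, see module docstring).
TLS_LOG = """\
1447000020\t10.1.2.15\t203.0.113.8:443\t-\tself signed certificate\tCN=localhost\tCN=localhost
1447000025\t10.1.2.40\t198.51.100.7:443\twww.example.com\tok\tCN=Example Root CA\tCN=www.example.com
1447000031\t10.1.2.15\t203.0.113.8:443\t-\tself signed certificate\tCN=localhost\tCN=localhost
"""

PROXY_LINE = re.compile(
    r'^(?P<ts>\d+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<method>[A-Z]+)\s+"(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Hit:
    ts: int
    src: str
    dest: str
    reason: str


def find_httpbrowser_ua(log_text: str) -> list[Hit]:
    """Flag requests whose User-Agent is exactly the hard-coded HTTPBrowser string.

    Whitespace is trimmed before comparing so a padded header still matches,
    but no looser matching is done: the indicator is the exact string.
    """
    hits = []
    for line in log_text.splitlines():
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the hunt
        if m["ua"].strip() == HTTPBROWSER_UA:
            hits.append(Hit(int(m["ts"]), m["src"], m["host"], "user-agent HttpBrowser/1.0"))
    return hits


def find_self_signed_tls(log_text: str) -> list[Hit]:
    """Flag TLS sessions whose server certificate is self-signed.

    Either the validator's verdict or issuer == subject is accepted as evidence,
    so the check still works when the validation field is missing.
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        ts, src, dst, _sni, status, issuer, subject = fields
        if status == "self signed certificate" or (issuer == subject and issuer != "-"):
            hits.append(Hit(int(ts), src, dst, "self-signed server certificate"))
    return hits


def correlate(*hit_lists: list[Hit]) -> dict[str, list[str]]:
    """Group the distinct reasons by internal source IP.

    A host that shows both the User-Agent and self-signed TLS indicators is a
    far stronger lead than either indicator alone.
    """
    by_src: dict[str, set[str]] = {}
    for hits in hit_lists:
        for h in hits:
            by_src.setdefault(h.src, set()).add(h.reason)
    return {src: sorted(reasons) for src, reasons in by_src.items()}


if __name__ == "__main__":
    ua_hits = find_httpbrowser_ua(PROXY_LOG)
    tls_hits = find_self_signed_tls(TLS_LOG)
    for src, reasons in correlate(ua_hits, tls_hits).items():
        print(f"{src}: {', '.join(reasons)}")
```

Two caveats a practitioner should keep in mind. Once a sample encrypts its traffic with SSL, the User-Agent is inside the encrypted stream, so the first check only fires where the proxy terminates TLS or traffic is otherwise decrypted; at the perimeter you are left with the certificate-level signal. Self-signed certificates on their own are common in most networks, which is why the example reports them as a correlation feature per source host rather than as a standalone alert.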
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the HTTPBrowser malware was read from the documents in the corpus listed below. This display is limited to 20 results.
Source | Created at | Title
MITRE | a year ago | Threat Group-3390 Targets Organizations for Cyberespionage
MITRE | a year ago | New Wekby Attacks Use DNS Requests As Command and Control Mechanism
MITRE | a year ago | Emissary Panda – A potential new malicious tool
MITRE | a year ago | BRONZE UNION Cyberespionage Persists Despite Disclosures