HTTPBrowser is a potent form of malware, or malicious software, used to exploit and damage computer systems. Groups such as BRONZE UNION and Wekby have deployed it, often alongside PlugX, in operations that network defenders have found difficult to detect. The malware can reach a system through dubious downloads, emails, or websites; once inside, it can steal personal information, disrupt operations, or even hold data to ransom. It is also known for its low antivirus detection rates and is typically identified only by heuristic signatures.
The malware has been linked to the Wekby group, which often uses HTTPBrowser in its operations. Pisloader's use of DNS requests for command and control aligns with previous versions of HTTPBrowser, and metadata similarities between known HTTPBrowser samples and the pisloader sample in question suggest that pisloader may be a variant of this malware family. Notably, the payload delivered is usually either the well-known 'PlugX' or 'HttpBrowser' RAT, tools believed to be of Chinese origin and used primarily by certain Chinese hacking groups.
HTTPBrowser's functionality has evolved over time, with newer versions using SSL with self-signed certificates to encrypt network communications. Threat actors have exploited vulnerabilities in the Java Runtime Environment and JBoss to deliver the HTTPBrowser backdoor and compromise assets. The malware's executable code can be obfuscated through structured exception handling and return-oriented programming, adding to its stealth. Also known as TokenControl, HTTPBrowser is notable for HTTPS communications with the hard-coded "HttpBrowser/1.0" User-Agent.
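The hard-coded User-Agent is the one concrete network indicator this description gives, and it is the kind of thing a defender can turn into a proxy-log check. The script below is an added example, not code from the original description or from any vendor report it draws on; the space-delimited log format, the addresses and the matching lines are all constructed for the demonstration. An exact match on "HttpBrowser/1.0" is reported as high confidence, while a looser, case-insensitive match on the "HttpBrowser/" prefix is reported as medium confidence so that trivially altered strings still surface for review. The self-signed-certificate behaviour mentioned above is not modelled here; a User-Agent hit is one signal to corroborate, not proof on its own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# The hard-coded User-Agent string the description attributes to HTTPBrowser (aka TokenControl).
HTTPBROWSER_UA = "HttpBrowser/1.0"

# Constructed sample proxy log in a hypothetical space-delimited format:
#   timestamp src_ip dst_ip method url "user-agent" status
# The addresses are documentation ranges and the hits are fabricated for the example.
SAMPLE_LOG = """\
2024-05-04T10:00:01Z 10.0.0.5 203.0.113.10 GET https://203.0.113.10/index.php "HttpBrowser/1.0" 200
2024-05-04T10:00:02Z 10.0.0.6 198.51.100.7 GET https://example.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" 200
2024-05-04T10:00:03Z 10.0.0.5 203.0.113.10 POST https://203.0.113.10/upload "HttpBrowser/1.0" 200
2024-05-04T10:00:04Z 10.0.0.8 198.51.100.9 GET https://example.org/ "httpbrowser/1.0" 200
2024-05-04T10:00:05Z 10.0.0.9 198.51.100.9 GET https://example.org/ "curl/8.0.1" 404
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'"(?P<ua>[^"]*)" (?P<status>\d+)$'
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    url: str
    ua: str
    confidence: str  # "high" for the exact hard-coded string, "medium" for a loose match


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None (rather than raise) for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_ua(ua: str) -> Optional[str]:
    """Return a confidence label if the User-Agent looks like HTTPBrowser's, else None."""
    if ua == HTTPBROWSER_UA:
        return "high"       # byte-for-byte the hard-coded value from the description
    if ua.lower().startswith("httpbrowser/"):
        return "medium"     # same family string with different case or version: worth a look
    return None


def scan(log_text: str) -> list:
    """Run the User-Agent check over every parseable line and collect the hits in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip it rather than abort the whole scan
        conf = classify_ua(rec["ua"])
        if conf:
            findings.append(Finding(rec["ts"], rec["src"], rec["dst"], rec["url"], rec["ua"], conf))
    return findings


def hosts_by_hit_count(findings: list) -> list:
    """Summarise which internal hosts produced the matches, most hits first, for triage."""
    return Counter(f.src for f in findings).most_common()


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.confidence}] {f.ts} {f.src} -> {f.dst} {f.url} UA={f.ua!r}")
    print("hosts:", hosts_by_hit_count(hits))
```

In a real deployment the log format regex would be replaced by the proxy's own field parser and the "medium" bucket reviewed for false positives before alerting on it; the per-host summary is there because a single workstation generating several hits is a stronger lead than scattered single matches.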
Description last updated: 2024-05-04T22:54:05.314Z