HTTPBrowser

Malware Profile Updated 3 months ago
HTTPBrowser is a potent form of malware (malicious software) used to exploit and damage computer systems. It has been deployed by groups such as BRONZE UNION and Wekby alongside tools like PlugX, in ways that make it difficult for network defenders to detect. The malware can infiltrate systems through dubious downloads, emails, or websites; once inside, it can steal personal information, disrupt operations, or even hold data for ransom. It is also known for low antivirus detection rates, with identification typically relying on heuristic signatures. The malware has been linked to the Wekby group, which often uses HTTPBrowser in its operations. Its use of DNS requests as a command and control mechanism aligns with previous versions of HTTPBrowser, and metadata similarities between known HTTPBrowser samples and the pisloader sample discussed in the referenced reporting suggest that pisloader may be a variant of this malware family. Notably, the delivered payload is usually either the well-known 'PlugX' or 'HttpBrowser' RAT, tools believed to have Chinese origins and used primarily by certain Chinese hacking groups. HTTPBrowser's functionality has evolved over time, with newer versions using SSL with self-signed certificates to encrypt network communications. Threat actors have exploited vulnerabilities in Java Runtime Environment and JBoss to deliver the HTTPBrowser backdoor and compromise assets. The malware's executable code can be obfuscated through structured exception handling and return-oriented programming, adding to its stealth. Also known as TokenControl, HTTPBrowser is notable for HTTPS communications with the hard-coded "HttpBrowser/1.0" User-Agent.
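The one concrete network indicator the profile gives is the hard-coded "HttpBrowser/1.0" User-Agent. The script below is an added example (not part of this profile or of any vendor's tooling) showing how a defender would sweep proxy logs for it: exact matches of the string are flagged at high confidence, and variants that keep the product token but add trailing text are flagged at lower confidence for triage. The log line layout, IP addresses and hostnames are constructed assumptions. The practical caveat is also encoded in the comments: because HTTPBrowser talks over HTTPS, the User-Agent is only visible to a proxy that terminates TLS; without such a proxy there is no header to inspect, and the self-signed certificates the profile mentions would be the observable instead.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# User-Agent string the profile attributes to HTTPBrowser (aka TokenControl).
HTTPBROWSER_UA = "HttpBrowser/1.0"

# Constructed sample proxy log (not real traffic). The field layout is an
# assumption for this example:
#   client_ip [timestamp] method url status bytes "user-agent"
# The User-Agent of an HTTPS request is only visible to a proxy that terminates
# TLS; if your proxy only sees CONNECT tunnels, this detection has nothing to read.
SAMPLE_PROXY_LOG = """\
10.0.0.12 [2024-01-05T10:12:01Z] GET https://intranet.example/index.html 200 512 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.45 [2024-01-05T10:12:09Z] POST https://203.0.113.7/update.asp 200 2048 "HttpBrowser/1.0"
10.0.0.45 [2024-01-05T10:13:40Z] GET https://203.0.113.7/check.asp 200 128 "HttpBrowser/1.0"
10.0.0.9 [2024-01-05T10:14:02Z] GET https://intranet.example/ 304 0 "HttpBrowser/1.0 (compatible; MSIE 7.0)"
10.0.0.9 [2024-01-05T10:15:11Z] GET https://intranet.example/news 200 900 "curl/8.4.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<ua>[^"]*)"$'
)


@dataclass
class Alert:
    client_ip: str
    timestamp: str
    dest_host: str
    user_agent: str
    confidence: str  # "exact" for the hard-coded string, "partial" for a variant


def classify_user_agent(ua: str):
    """Return "exact", "partial", or None for a User-Agent value."""
    if ua == HTTPBROWSER_UA:
        return "exact"
    # Product token matches but trailing text differs: worth a look, lower confidence.
    if ua.split(" ", 1)[0] == HTTPBROWSER_UA:
        return "partial"
    return None


def scan_proxy_log(text: str):
    """Parse proxy log lines and return an Alert for each HttpBrowser-style User-Agent."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort a batch job
        level = classify_user_agent(m["ua"])
        if level is None:
            continue
        host = urlsplit(m["url"]).hostname or ""
        alerts.append(Alert(m["ip"], m["ts"], host, m["ua"], level))
    return alerts


def exact_hits_per_client(alerts):
    """Count exact-match alerts per client IP, to rank internal hosts for triage."""
    counts = {}
    for a in alerts:
        if a.confidence == "exact":
            counts[a.client_ip] = counts.get(a.client_ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_PROXY_LOG)
    for a in found:
        print(f"[{a.confidence}] {a.client_ip} -> {a.dest_host} ua={a.user_agent!r}")
    print(exact_hits_per_client(found))
```

Run against the constructed log, the scan yields two exact alerts for 10.0.0.45 (both to 203.0.113.7) and one partial alert for 10.0.0.9; the exact-hit summary is {"10.0.0.45": 2}. In production the regex is the part to adapt to your proxy's actual log format, and the client/destination pairing from the exact alerts is what feeds a host-isolation or certificate-inspection follow-up.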
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Vulnerability
Exploit
DNS
Malware
exploited
Payload
Antivirus
Rat
Web Shell
Encrypt
Associated Malware
ID | Type | Votes | Profile Description
Pisloader | Unspecified | 1 | Pisloader is a malware family that has been identified and named by Palo Alto Networks. The malware is delivered via HTTP, with the payload contained within an executable file named lsm.exe. Once this file is written and executed, it activates the pisloader payload, which then starts to infect the s
PlugX | Unspecified | 1 | PlugX is a notorious malware, typically associated with Chinese threat actors, that has been used in various cyberattacks. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. It
Aspxtool | Unspecified | 1 | ASPXTool is a type of malware, specifically a modified version of the ASPXSpy web shell. This malicious software is designed to infiltrate and exploit computer systems, often entering undetected through suspicious downloads, emails, or websites. Once inside a system, it can steal personal informatio
Associated Threat Actors
ID | Type | Votes | Profile Description
Wekby | Unspecified | 1 | Wekby, also known as APT18, is a threat actor suspected to be based in China. This group has been actively involved in executing malicious activities for several years, targeting a wide range of sectors including Aerospace and Defense, Construction and Engineering, Education, Health and Biotechnolog
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2010-0738 | Unspecified | 1 | None
CVE-2011-3544 | Unspecified | 1 | None
Source Document References
Information about the HTTPBrowser Malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | Threat Group-3390 Targets Organizations for Cyberespionage
MITRE | a year ago | Emissary Panda – A potential new malicious tool
MITRE | a year ago | BRONZE UNION Cyberespionage Persists Despite Disclosures
MITRE | a year ago | New Wekby Attacks Use DNS Requests As Command and Control Mechanism