Mallory

Malware profile: used by 4 actors, exploits 3 CVEs

Hydraq

Also known as: 9002 RAT, Aurora, HidraQ, HomeUnix, Homux, McRat, MdmBot, Roarur

Hydraq, also known as 9002 RAT, McRat, Aurora, Hidraq, Homeunix/Homux, Mdmbot, and Roarur, is a Windows remote access trojan/backdoor that has been in use since at least 2009 and has historically been associated with state-sponsored activity. It is notably linked to Operation Aurora, the intrusion campaign that targeted Google, Adobe, and at least 34 companies in the technology, financial, and defense sectors. Public reporting states that the malware used in those attacks was later concluded to be the same code as Trojan.Hydraq. Initial access in Operation Aurora involved exploitation of a zero-day Internet Explorer vulnerability via a malicious website, and some reporting also noted malicious PDF attachments exploiting Adobe Reader/Acrobat vulnerabilities in parts of the broader campaign.

Hydraq creates a backdoor that lets a remote operator retrieve system information from Registry keys (including CPU speed), monitor services, clear all system event logs, load and call DLL functions, and modify or delete Registry subkeys. It establishes persistence by creating a Registry subkey that registers a service of its own, and it can later uninstall itself by deleting that value. The malicious DLL is executed by svchost.exe as a member of a new service group. Command-and-control traffic is encoded with bitwise NOT and XOR operations. The malware also includes a VNC-based component capable of streaming a live feed of the infected host's desktop.

Public reporting also associates 9002 RAT/Hydraq/McRat with later China-linked espionage activity, including use by Webworm and references to APT17 activity against Italy. Webworm was reported to have used customized versions of 9002 RAT alongside Trochilus and Gh0st RAT, and Symantec noted that Webworm modified the 9002 RAT communication protocol, including encryption details, to evade detection. Targeting associated with these reports includes government agencies and enterprises in IT services, aerospace, and electric power, including organizations in Russia, Georgia, Mongolia, other Asian countries, and later Europe. High-confidence behavioral indicators drawn from that reporting include service-based persistence via Registry service registration, execution through svchost.exe, NOT/XOR-encoded C2 traffic, Registry interaction for host profiling and persistence management, service monitoring, event log clearing, DLL loading/invocation, and VNC-style desktop streaming.
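A detection sketch for three of the behavioral indicators listed above (a new svchost-hosted service, a ServiceDll pointing outside System32, and event log clearing), written as an added example that is not part of this page or of any vendor rule. The host names and event records are constructed; the event IDs are the standard ones (System 7045 for a newly installed service, Security 1102 and System 104 for log clearing, Sysmon 13 for a Registry value being set).

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the page): Windows/Sysmon events
# flattened into dicts, as a SIEM pipeline might normalize them.
EVENTS = [
    {"host": "ws01", "id": 7045, "svc": "RasAuto2",
     "image": r"%SystemRoot%\System32\svchost.exe -k netsvcs"},
    {"host": "ws01", "id": 13,  # Sysmon: Registry value set
     "target": r"HKLM\System\CurrentControlSet\Services\RasAuto2\Parameters\ServiceDll",
     "details": r"C:\Windows\Temp\rasmon.dll"},
    {"host": "ws01", "id": 1102},  # Security log cleared
    {"host": "ws02", "id": 7045, "svc": "Spooler",
     "image": r"%SystemRoot%\System32\spoolsv.exe"},
    {"host": "ws02", "id": 13,
     "target": r"HKLM\System\CurrentControlSet\Services\Dhcp\Parameters\ServiceDll",
     "details": r"%SystemRoot%\System32\dhcpcore.dll"},
]

SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.I)
SERVICEDLL_RE = re.compile(r"\\Services\\([^\\]+)\\Parameters\\ServiceDll$", re.I)
TRUSTED_DLL_DIR = re.compile(r"^(%SystemRoot%|C:\\Windows)\\System32\\", re.I)

def analyze(events):
    """Return {host: [(tag, message), ...]} for the behaviours described above."""
    findings = defaultdict(list)
    for e in events:
        h = e["host"]
        if e["id"] == 7045 and (m := SVCHOST_RE.search(e.get("image", ""))):
            findings[h].append(("persistence",
                f"new svchost-hosted service {e['svc']} (group {m.group(1)})"))
        elif e["id"] == 13 and (m := SERVICEDLL_RE.search(e.get("target", ""))):
            # A ServiceDll loaded by svchost from outside System32 is the pattern to flag.
            if not TRUSTED_DLL_DIR.match(e.get("details", "")):
                findings[h].append(("persistence",
                    f"ServiceDll of {m.group(1)} outside System32: {e['details']}"))
        elif e["id"] in (1102, 104):
            findings[h].append(("antiforensics", "event log cleared"))
    return dict(findings)

def score(findings):
    """Escalate when service persistence and log clearing co-occur on one host."""
    sev = {}
    for host, fs in findings.items():
        tags = {tag for tag, _ in fs}
        persist, cleared = "persistence" in tags, "antiforensics" in tags
        sev[host] = "high" if persist and cleared else ("medium" if persist else "low")
    return sev
```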


EXPLOITED CVES

Vulnerabilities exploited

3 CVEs Mallory has correlated with this family across public research and vendor advisories.
CVE-2013-1347: Microsoft Internet Explorer 8 CGenericElement use-after-free (exploited in the wild)

FireEye recently identified another targeted attack campaign that leveraged both the recently announced Internet Explorer zero-day, CVE-2013-1347, as well as recently patched Java exploits CVE-2013-2423 and CVE-2013-1493. ... If a visitor to one of these compromised websites was running Internet Explorer 8.0, the malicious JavaScript would redirect them to a page at www[.]sunshop[.]com[.]tw hosting a CVE-2013-1347 exploit. ... The Internet Explorer (CVE-2013-1347) exploit code pulled down a "9002" RAT from another compromised site at hk[.]sz181[.]com.

via FireEye (fireeye.com)

CVE-2013-2423: Oracle Java HotSpot sandbox bypass / integrity vulnerability (exploited in the wild)

The Java exploits were packaged as two different jar files. One jar file had an MD5 of f4bee1e845137531f18c226d118e06d7 and exploited CVE-2013-2423. The jar that exploited CVE-2013-2423 dropped a 9002 RAT with an MD5 of d99ed31af1e0ad6fb5bf0f116063e91f. This RAT connected to a command and control server at asp[.]homesvr[.]linkpc[.]net.

via FireEye (fireeye.com)

CVE-2013-1493: Oracle Java CMM crafted raster parameters remote code execution (exploited in the wild)

The second jar file had an MD5 of 3fbb7321d8610c6e2d990bb25ce34bec and exploited CVE-2013-1493. ... The jar that exploited CVE-2013-1493 dropped a 9002 RAT with an MD5 of 42bd5e7e8f74c15873ff0f4a9ce974cd. ... The exploit site at sunshop[.]com[.]tw previously hosted a different malicious jar file on April 2, 2013. This jar file had an MD5 of 51aff823274e9d12b1a9a4bbbaf8ce00. It exploited CVE-2013-1493 and dropped a Poison Ivy RAT.

via FireEye (fireeye.com)

THREAT ACTORS

Groups observed using it

4 distinct threat actors attributed by public researchers.

Webworm

The 9002 RAT appears to have been in use since at least 2009 and has historically been used by state-sponsored actors. The malware provides attackers with extensive data exfiltration capabilities.

via Symantec Enterprise Blogs (symantec-enterprise-blogs.security.com)

Space Pirates

The 9002 RAT appears to have been in use since at least 2009 and has historically been used by state-sponsored actors. The malware provides attackers with extensive data exfiltration capabilities.

via Symantec Enterprise Blogs (symantec-enterprise-blogs.security.com)

APT17

…APT17 Intensifies Cyberespionage against Italy Using 9002 RAT…

via ETH Zurich News (ethz.ch)

SABRE PANDA

"MoonTag samples match a YARA rule named 'MAL_APT_9002_SabrePanda' that detects samples from the 9002 RAT malware family..."

via Symantec blog (security.com)

MITRE ATT&CK

Techniques & procedures

27 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1189 Drive-by Compromise (Evidence: 1)

Although the initial attack occurred when company employees visited a malicious website... Once the user visited the malicious site, their Internet Explorer browser was exploited to download an array of malware to their computer automatically and transparently.

Execution

5 techniques
T1059.004 Unix Shell (Evidence: 1)

The initial piece of code was shell code encrypted three times and that activated the exploit.

T1129 Shared Modules (Evidence: 1)

Astaroth uses the LoadLibraryExW() function to load additional modules. Attor's dispatcher can execute additional plugins by loading the respective DLLs. ... LightSpy's main executable and module .dylib binaries are loaded using ... dlopen() ... dlsym() ... RotaJakiro uses ... .so files ... using dlopen() and dlsym().

T1203 Exploitation for Client Execution (Evidence: 1)

In the wake of Threat Level’s Thursday story disclosing that a zero-day vulnerability in Internet Explorer was exploited by the hackers to gain access to Google and other companies...

T1204.002 Malicious File (Evidence: 1)

Previous research on the group’s activity found that it uses custom loaders hidden behind decoy documents...

T1569.002 Service Execution (Evidence: 1)

"Anchor can create and execute services to load its payload"; "APT32's backdoor has used Windows services as a way to execute its malicious payload"; "Ragnar Locker has used sc.exe to execute a service that it creates"; "Shamoon creates a new service named 'ntssrv' to execute the payload"

Persistence

2 techniques
T1112 Modify Registry (Evidence: 5)

The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.

T1543.003 Windows Service (Evidence: 4)

Catchamas creates three Registry keys to establish persistence by adding a Windows Service; TEARDROP modified the Registry to create a Windows service for itself; NightClub set the ServiceDLL for a service created by the malware.

Stealth

5 techniques
T1027 Obfuscated Files or Information (Evidence: 5)

The logexts.dat file is obfuscated...

T1055 Process Injection (Evidence: 1)

The malware then injects svchost.exe with the ability to: execute commands; download potentially malicious files.

T1070.001 Clear Windows Event Logs (Evidence: 1)

“APT28 has cleared event logs, including by using the commands wevtutil cl System and wevtutil cl Security …” / “APT38 clears Window Event logs and Sysmon logs …” / “BlackCat can clear Windows event logs using wevtutil.exe …” / “NotPetya uses wevtutil to clear the Windows event logs …”

T1070.004 File Deletion (Evidence: 6)

The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.

T1620 Reflective Code Loading (Evidence: 1)

Then the file unpacks and executes in memory its backdoor payload, a variant of the Trochilus RAT...

Discovery

5 techniques
T1012 Query Registry (Evidence: 2)

The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."

T1016 System Network Configuration Discovery (Evidence: 2)

The content repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.

T1057 Process Discovery (Evidence: 2)

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

T1082 System Information Discovery (Evidence: 3)

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

T1083 File and Directory Discovery (Evidence: 2)

"...has a command to retrieve metadata for files on disk as well as a command to list the current working directory." / "...can list files and directories." / "...used the following commands... to obtain information about files and directories: dir c:\ >> %temp%\download ..."

Collection

2 techniques
T1005 Data from Local System (Evidence: 2)

The content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.

T1113 Screen Capture (Evidence: 1)

"Agent Tesla can capture screenshots of the victim’s desktop"; "AppleSeed can take screenshots on a compromised host"; "APT28 has used tools to take screenshots from victims"; "Cobalt Strike's Beacon payload is capable of capturing screenshots"; "PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals"; "Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop"

Command and Control

6 techniques
T1071 Application Layer Protocol (Evidence: 1)

Once the hackers were in systems, they siphoned off data to command-and-control servers in Illinois, Texas and Taiwan.

T1071.001 Web Protocols (Evidence: 1)

"capable of communicating over both HTTP and what appears to be fake SSL... attempts to mimic SSL traffic to login.live[.]com by sending that domain in the SNI field" | "This variant of 9002 is capable of communicating over both HTTP... Data sent to the command and control (C&C) in the HTTP POST’s client body is transmitted in an encoded state"

T1105 Ingress Tool Transfer (Evidence: 1)

The malware then injects svchost.exe with the ability to: ... download potentially malicious files.

T1219 Remote Access Tools (Evidence: 1)

One of the malicious programs opened a remote backdoor to the computer, establishing an encrypted covert channel that masqueraded as an SSL connection to avoid detection.

T1572 Protocol Tunneling (Evidence: 1)

One of the malicious programs opened a remote backdoor to the computer, establishing an encrypted covert channel that masqueraded as an SSL connection to avoid detection.

T1573.001 Symmetric Cryptography (Evidence: 1)

"3PARA RAT command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in CBC mode..."; "APT33 has used AES for encryption of command and control traffic."; "Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode)."; "Duqu ... data stream can be encrypted with AES-CBC."; "PoisonIvy uses the Camellia cipher to encrypt communications."

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (Evidence: 1)

The 9002 RAT appears to have been in use since at least 2009... The malware provides attackers with extensive data exfiltration capabilities.

INDICATORS OF COMPROMISE

IOCs tracked for this family

239 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.

Network: 8 tracked (IPs, domains, and DNS infrastructure linked to this family)

Hashes: 16 tracked (file hashes, MD5/SHA-1/SHA-256, from samples and reports)

Other: 215 tracked (other indicator types observed in public reporting)
