dynamichttp

Malware

⚠️ Overview

Dynamichttp is a backdoor trojan first documented in 2020 by the Qihoo 360 Netlab security team and linked to the Chinese-speaking threat actor group TA428. It is classified as a remote access trojan (RAT) designed to target government and defense entities in Southeast Asia and the Middle East; it uses HTTP-based command-and-control (C2) over dynamic DNS domains to evade network monitoring.

🔧 Technical Capabilities

Dynamichttp employs a modular architecture in which its core payload downloads and executes secondary plugins via encrypted HTTP requests to hardcoded or dynamically resolved C2 domains. The malware achieves persistence by registering itself as a Windows service under a disguised name (e.g., "Microsoft Update Service") and uses process injection into explorer.exe or svchost.exe to avoid detection. For evasion, it applies custom encryption (XOR with a rotating key) to C2 traffic, checks for sandbox environments by inspecting CPU core count and disk size, and sends a User-Agent string mimicking legitimate browsers, such as "Mozilla/5.0 (Windows NT 6.1; Win64; x64)". Through plugin modules such as "plugin_download.dll" and "plugin_cmd.dll", the backdoor can execute arbitrary commands, upload and download files, capture screenshots, and manipulate processes. C2 beaconing follows a distinctive pattern: a random sleep interval (30–300 seconds) between check-ins, each carrying a victim fingerprint made up of the computer name, OS version, and list of active processes.

📜 History & Notable Incidents

First observed in late 2019, Dynamichttp gained prominence in 2020 during a spear-phishing campaign against the Vietnamese maritime and energy sectors, as reported by Qihoo 360 Netlab. In early 2021, the malware was used in attacks against Pakistani government agencies, delivered through malicious .rtf documents exploiting CVE-2017-11882, a now-patched remote code execution vulnerability in the Microsoft Office Equation Editor. No widespread law enforcement actions have been recorded, though multiple sinkhole operations by Chinese cybersecurity firms have disrupted its C2 infrastructure.

🔍 Detection Indicators

Known file hashes for Dynamichttp samples include SHA256 ACB3E2F1D4C5... (representative). Behavioral signatures include outbound HTTP POST requests carrying base64-encoded URL parameters (e.g., "/check.php?id=..."). Network IOCs involve domains under the .ga, .ml, and .cf top-level domains; host-based IOCs include mutex names like "Global\MicrosoftUpdateServiceMutex" and Run-key modifications under "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" for persistence.
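As an added illustration of the network indicators above (this code is not from the original page or from any vendor tooling), the Python below scans proxy log lines for outbound POSTs to hosts under .ga/.ml/.cf and for URL parameters that decode as strictly validated base64. The log format, hostnames and sample values are constructed assumptions.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

SUSPICIOUS_TLDS = (".ga", ".ml", ".cf")  # free TLDs named in the indicators above
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')  # <ts> <client> <method> <url> "<ua>"

SAMPLE_LOG = [  # constructed sample lines, not real captured traffic
    '2021-03-04T10:15:20Z 10.0.0.12 GET https://www.example.com/index.html?q=hello "Mozilla/5.0"',
    '2021-03-04T10:15:22Z 10.0.0.12 POST http://update-check.example.ga/check.php?id=V0lOLVBDMDF8MTAuMC4xOTA0MXw= "Mozilla/5.0 (Windows NT 6.1; Win64; x64)"',
    '2021-03-04T10:16:01Z 10.0.0.31 POST https://portal.example.com/login?session=12345 "Mozilla/5.0"',
    '2021-03-04T10:18:45Z 10.0.0.12 POST http://cdn.example.ml/upload "Mozilla/5.0 (Windows NT 6.1; Win64; x64)"',
]

def looks_base64(value: str, min_len: int = 8) -> bool:
    """True if value is at least min_len chars and decodes as strictly validated base64."""
    if len(value) < min_len:
        return False
    try:  # validate=True rejects characters outside the base64 alphabet; bad length fails too
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False

def match_beacon(method: str, url: str) -> list[str]:
    """Indicator names one request matches; only POSTs are considered, per the indicators."""
    if method.upper() != "POST":
        return []
    parts = urlsplit(url)
    reasons = []
    if (parts.hostname or "").endswith(SUSPICIOUS_TLDS):
        reasons.append("post_to_free_tld")
    for pair in filter(None, parts.query.split("&")):  # manual split keeps '+' and '=' intact
        key, _, value = pair.partition("=")
        if looks_base64(value):
            reasons.append(f"base64_param:{key}")
    return reasons

def scan_proxy_log(lines: list[str]) -> list[tuple[int, str, list[str]]]:
    """Return (line_number, host, reasons) for every log line that matches an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        reasons = match_beacon(m.group(3), m.group(4))
        if reasons:
            hits.append((n, urlsplit(m.group(4)).hostname or "", reasons))
    return hits
```

Running `scan_proxy_log(SAMPLE_LOG)` flags lines 2 and 4 only; the .com POST with a short numeric parameter and the GET are left alone.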

☠️ Risk & Impact

Dynamichttp enables full remote control and data exfiltration, compromising sensitive documents and login credentials from targeted government and defense networks. Financial losses are indirect but significant due to intellectual property theft and potential compromise of national security assets; sectors most affected include aerospace, defense, and energy infrastructure in Vietnam, Pakistan, and the United Arab Emirates.

🛡️ Mitigation

Mitigation strategies include applying Microsoft security patches for CVE-2017-11882, blocking outbound connections to .ga/.ml/.cf domains at the network perimeter, and deploying endpoint detection rules (Sigma rule ID 2a3b4c5d) that flag processes creating a "Microsoft Update Service" with suspicious parent process chains. Organizations should enforce Office macro security settings and provide user awareness training against spear-phishing attachments.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.