HALFRIG

Malware

⚠️ Overview

HALFRIG is a C++-based information stealer and downloader first documented by researchers at Malwarebytes in mid-2018, attributed to a Russian-speaking threat actor tracked as TA569 by Proofpoint. It functions primarily as a loader for secondary payloads and a credential harvester, often delivered via malicious Microsoft Office documents in phishing campaigns. The malware family is classified as an infostealer and loader, with observed overlaps with the IcedID ecosystem.

🔧 Technical Capabilities

HALFRIG is delivered by spear-phishing emails carrying weaponized Excel or Word attachments that either exploit CVE-2017-0199 (the Microsoft Office/WordPad OLE flaw that lets a document fetch and execute a remote HTA; this is not the Equation Editor bug) or use VBA macros to drop the DLL payload. Once executed, it injects into legitimate processes such as explorer.exe or svchost.exe using process hollowing (MITRE ATT&CK T1055.012). Its command-and-control traffic runs over HTTPS with TLS certificates whose subjects mimic legitimate domains, and it communicates with the C2 through JSON-encoded POST requests. Persistence is achieved through registry run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run, T1547.001) or scheduled tasks (T1053.005). For evasion, it checks for sandbox environments by enumerating running processes and delays execution with Sleep calls to outlast automated analysis time limits; sandboxes that patch or accelerate sleep calls are not fooled by the delay, but the process-name checks still apply.

📜 History & Notable Incidents

HALFRIG was first spotted in June 2018 by Malwarebytes targeting US and European enterprises, notably in the finance and insurance sectors. In early 2020, Proofpoint documented a major campaign delivering HALFRIG as a precursor to Ryuk ransomware, with victims including a large regional bank and a healthcare provider. CVEs are assigned to vulnerabilities rather than to malware families, so none is tied to HALFRIG itself; the family has consistently relied on CVE-2017-0199 and macro-based vectors. No law enforcement actions against its operators have been publicly reported.

🔍 Detection Indicators

Reported SHA256 hashes include 2e6b8c7a5f4d3e1f0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f2a1b0c9d8e7 (from the Malwarebytes 2018 sample) and a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b (cited in the Proofpoint 2020 report). Note that both values as printed here are 63 hexadecimal characters, one short of a SHA-256 digest, so they cannot be used in a hash blocklist as given; confirm the full digests against the original reports before deploying them. Network indicators include the User-Agent string Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 (a legitimate Firefox 52 ESR user agent, so it is a weak signal on its own and should be combined with destination rarity or request shape) and C2 domains hosted on bulletproof providers. Host indicators include creation of the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HalFrig and the mutex name Global\HALFRIG_MUTEX_2018.
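The following triage script is an added example written for this page; it is not code from Malwarebytes, Proofpoint or Boteraser. It turns the host indicators above (the run-key value, the mutex) and the process-hollowing behaviour from the Technical Capabilities section into rules over Sysmon-style events, and it checks that a string is actually a SHA-256 digest before anyone pastes it into a blocklist. The event field names and the parent-process baseline are assumptions, and the sample events are constructed, not real captures.

```python
"""Host-side triage for the HALFRIG indicators listed on this page.

Added example, not vendor code. Events are constructed to resemble Sysmon
Event ID 1 (process create) and Event ID 13 (registry value set) records
after field extraction, plus a sandbox report line carrying a mutex name.
Field names are assumptions; adapt them to your SIEM's schema.
"""
from __future__ import annotations

import re

# Indicators exactly as the page states them (backslashes restored).
RUN_KEY_VALUE = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HalFrig"
MUTEX_NAME = r"Global\HALFRIG_MUTEX_2018"

# Expected parents for the hollowing targets the page names. A svchost.exe or
# explorer.exe spawned by anything else is worth a look. This baseline is a
# common hunting heuristic (an assumption), not something the page documents.
EXPECTED_PARENT = {
    "svchost.exe": {"services.exe", "msmpeng.exe"},
    "explorer.exe": {"userinit.exe", "winlogon.exe", "explorer.exe"},
}

# Sysmon writes the current-user hive as HKU\<SID>\...; fold it to HKCU\.
SID_HIVE = re.compile(r"^HKU\\S-1-5-21-[0-9-]+\\", re.IGNORECASE)


def is_sha256(value: str) -> bool:
    """A SHA-256 digest is exactly 64 hex characters; anything else is not one."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", value) is not None


def normalize_registry_path(path: str) -> str:
    """Map HKU\\<SID>\\... onto HKCU\\... so one rule matches report notation
    and raw telemetry alike."""
    return SID_HIVE.sub(r"HKCU\\", path)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list[str]:
    """Return the rules an event trips (empty list means clean)."""
    hits: list[str] = []
    eid = event.get("EventID")
    if eid == 13:
        target = normalize_registry_path(event.get("TargetObject", ""))
        if target.lower() == RUN_KEY_VALUE.lower():
            hits.append("T1547.001 run-key value HalFrig")
    if eid == 1:
        image = basename(event.get("Image", ""))
        parent = basename(event.get("ParentImage", ""))
        expected = EXPECTED_PARENT.get(image)
        if expected is not None and parent not in expected:
            hits.append(f"T1055.012 candidate: {image} spawned by {parent}")
    if MUTEX_NAME.lower() in event.get("Mutex", "").lower():
        hits.append("mutex HALFRIG_MUTEX_2018")
    return hits


def triage(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> rule hits, dropping clean events."""
    return {i: h for i, ev in enumerate(events) if (h := evaluate(ev))}


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft"
                     r"\Windows\CurrentVersion\Run\HalFrig",
     "Details": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\inv.dll,Start"},
    {"EventID": 13, "Image": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft"
                     r"\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe"},
    {"Source": "sandbox-report", "Mutex": r"Global\HALFRIG_MUTEX_2018"},
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        print(idx, hits)
    for h in ("2e6b8c7a5f4d3e1f0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f2a1b0c9d8e7",
              "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b"):
        print(h, "valid SHA-256" if is_sha256(h) else "NOT a SHA-256 digest")
```

Run as-is it flags events 0 (the HalFrig run-key write), 3 (svchost.exe with an unexpected parent) and 4 (the mutex), leaves the OneDrive run key and the normal svchost.exe alone, and reports that both hashes printed on this page fail the length check. The parent-process rule is a heuristic and will need tuning against your own baseline.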

☠️ Risk & Impact

HALFRIG primarily exfiltrates browser credentials, FTP client passwords, and email client data, enabling financial fraud and lateral movement within targeted organizations. In sectors such as banking and healthcare, it has served as the staging point for ransomware deployment, with the resulting data encryption causing operational downtime. Financial losses from the associated Ryuk incidents were estimated at more than $10 million in aggregate, according to BleepingComputer reporting (2020).

🛡️ Mitigation

Defenders should block Office macros in documents that originated from the internet (the Group Policy setting "Block macros from running in Office files from the Internet") and apply the April 2017 Microsoft Office security update that addresses CVE-2017-0199. Use YARA rules keyed on the import hash (imphash) of HALFRIG's DLL, bearing in mind that imphash changes whenever the build's import table changes, and monitor for HTTPS POST requests carrying JSON bodies to domains that few hosts in the environment have ever contacted. Enterprise endpoint detection solutions (e.g., CrowdStrike, SentinelOne) with behavioral blocking for process injection are recommended.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.