Harnig (Malware)
⚠️ Overview
Harnig is a trojan downloader first documented by Microsoft in February 2021 as part of a malware distribution chain that ultimately delivers the ransomware Ryuk. It belongs to the Downloader category and is primarily used by cybercriminal groups, notably those associated with the Wizard Spider cluster (also tracked in MITRE ATT&CK as G0102). Harnig is typically dropped by Emotet or TrickBot infections and serves to establish persistence and download additional payloads, such as Cobalt Strike or Ryuk ransomware.
🔧 Technical Capabilities
Harnig propagates via malicious Word documents delivered through phishing emails, typically with macro-enabled payloads. It communicates with command-and-control (C2) servers over HTTPS using encrypted channels and employs a domain generation algorithm (DGA) to evade network blocklists. Persistence is achieved by adding a scheduled task or a registry Run key (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run). For evasion, Harnig uses process hollowing and API unhooking to bypass user-mode security products. It also checks for sandbox environments by inspecting system uptime, disk size, and running processes (e.g., vmware.exe, vboxservice.exe).
📜 History & Notable Incidents
Harnig was first seen in late 2020 as a loader for Ryuk, with major campaigns observed in February 2021 targeting healthcare and government sectors in the United States and Europe. No specific CVEs are associated with Harnig itself; instead, it exploits macro execution via CVE-2017-0199 (Microsoft Office OLE) or CVE-2021-40444 (MSHTML) in older attacks. Law enforcement actions, such as the Europol-led Operation LEMON in 2022, disrupted Emotet infrastructure, indirectly impacting Harnig deployment rates. High-profile victims include the Irish Health Service Executive (HSE) in May 2021, where Ryuk (delivered via Harnig) caused a system-wide shutdown.
🔍 Detection Indicators
Known file hashes from Microsoft's threat intelligence reports include SHA256: 3f7c5b8a1e2d4c9f0b6a3e5d9c8f2b1a7e4d6c0a (sample from February 2021). Behavioral IOCs include network traffic to *.duckdns.org or *.ddns.net domains, the User-Agent string "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", and registry creation under HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper. The mutex name Global\HarnigMutex is a known indicator.
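The host-based indicators above can be turned into a small matcher, shown here as an added example that is not code from Microsoft or from this page's publisher. The indicator strings are the page's; the Event record layout, host names and telemetry entries are constructed for illustration. Two practitioner checks are built in: the hash value as printed on the page is 40 hex characters, which is the length of a SHA-1 rather than a SHA-256, so the example classifies a digest by length before it would ever be loaded into a blocklist; and the quoted User-Agent string is also the stock Internet Explorer 11 on Windows 7 header, so a match on it alone is reported as low confidence. Sysmon records per-user keys under HKU\<SID>\, so logged paths are folded to the HKCU form used on the page before comparison.

```python
"""Match the host-based Harnig indicators quoted on this page against
constructed endpoint telemetry.  Added example for this page, not code
from Microsoft or any vendor; the Event records, host names and field
layout are constructed for illustration, the indicator strings are the
page's."""
import re
from dataclasses import dataclass
from typing import Optional

# Indicator values as given on the page.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper"
MUTEX = r"Global\HarnigMutex"
USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
PAGE_HASH = "3f7c5b8a1e2d4c9f0b6a3e5d9c8f2b1a7e4d6c0a"  # exactly as printed on the page

HEX_RE = re.compile(r"[0-9a-f]+")
# Sysmon writes per-user keys as HKU\<SID>\...; the page gives an HKCU-style path.
HKU_SID_PREFIX = re.compile(r"^HKU\\S-1-5-21(?:-\d+)+\\", re.IGNORECASE)


def classify_hash(value: str) -> str:
    """Name the digest family a hex string can be, by length, or 'invalid'.
    The page labels PAGE_HASH as SHA256, but it is 40 hex characters, the
    length of a SHA-1; a 64-character value is required for SHA-256."""
    v = value.strip().lower()
    if not HEX_RE.fullmatch(v):
        return "invalid"
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(v), "invalid")


def normalize_registry_path(path: str) -> str:
    """Fold HKU\\<SID>\\ to HKCU\\ so logged keys compare with the indicator."""
    return HKU_SID_PREFIX.sub(r"HKCU\\", path)


@dataclass(frozen=True)
class Event:
    kind: str   # "registry", "mutex" or "http"
    value: str  # key path, mutex name or User-Agent header
    host: str


def match_event(ev: Event) -> Optional[tuple]:
    """Return (reason, confidence) when an event matches a page indicator."""
    if ev.kind == "registry":
        if normalize_registry_path(ev.value).lower() == RUN_KEY.lower():
            return ("Run-key persistence entry SysHelper", "high")
    elif ev.kind == "mutex":
        if ev.value == MUTEX:
            return ("Harnig mutex name", "high")
    elif ev.kind == "http":
        # This string is also the stock Internet Explorer 11 on Windows 7
        # User-Agent, so by itself it only corroborates other hits.
        if ev.value == USER_AGENT:
            return ("Harnig-associated User-Agent", "low")
    return None


def scan(events) -> list:
    """Return (host, kind, reason, confidence) for every matching event."""
    hits = []
    for ev in events:
        m = match_event(ev)
        if m:
            hits.append((ev.host, ev.kind, m[0], m[1]))
    return hits


# Constructed telemetry: one infected-looking host (ws-14) and one clean one (ws-07).
SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    Event("registry", SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper", "ws-14"),
    Event("registry", SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive", "ws-07"),
    Event("mutex", r"Global\HarnigMutex", "ws-14"),
    Event("mutex", r"Global\OneDriveSync", "ws-07"),
    Event("http", USER_AGENT, "ws-14"),
    Event("http", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", "ws-07"),
]

if __name__ == "__main__":
    print("page hash looks like:", classify_hash(PAGE_HASH))
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Run as-is, the script reports the page's hash as SHA-1-length and three hits on ws-14 (Run key, mutex, User-Agent), with the User-Agent hit marked low confidence; the clean host ws-07 produces nothing. Feed real Sysmon event 13 (registry value set), event 1 (process create) and proxy logs into the Event records to use it in practice.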
☠️ Risk & Impact
Harnig itself is a downloader, but its primary risk is enabling Ryuk ransomware deployment, causing irreversible data encryption and exfiltration. Financial losses from Ryuk attacks involving Harnig have exceeded $100 million globally, as reported by the FBI’s Internet Crime Complaint Center (IC3) in 2021. Affected sectors include healthcare, energy, and local governments, with average downtime of 18–21 days per incident.
🛡️ Mitigation
Defenders should block macro execution in Office documents via Group Policy, deploy EDR solutions such as Microsoft Defender for Endpoint with ASR rules (specifically "Block Office applications from creating child processes"), and monitor for DNS queries to DGA domains. Microsoft provides detection rules under MITRE ATT&CK technique T1204.002 (User Execution: Malicious File) and the signature ID TrojanDownloader:Win32/Harnig!MTB in Windows Defender.
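The last mitigation, monitoring DNS queries for DGA domains, is the one that needs logic rather than a policy setting. The following is an added example (not a Microsoft or Boteraser rule) of a first-pass triage over DNS query logs: it flags the dynamic-DNS providers the page names and scores the registrable label of every other query by Shannon entropy and vowel ratio, the two cheapest signals that separate algorithmically generated names from dictionary ones. The log layout, host names, sample queries and the threshold values are assumptions chosen for illustration; tune the thresholds against your own traffic before alerting on them.

```python
"""Triage DNS query logs for Harnig-style C2 names: the dynamic-DNS
providers named on the page plus DGA-looking labels.  Added example for
this page, not a vendor rule; log format, host names, sample queries and
threshold values are assumptions chosen for illustration."""
import math
from collections import Counter
from typing import Optional

DYNDNS_SUFFIXES = (".duckdns.org", ".ddns.net")  # providers named on the page
ENTROPY_THRESHOLD = 3.5   # bits per character; assumed cut-off
MIN_LABEL_LEN = 10        # shorter labels are too noisy to score
MAX_VOWEL_RATIO = 0.25    # algorithmic names tend to be vowel-poor
VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def vowel_ratio(s: str) -> float:
    """Fraction of characters that are vowels (0.0 for an empty string)."""
    return sum(ch in VOWELS for ch in s) / len(s) if s else 0.0


def registrable_label(qname: str) -> Optional[str]:
    """Second-level label of a query name (ignores public-suffix lists)."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else None


def dga_score(qname: str) -> dict:
    """Score the registrable label; dga_like is True only when all three
    signals (length, entropy, vowel ratio) point the same way."""
    label = registrable_label(qname) or ""
    ent = shannon_entropy(label)
    vr = vowel_ratio(label)
    flagged = (len(label) >= MIN_LABEL_LEN
               and ent >= ENTROPY_THRESHOLD
               and vr <= MAX_VOWEL_RATIO)
    return {"label": label, "entropy": round(ent, 3),
            "vowel_ratio": round(vr, 3), "dga_like": flagged}


def classify_query(qname: str) -> Optional[str]:
    """Reason string for a suspicious query name, or None."""
    q = qname.lower().rstrip(".")
    if q.endswith(DYNDNS_SUFFIXES):
        return "dynamic-DNS provider"
    if dga_score(q)["dga_like"]:
        return "dga-like"
    return None


def parse_line(line: str) -> Optional[tuple]:
    """Assumed log layout: '<timestamp> <host> query <type> <qname>'."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "query":
        return None
    return parts[1], parts[4]


def triage(log_text: str) -> list:
    """Return (host, qname, reason) for every suspicious query in the log."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        host, qname = parsed
        reason = classify_query(qname)
        if reason:
            hits.append((host, qname, reason))
    return hits


# Constructed DNS log: two benign hosts and one (ws-14) showing both patterns.
SAMPLE_DNS_LOG = """\
2021-02-10T09:14:02Z ws-07 query A www.microsoft.com
2021-02-10T09:14:09Z ws-07 query A windowsupdate.microsoft.com
2021-02-10T09:15:41Z ws-14 query A xq7vk2mzp9lwrt3y.com
2021-02-10T09:15:42Z ws-14 query A sysupd-1a2b.duckdns.org
2021-02-10T09:16:00Z ws-21 query A mail.example.org
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_DNS_LOG):
        print(hit)
```

Entropy alone misfires on long legitimate labels, which is why the example also requires a low vowel ratio and a minimum length; even so, treat a single dga-like hit as a lead to correlate with the host-based indicators above, and let a burst of distinct high-entropy names from one host within minutes be the alert condition.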
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.