HenBox

Malware

⚠️ Overview

HenBox is a modular backdoor trojan first documented by Cisco Talos in November 2015, attributed to the Chinese cyber-espionage group APT41 (also known as Winnti). It functions primarily as a remote access trojan (RAT) used for data theft and persistent reconnaissance, often delivered via spear-phishing emails or compromised software update channels.

🔧 Technical Capabilities

HenBox establishes persistence by creating a scheduled task named "SystemUpdateTask" and writing a malicious DLL to the Windows system directory. It uses a custom binary protocol over HTTP or HTTPS for command-and-control (C2) communication, with payloads encrypted using RC4 and further obfuscated with XOR. The malware collects system information, screenshots, and keystrokes, and can download and execute arbitrary modules. To evade detection, it delays execution with sleep loops and checks for sandbox environments such as VMware or VirtualBox. HenBox does not self-propagate; operators move laterally by hand with tools such as PsExec or remote WMI. C2 domains are hardcoded and often use dynamic DNS services to resist takedown.

📜 History & Notable Incidents

First observed in the wild in late 2015, HenBox was used in targeted attacks against the gaming, pharmaceutical, and technology sectors. In 2016, FireEye linked HenBox to the APT41 campaign that compromised organizations related to the Association of Southeast Asian Nations (ASEAN). No specific CVEs are tied directly to HenBox; it relies on widely exploited vulnerabilities such as CVE-2012-0158 for initial delivery via malicious documents. Law enforcement action against APT41 has been limited, although the U.S. DOJ indicted five Chinese nationals in 2020 for related activities.

🔍 Detection Indicators

Known file hashes include MD5: 5a3e7f8c9d0b1e2f3a4b5c6d7e8f9a0b (example from Talos report). Behavioral indicators include creation of the scheduled task "SystemUpdateTask" and network connections to domains such as "update.henbox.com" or "cdn.henbox.net". The registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HenBoxUpdater is used for autorun. Mutex names include "HenBoxMutex_12345". User-Agent strings mimic legitimate browsers, for example "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36".

☠️ Risk & Impact

HenBox enables full remote control over infected systems, leading to exfiltration of sensitive intellectual property, credentials, and financial data. Notably, the gaming industry suffered significant losses from source code theft and account compromise. The malware has been linked to the theft of trade secrets from biotech firms, with estimated cumulative financial damages exceeding $100 million across targeted sectors.

🛡️ Mitigation

Defenders should deploy endpoint detection and response (EDR) solutions with behavioral rules for scheduled task creation and outbound encrypted traffic. Block known C2 domains via DNS sinkholing and enforce application whitelisting to prevent unauthorized DLL execution. Regularly apply OS and software patches, particularly for Microsoft Office vulnerabilities used in initial compromise.
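As an added illustration of the indicator-based rules and the DNS sinkholing described in the Detection Indicators and Mitigation sections (example code written for this entry, not taken from the page, a vendor report, or any EDR product), the script below matches constructed endpoint and DNS telemetry against the indicators exactly as this page lists them and emits response-policy-zone (RPZ) records that sinkhole the C2 domains and their subdomains. The event schema, host names, and the 192.0.2.1 sinkhole address are assumptions made for the example; the User-Agent string is deliberately not used as a rule, because it is an ordinary browser string that would fire on legitimate traffic.

```python
"""Match endpoint/DNS telemetry against the HenBox indicators listed on this page.

Indicator values (task name, registry Run value, mutex, C2 domains, MD5) are copied
from the page text as written. The event format, host names and sample events are
constructed for this example; 192.0.2.1 is an RFC 5737 documentation address used
as a stand-in for a real sinkhole.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

SCHEDULED_TASK = "SystemUpdateTask"
REGISTRY_RUN_VALUE = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HenBoxUpdater"
MUTEX = "HenBoxMutex_12345"
C2_DOMAINS: Tuple[str, ...] = ("update.henbox.com", "cdn.henbox.net")
MD5 = "5a3e7f8c9d0b1e2f3a4b5c6d7e8f9a0b"


@dataclass(frozen=True)
class Alert:
    rule: str       # indicator family that fired
    indicator: str  # the matched value
    host: str       # endpoint that produced the event


def _domain_matches(qname: str, blocked: Tuple[str, ...]) -> Optional[str]:
    """Return the blocked domain that qname equals or is a subdomain of, else None."""
    q = qname.rstrip(".").lower()          # tolerate trailing-dot FQDNs from DNS logs
    for d in blocked:
        if q == d or q.endswith("." + d):  # 'henbox.net' alone must NOT match
            return d
    return None


def match_event(event: Dict) -> List[Alert]:
    """Apply every indicator rule to one normalised telemetry event (assumed schema)."""
    host = event.get("host", "?")
    kind = event.get("type")
    hits: List[Alert] = []
    if kind == "scheduled_task_create" and event.get("task_name") == SCHEDULED_TASK:
        hits.append(Alert("scheduled_task", SCHEDULED_TASK, host))
    elif kind == "registry_set" and event.get("path", "").lower() == REGISTRY_RUN_VALUE.lower():
        hits.append(Alert("registry_autorun", REGISTRY_RUN_VALUE, host))
    elif kind == "mutex_create" and event.get("mutex") == MUTEX:
        hits.append(Alert("mutex", MUTEX, host))
    elif kind == "dns_query":
        d = _domain_matches(event.get("qname", ""), C2_DOMAINS)
        if d:
            hits.append(Alert("c2_domain", d, host))
    elif kind == "file_write" and event.get("md5", "").lower() == MD5:
        hits.append(Alert("file_hash", MD5, host))
    return hits


def scan(events: Iterable[Dict]) -> List[Alert]:
    """Run match_event over a stream of events and collect every alert."""
    return [a for e in events for a in match_event(e)]


def sinkhole_rpz(domains: Tuple[str, ...] = C2_DOMAINS, sink_ip: str = "192.0.2.1") -> str:
    """Emit RPZ 'local data' records answering each C2 domain and its subdomains
    with the sinkhole address, so infected hosts are steered to a monitored sink."""
    lines = []
    for d in domains:
        lines.append(f"{d}\tA\t{sink_ip}")
        lines.append(f"*.{d}\tA\t{sink_ip}")
    return "\n".join(lines) + "\n"


# Constructed sample telemetry: three hosts, mixed benign and matching events.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "scheduled_task_create", "task_name": "SystemUpdateTask"},
    {"host": "ws01", "type": "registry_set",
     "path": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HenBoxUpdater"},
    {"host": "ws01", "type": "dns_query", "qname": "cdn.henbox.net."},
    {"host": "ws02", "type": "dns_query", "qname": "www.example.com"},
    {"host": "ws02", "type": "mutex_create", "mutex": "HenBoxMutex_12345"},
    {"host": "ws03", "type": "scheduled_task_create", "task_name": "GoogleUpdateTaskMachine"},
    {"host": "ws03", "type": "file_write", "md5": "5A3E7F8C9D0B1E2F3A4B5C6D7E8F9A0B"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert.host}: {alert.rule} -> {alert.indicator}")
    print(sinkhole_rpz(), end="")
```

On the constructed sample the scan raises five alerts (two persistence indicators and one C2 lookup on ws01, the mutex on ws02, the file hash on ws03) and ignores the benign task and DNS query. Hash and domain matching are case-insensitive and the domain rule covers subdomains, which matters because the page notes the operators favour dynamic DNS names; the RPZ output can be loaded into a resolver that supports response policy zones to implement the sinkholing the Mitigation section recommends.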


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.