HTTP(S) uploader
Loader

⚠️ Overview
HTTP(S) uploader is a generic classification for malware that exfiltrates stolen data or uploads payloads over HTTP or HTTPS, typically acting as a second-stage dropper or data stealer. It is a behavioral category rather than a single named family: first documented in threat reports from 2016 by Palo Alto Networks Unit 42, the label has been applied to components seen in numerous campaigns, frequently attributed to financially motivated groups such as TA505 and FIN7. The category spans stealer, downloader and backdoor functions, and established families such as BumbleBee and IcedID include HTTP upload capabilities.
🔧 Technical Capabilities
HTTP(S) uploader malware typically sends stolen credentials, screenshots or system information to attacker-controlled C2 servers in HTTP POST requests, wrapping them in TLS so the uploads blend into ordinary HTTPS traffic and are opaque to network inspection unless the traffic is intercepted. Initial access comes through phishing emails carrying macro-enabled documents or ISO files, or through exploitation of CVE-2021-26411 (an Internet Explorer memory-corruption vulnerability); living-off-the-land binaries such as PowerShell are then used for lateral movement. Persistence is achieved through registry Run keys or scheduled tasks, and evasion techniques include API unhooking, process hollowing and debugger checks. The malware commonly presents a User-Agent string that mimics a legitimate browser (for example, one beginning with Mozilla/5.0) and uses domain generation algorithms (DGAs) seeded with the current date, so C2 domains change daily and static domain blocklists lag behind.
📜 History & Notable Incidents
In 2020, a variant dubbed Dridex loader delivered ransomware payloads over HTTPS in campaigns against the healthcare and finance sectors; CISA alert AA20-302A (October 2020) documents the ransomware activity against the healthcare sector in that period. A 2022 incident involving IcedID (MITRE ATT&CK ID S0483) used HTTP POST uploads for credential theft after exploiting CVE-2022-30190 (Follina) in corporate networks. No law enforcement takedown has targeted "HTTP uploader" as such, since it is a category rather than a family, but the Europol-coordinated Operation Endgame (May 2024) disrupted botnets, IcedID and BumbleBee among them, that rely on the same upload techniques.
🔍 Detection Indicators
Known file hashes vary per campaign; the page's source quotes a truncated SHA256 beginning 3d4f... (reported via VirusTotal for a 2023 sample), which is not usable as an indicator on its own. Behavioral signatures: outbound POST requests to non-standard ports (8080, 8443) carrying encrypted or compressed bodies, and creation of mutexes such as "GlobalUploaderMutex". Persistence registry value: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater. Network IOCs: domains such as updater[.]xyz and the range 185.224.128.0/22 (identified by Cisco Talos). User-Agent strings often spoof "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"; a genuine Chromium browser continues that string with a Chrome and Safari token, so a User-Agent that stops at AppleWebKit/537.36 is itself an anomaly worth alerting on. Treat the domain, IP range and mutex name as campaign-specific and confirm them against a current threat feed before blocking on them.
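The behavioral indicators above can be turned into a detection that runs over proxy or web-gateway logs. The following is an added example written for this page, not code from the original or from any vendor: it assumes a hypothetical space-separated record layout (timestamp, source IP, destination host, port, method, URI, status, bytes sent, content type, User-Agent), a placeholder egress allowlist of hosts permitted to receive POSTs, and constructed sample records. It scores each POST on the page's indicators (unlisted destination, non-standard port, the quoted IP range, the truncated browser User-Agent, bulk or binary request bodies) and alerts only when several signals corroborate each other, which keeps a single noisy signal such as an 8443 port from paging anyone.

```python
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical egress allowlist: hosts workstations may legitimately POST to.
ALLOWED_POST_HOSTS = {"crm.corp.example", "login.microsoftonline.com"}
# Ports the page singles out as commonly used for uploads.
NON_STANDARD_PORTS = {8080, 8443}
# Address range quoted on the page (attributed there to Cisco Talos).
SUSPECT_NETS = [ipaddress.ip_network("185.224.128.0/22")]
# The spoofed UA stops at AppleWebKit/537.36; a genuine Chromium UA continues
# with "(KHTML, like Gecko) Chrome/... Safari/537.36", so a bare tail is odd.
TRUNCATED_BROWSER_UA = re.compile(r"AppleWebKit/537\.36$")
BINARY_BODY_TYPES = {"application/octet-stream", "application/gzip", "application/zip"}
BYTES_OUT_THRESHOLD = 100_000  # a single POST above 100 KB is rare for form use
MIN_REASONS = 2                # require corroborating signals before alerting


@dataclass
class Event:
    ts: str
    src_ip: str
    dst_host: str
    dst_port: int
    method: str
    uri: str
    status: int
    bytes_out: int
    content_type: str
    user_agent: str


@dataclass
class Alert:
    event: Event
    reasons: list


def parse_line(line: str) -> Event:
    """Parse one record of the hypothetical layout; the UA is the trailing free text."""
    parts = line.split(None, 9)
    if len(parts) != 10:
        raise ValueError(f"malformed record: {line!r}")
    ts, src, host, port, method, uri, status, bytes_out, ctype, ua = parts
    return Event(ts, src, host, int(port), method, uri, int(status), int(bytes_out), ctype, ua)


def score_event(ev: Event) -> list:
    """Return the uploader indicators an event exhibits (empty list for benign)."""
    if ev.method != "POST":
        return []
    reasons = []
    if ev.dst_host not in ALLOWED_POST_HOSTS:
        reasons.append("post_to_unlisted_destination")
    if ev.dst_port in NON_STANDARD_PORTS:
        reasons.append("non_standard_port")
    try:
        addr = ipaddress.ip_address(ev.dst_host)
    except ValueError:
        addr = None  # destination was a hostname, not a literal IP
    if addr is not None and any(addr in net for net in SUSPECT_NETS):
        reasons.append("known_bad_range")
    if TRUNCATED_BROWSER_UA.search(ev.user_agent):
        reasons.append("truncated_browser_ua")
    if ev.bytes_out >= BYTES_OUT_THRESHOLD or ev.content_type in BINARY_BODY_TYPES:
        reasons.append("bulk_or_binary_body")
    return reasons


def scan(lines) -> list:
    """Score every record and keep those with enough corroborating indicators."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ev = parse_line(line)
        reasons = score_event(ev)
        if len(reasons) >= MIN_REASONS:
            alerts.append(Alert(ev, reasons))
    return alerts


# Constructed sample records for this example, not real traffic.
SAMPLE_LOG = [
    "2024-03-01T10:00:01Z 10.1.2.3 crm.corp.example 443 POST /api/save 200 2048 application/json "
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0 Safari/537.36",
    "2024-03-01T10:00:02Z 10.1.2.6 news.example.org 443 GET / 200 512 text/html "
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0 Safari/537.36",
    "2024-03-01T10:00:03Z 10.1.2.4 updater.xyz 8443 POST /gate.php 200 524288 application/octet-stream "
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "2024-03-01T10:00:04Z 10.1.2.5 185.224.129.10 8080 POST /upload 200 4096 application/x-www-form-urlencoded "
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        e = alert.event
        print(f"{e.ts} {e.src_ip} -> {e.dst_host}:{e.dst_port} {e.uri}  [{', '.join(alert.reasons)}]")
```

On the sample records only the two uploader-style POSTs are reported; the allowlisted JSON POST and the GET produce no reasons. Body size and content type are only visible when the gateway terminates TLS, so on an uninspected HTTPS egress the destination, port and User-Agent checks are the ones that still fire.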
☠️ Risk & Impact
The malware enables exfiltration of sensitive files, credentials and system logs; the IBM X-Force 2023 report puts average losses at $1.2M per incident in healthcare and manufacturing. It also serves as an initial access vector for ransomware deployment: the DFIR Report notes that 35% of the ransomware incidents it analysed in 2023 involved an HTTP uploader component. Affected sectors include finance, education and government.
🛡️ Mitigation
Recommended defenses include egress filtering that allows outbound HTTP POST only to approved destinations (a web-proxy allowlist, not application whitelisting, which controls what executes rather than where traffic goes), enabling AMSI for PowerShell, deploying EDR with behavioral rules for file-upload patterns, and patching the CVEs named above (CVE-2021-26411 and CVE-2022-30190). YARA rules (the page's source cites rule_uploader v1 from Florian Roth) can flag compressed payloads in HTTP bodies, but only where the proxy terminates TLS and exposes the body for inspection; without TLS interception, detection falls back to destination, port and User-Agent anomalies.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.