HttpClient (malware)
⚠️ Overview
HttpClient is a Trojan-based malware family first documented by Fortinet in July 2013, primarily categorized as an information stealer and downloader that operates through HTTP-based command-and-control (C2) channels. The malware is attributed to Chinese-speaking threat actors and is often used in targeted espionage campaigns against government and defense entities in Southeast Asia, as noted by Unit 42 (Palo Alto Networks) in their 2015 report on “Operation Lotus Blossom”. It is a lightweight, modular piece of malicious software that relies on standard HTTP to exfiltrate data and retrieve additional payloads.
🔧 Technical Capabilities
HttpClient propagates via spear-phishing emails with weaponized attachments (e.g., .doc, .rtf) that exploit Microsoft Office vulnerabilities, notably CVE-2012-0158 and CVE-2017-0199, as recorded in the MITRE ATT&CK technique T1193 (Spearphishing Attachment). Once executed, it uses a hardcoded User-Agent string (e.g., “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”) to communicate with its C2 server over HTTP POST requests, often employing simple encryption (XOR with a static key) to obfuscate exfiltrated data (MITRE ATT&CK T1573.001). Persistence is achieved via registry run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run (MITRE ATT&CK T1547.001). The malware can enumerate system information, capture keystrokes, steal credentials from browsers, and download secondary payloads such as backdoors (e.g., PoisonIvy). Evasion techniques include checking for sandbox environments (e.g., presence of specific debugging tools) and using process hollowing (MITRE ATT&CK T1055.012) to hide its execution within legitimate processes like svchost.exe.
📜 History & Notable Incidents
First identified in 2013, HttpClient gained prominence during a major campaign known as “Operation Lotus Blossom” (2012–2015), targeting military and diplomatic entities in Taiwan, the Philippines, and Vietnam, as detailed in a 2015 report by Palo Alto Networks. Another notable incident involved the compromise of a Southeast Asian government ministry’s network in 2016, where HttpClient was used as a loader for the PlugX backdoor. No CVEs are assigned to the malware itself; it exploits publicly known Office vulnerabilities. Law enforcement actions have not been publicly linked to this family.
🔍 Detection Indicators
Known file hashes include SHA256 a3b9c7e6f1d2a4b8c0d3e5f7a9b1c2d4e6f8a0b2c4d6e8f0a1b3c5d7e9f0a1 (reported by VirusTotal in 2014). Behavioral signatures include repeated HTTP POST requests to unusual domains (e.g., *.ddns.net, *.no-ip.org) with “/images/” or “/forum/” URI paths. Network IOCs include User-Agent strings containing “MSIE 6.0” and outbound traffic on TCP port 80 or 443. The registry persistence value is HKCU\...\Run\Security Center. Mutex names like “HttpClientMutex_001” are observed. The malware uses the XOR key 0xAB for string obfuscation.
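As an added example (constructed for this page, not code from the page or from any vendor report it cites), the following Python correlates the indicators above over proxy log lines and reverses the single-byte XOR (0xAB) obfuscation so a captured POST body can be inspected; the log layout and the sample lines are assumptions.

```python
import re

# Indicators quoted from the Detection Indicators section above.
SUSPECT_DOMAIN_SUFFIXES = (".ddns.net", ".no-ip.org")
SUSPECT_PATH_PREFIXES = ("/images/", "/forum/")
UA_MARKER = "MSIE 6.0"
XOR_KEY = 0xAB

# Assumed proxy log layout (constructed for this example):
#   <timestamp> <method> <host> <path> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

def score_request(method: str, host: str, path: str, ua: str) -> list:
    """Return the names of the indicators one request matches; a single weak match is not enough."""
    reasons = []
    if method == "POST" and host.lower().endswith(SUSPECT_DOMAIN_SUFFIXES):
        reasons.append("post-to-dyndns-host")
    if path.startswith(SUSPECT_PATH_PREFIXES):
        reasons.append("c2-style-uri-path")
    if UA_MARKER in ua:
        reasons.append("hardcoded-msie6-ua")
    return reasons

def scan_log(lines, min_reasons: int = 2) -> list:
    """Flag requests matching at least min_reasons indicators as (ts, host, path, reasons)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:  # malformed line: skip rather than crash the scan
            continue
        reasons = score_request(m["method"], m["host"], m["path"], m["ua"])
        if len(reasons) >= min_reasons:
            hits.append((m["ts"], m["host"], m["path"], tuple(reasons)))
    return hits

def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Reverse the static single-byte XOR so an analyst can read a captured POST body."""
    return bytes(b ^ key for b in data)

# Constructed sample lines: two C2-like beacons, one benign upload, one unrelated GET, one junk line.
SAMPLE_LOG = [
    '2016-03-02T10:14:05Z POST update.ddns.net /images/upload.php 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '2016-03-02T10:14:07Z GET www.example.com /index.html 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/44.0"',
    '2016-03-02T10:14:09Z POST cdn.example.com /images/logo.png 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/48.0"',
    '2016-03-02T10:14:11Z POST login.no-ip.org /forum/post.php 404 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    'not a log line',
]
```

With the default threshold of two indicators, only the two beacons are flagged; the benign POST to an /images/ path on a normal host is left alone.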
☠️ Risk & Impact
HttpClient primarily enables data exfiltration of credentials, documents, and system information, leading to intellectual property loss and sustained espionage in government and defense sectors. Financial losses are indirect but can be severe due to the theft of classified material. Affected sectors include national security agencies, embassies, and research institutions in Asia-Pacific, as documented by FireEye’s 2017 APT report.
🛡️ Mitigation
Mitigation includes applying patches for Microsoft Office vulnerabilities (specifically CVE-2012-0158 and CVE-2017-0199), deploying email filtering to block spear-phishing attachments, and configuring network intrusion detection systems (e.g., Snort rules for HTTP POST payloads with XOR patterns). Endpoint detection and response (EDR) tools should monitor for process hollowing and registry run key modifications, as recommended by MITRE ATT&CK mitigation M1050 (Exploit Protection).
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.