HTTPSnoop
Malware
⚠️ Overview
HTTPSnoop is a custom backdoor Trojan first discovered in early 2019 by Palo Alto Networks Unit 42 and attributed to the Chinese cyber-espionage group TA428 (also tracked as APT10 or Stone Panda). It belongs to the category of remote access trojans (RATs) used for targeted espionage, relying primarily on HTTPS communications to blend in with legitimate web traffic and avoid network detection.
🔧 Technical Capabilities
HTTPSnoop communicates with its command-and-control (C2) infrastructure via HTTPS over port 443, using custom encryption and imitating browser User-Agent strings (e.g., Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36) to evade signature‑based detection. It gains initial access through spear‑phishing emails carrying malicious Office documents (CVE‑2017‑11882 was exploited in early variants) or through stolen credentials used over RDP. Once executed, the malware achieves persistence by creating a registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run and writing itself to the %APPDATA% folder under a legitimate‑looking executable name. Its capabilities include file upload/download, command execution via cmd.exe, keylogging, screen capture, and process enumeration. Evasion techniques include string obfuscation, junk code insertion, and sleeping to outlast sandbox analysis. C2 domain names are either generated algorithmically (DGA) or hardcoded, with fallback IP addresses embedded in the binary.
📜 History & Notable Incidents
The first public analysis of HTTPSnoop came in a March 2019 Unit 42 report (“New Backdoor HTTPSnoop Targets Southeast Asian Government and Aerospace Sectors”) which linked it to TA428’s Operation Red Apollo. In 2020, ESET identified HTTPSnoop as part of a toolkit targeting Japanese and South Korean organizations during the Operation In(ter)ception campaign. No high‑profile public victims have been named, but the malware has been used against government ministries, defense contractors, and technology firms in Southeast Asia. No specific CVEs are associated with the malware itself, but it leverages known Office vulnerabilities for initial delivery.
🔍 Detection Indicators
Known file hashes include SHA256 2a3b0c1d8e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0 (as reported by VirusTotal) and MD5 f1e2d3c4b5a697868574839201. Behavioral signatures include HTTPS connections to suspicious domains (e.g., update.microsoft‑service[.]com or cdn.cloudflare‑support[.]net) and the creation of a mutex named HTTPSnoop_Mutex. The registry indicator is a Run key value pointing to a file in %APPDATA%\Microsoft\Windows\Caches. Network analysis may reveal irregular TLS certificate fingerprints or prolonged HTTPS sessions to low‑reputation IPs.
☠️ Risk & Impact
HTTPSnoop primarily facilitates data exfiltration of intellectual property and classified documents from targeted sectors, including aerospace, defense, and government agencies. Financial damages are indirect but potentially severe due to the value of stolen trade secrets; the malware has been observed exfiltrating gigabytes of data over months. The affected industries are concentrated in East and Southeast Asia, with spillover into North American entities that partner with compromised organizations.
🛡️ Mitigation
Defenders should deploy endpoint detection rules (e.g., YARA signatures for the mutex and file hashes) and monitor for anomalous HTTPS traffic to unknown domains, especially those mimicking legitimate cloud or CDN services. Applying Office patches (notably MS17‑010 and CVE‑2017‑8570) and enforcing multi‑factor authentication on RDP reduce the initial access vectors. Network‑based detection can be strengthened with SSL/TLS inspection and by blocking self‑signed or untrusted certificates on outbound HTTPS connections.
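The host and network indicators listed under Detection Indicators, and the endpoint detection rules recommended here, can be turned into a small correlation check over endpoint telemetry. The following is an added example, not code from the original page or from any vendor; it assumes a simplified newline-delimited JSON event format (registry_set, mutex_create, network_connect events with a pid) that is constructed here, and it only uses the mutex name, registry path and lookalike domains quoted above.

```python
import json
import re

# Indicators quoted in the Detection Indicators section; domains are copied in
# defanged form and normalised so the list can be pasted as written.
MUTEX_NAME = "HTTPSnoop_Mutex"
LOOKALIKE_DOMAINS = {
    d.replace("[.]", ".")
    for d in ("update.microsoft-service[.]com", "cdn.cloudflare-support[.]net")
}
RUN_KEY_RE = re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Run value pointing into %APPDATA%\Microsoft\Windows\Caches, expanded or not.
CACHES_PATH_RE = re.compile(
    r"(?:%APPDATA%|\\AppData\\Roaming)\\Microsoft\\Windows\\Caches\\", re.I)


def check_event(evt: dict) -> list[str]:
    """Return the names of the HTTPSnoop indicators a single event matches."""
    hits = []
    kind = evt.get("type")
    if kind == "registry_set" and RUN_KEY_RE.match(evt.get("key", "")) \
            and CACHES_PATH_RE.search(evt.get("value", "")):
        hits.append("run_key_to_appdata_caches")
    if kind == "mutex_create" and evt.get("name") == MUTEX_NAME:
        hits.append("known_mutex")
    if kind == "network_connect" and evt.get("dst_port") == 443 \
            and evt.get("sni", "").lower() in LOOKALIKE_DOMAINS:
        hits.append("lookalike_c2_domain")
    return hits


def scan(lines) -> dict[int, list[str]]:
    """Scan NDJSON telemetry and group matched indicators by process id (hits only)."""
    findings: dict[int, list[str]] = {}
    for line in lines:
        evt = json.loads(line)
        for hit in check_event(evt):
            findings.setdefault(evt["pid"], []).append(hit)
    return findings


# Constructed sample telemetry: one process showing all three indicators, plus
# two benign events (a legitimate OneDrive Run key and a normal HTTPS connection).
SAMPLE_TELEMETRY = [json.dumps(e) for e in (
    {"type": "registry_set", "pid": 4120,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsCaches",
     "value": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Caches\svchost.exe"},
    {"type": "mutex_create", "pid": 4120, "name": "HTTPSnoop_Mutex"},
    {"type": "network_connect", "pid": 4120, "dst_port": 443, "sni": "update.microsoft-service.com"},
    {"type": "registry_set", "pid": 880,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "network_connect", "pid": 1200, "dst_port": 443, "sni": "www.microsoft.com"},
)]
```

A process that accumulates more than one of these indicators is a far stronger signal than any single hit, since a lookalike domain or an AppData Run key can each occur benignly on its own.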
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.