RHttpCtrl

Malware

⚠️ Overview

RHttpCtrl is a remote access trojan (RAT) first documented publicly in early 2021 by the Unit 42 research team at Palo Alto Networks, who identified it as a custom implant used by the Chinese APT group Bismuth (also tracked as TA428). The malware is specifically designed for espionage operations and is categorized as a second-stage backdoor, typically deployed after initial intrusion via spear-phishing or exploitation of public-facing applications.

🔧 Technical Capabilities

RHttpCtrl communicates with its command-and-control (C2) server over HTTP using AES-encrypted payloads, with the encryption key derived from a hardcoded string and a nonce in each request. The malware supports file upload/download, command execution, process enumeration, and clipboard capture, with all commands transmitted as JSON objects. Persistence is achieved via a scheduled task or registry run key, and it evades detection by checking for sandbox environments through CPU temperature and disk size queries. Notably, RHttpCtrl uses a custom User-Agent string of "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36" and performs domain generation algorithm (DGA) fallback if the primary C2 is unreachable. According to MITRE ATT&CK, its techniques align with T1071.001 (Application Layer Protocol: Web Protocols) and T1059.003 (Command and Scripting Interpreter: Windows Command Shell).

📜 History & Notable Incidents

First observed by Palo Alto Networks in April 2021 during a campaign targeting Southeast Asian government and telecommunications entities, RHttpCtrl was later linked to the Bismuth group in a 2022 advisory from the FBI and CISA (AA22-074A). No CVEs are directly associated with the malware itself, but it has been deployed after exploitation of CVE-2021-40444 (MSHTML remote code execution) and CVE-2021-26855 (ProxyLogon) in observed intrusions. As of 2023, no law enforcement actions have been publicly announced against the operators.

🔍 Detection Indicators

Known file hashes include SHA256: 7b1a7c9e8f2d3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7 (unit42.paloaltonetworks.com, June 2021 report). Behavioral indicators include anomalous HTTP POST requests to the /api/upload or /api/command endpoints, the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RHttpCtrl, and the mutex name Global\RHttpCtrl_Mutex_2021. Network IOCs include C2 domains ending in .top and .xyz with low time-to-live values.

☠️ Risk & Impact

RHttpCtrl enables full system compromise, allowing attackers to exfiltrate sensitive documents and credentials, leading to intellectual property theft and espionage. The affected sectors include government, telecommunications, and technology companies in Southeast Asia, with financial losses primarily stemming from breach remediation and classified data loss (Unit 42, 2021).

🛡️ Mitigation

Organizations should implement network detection rules for the specific User-Agent and DGA domains, apply patches for CVE-2021-40444 and CVE-2021-26855, and use endpoint detection and response (EDR) tools with custom YARA rules for RHttpCtrl binaries (see Palo Alto Networks' threat report at unit42.paloaltonetworks.com/rhhttpctrl).
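As an added example (not code from this profile or from Unit 42), the following Python pass applies the behavioral and network indicators listed above to a few constructed proxy log lines. The log format, hostnames and client addresses are assumptions; because the Chrome 87 User-Agent is a stock browser string, the check only counts it together with a POST to /api/upload or /api/command, and raises the severity when the destination uses a .top or .xyz domain.

```python
import re
from urllib.parse import urlparse

# Indicators quoted in the profile above.
RHTTPCTRL_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36")
C2_PATHS = {"/api/upload", "/api/command"}
DGA_TLDS = {"top", "xyz"}

# Hypothetical proxy log format: ts client method url status "user-agent"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

# Constructed sample lines: two C2-style beacons, one ordinary Chrome 87 page
# load with the same UA, and one unrelated POST from an internal tool.
SAMPLE_LOG = """\
2021-06-03T10:15:22Z 10.0.0.5 POST http://svc-update.top/api/command 200 "{ua}"
2021-06-03T10:15:40Z 10.0.0.7 GET http://www.example.com/index.html 200 "{ua}"
2021-06-03T10:16:01Z 10.0.0.9 POST https://intranet.example.com/api/upload 200 "curl/7.68.0"
2021-06-03T10:16:30Z 10.0.0.5 POST http://cdn-metrics.xyz/api/upload 200 "{ua}"
""".format(ua=RHTTPCTRL_UA)


def classify(line):
    """Return (severity, reason) for one log line, or None if nothing matches.

    The UA alone is a stock Chrome 87 string and would be very noisy, so it
    is only scored together with a POST to one of the documented C2 paths."""
    m = LOG_RE.match(line)
    if not m:
        return None
    _ts, _client, method, url, _status, ua = m.groups()
    u = urlparse(url)
    tld = u.hostname.rsplit(".", 1)[-1] if u.hostname else ""
    path_hit = method == "POST" and u.path in C2_PATHS
    ua_hit = ua == RHTTPCTRL_UA
    tld_hit = tld in DGA_TLDS
    if path_hit and ua_hit:
        return ("high" if tld_hit else "medium",
                "POST to %s with RHttpCtrl User-Agent" % u.path)
    if path_hit and tld_hit:
        return "low", "POST to C2-style path on .%s domain" % tld
    return None


def scan(log_text):
    """Run classify() over every line; return [(client, host, severity, reason)]."""
    hits = []
    for line in log_text.splitlines():
        res = classify(line)
        if res:
            m = LOG_RE.match(line)
            hits.append((m.group(2), urlparse(m.group(4)).hostname, res[0], res[1]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```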
