Trojan.Hydraq is a piece of malware that we first saw in early 2010. It was a threat that got a lot of media attention—especially since the targets it chose were very high-profile organizations. It's been a couple of years since we last mentioned it, so we thought we'd provide an update on its activity since then.
Contrary to common belief, Hydraq never went away. Month after month we've observed the attackers using the threat relentlessly against organizations across many different market sectors. The infection vector is no different from most other targeted attacks: a well-tailored email is sent to specific recipients with a link to a website hosting an exploit; exploitation leads to the download and execution of the Trojan; the Trojan gathers system information and exfiltrates it to a remote server; and a remote server is contacted every so often to see if additional commands are available. On average we see a new wave of Hydraq attacks every six to eight weeks.
Hydraq first gathers system and network information, then steals user names and passwords, and collates all of this information into a 'config' file on the compromised computer. This file is then exfiltrated to a pre-configured remote server. Each Hydraq binary is hardcoded with a command-and-control (C&C) server domain name or IP address to use for further instructions. These Trojans are likely being created with a RAT toolkit available to the group behind the attacks.
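The behaviour described above (a hardcoded C&C address contacted "every so often" for further instructions) is what gives defenders a network-side handle on this kind of Trojan, regardless of which binary a given wave uses: a scheduled check-in produces near-constant gaps between requests, whereas human browsing does not. The following is an added example, not code from the original post or from Symantec; it runs a simple beacon-periodicity check over a few constructed proxy log lines. The log format (`<ISO timestamp> <client IP> <destination host>`), the `.invalid` hostnames and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (not taken from the original post).
# One destination is contacted on a ~30-minute cadence (a check-in pattern);
# the other is visited at irregular, human-looking times.
SAMPLE_LOG = """\
2012-03-05T09:00:00 10.0.0.15 update.example-cnc.invalid
2012-03-05T09:00:03 10.0.0.15 www.news-site.invalid
2012-03-05T09:30:00 10.0.0.15 update.example-cnc.invalid
2012-03-05T09:41:12 10.0.0.15 www.news-site.invalid
2012-03-05T10:00:01 10.0.0.15 update.example-cnc.invalid
2012-03-05T10:30:00 10.0.0.15 update.example-cnc.invalid
2012-03-05T10:52:44 10.0.0.15 www.news-site.invalid
2012-03-05T11:00:00 10.0.0.15 update.example-cnc.invalid
2012-03-05T11:03:09 10.0.0.15 www.news-site.invalid
2012-03-05T11:30:01 10.0.0.15 update.example-cnc.invalid
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_log(text):
    """Yield (timestamp, client, host) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, host = m.groups()
        try:
            yield datetime.fromisoformat(ts), client, host
        except ValueError:
            continue


def find_beacons(text, min_contacts=4, max_cv=0.1):
    """Return (client, host) pairs whose request intervals are near-constant.

    The coefficient of variation (stdev / mean of the gaps between successive
    requests) is low for a timer-driven check-in and high for ordinary
    browsing. Pairs with fewer than min_contacts requests are ignored so a
    handful of coincidental hits does not trigger an alert.
    """
    contacts = defaultdict(list)
    for ts, client, host in parse_log(text):
        contacts[(client, host)].append(ts)

    results = {}
    for (client, host), stamps in contacts.items():
        if len(stamps) < min_contacts:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all requests in the same second: nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            results[(client, host)] = {
                "contacts": len(stamps),
                "mean_interval_s": avg,
                "cv": cv,
                # Hydraq binaries may carry a raw IP instead of a domain;
                # periodic traffic straight to an IP deserves a closer look.
                "direct_to_ip": bool(IPV4_RE.match(host)),
            }
    return results


if __name__ == "__main__":
    for (client, host), info in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {info['contacts']} contacts, "
              f"every ~{info['mean_interval_s']:.0f}s (cv={info['cv']:.3f})")
```

On the sample data only the `update.example-cnc.invalid` pair is reported (six contacts, roughly 1800 s apart). The threshold is deliberately strict; a real deployment would tune `max_cv` against its own baseline and add jitter-tolerant variants, since the post notes that a fresh wave of binaries appears every six to eight weeks and the C&C address changes with each.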
Unlike the first instance of Hydraq, the attacks that followed have not exploited any unpatched flaws (zero-day vulnerabilities) in any application. The attackers either haven't been able to secure funding for more zero-day vulnerabilities, or simply haven't been able to find one.
Data collected over the past ten months or so shows the breadth of targets these attackers have pursued. Unlike the initial Hydraq targets, which were primarily US-based entities, organizations in at least 20 different countries have since been targeted by Hydraq. The map below shows these countries:
Most of these countries have seen Hydraq attacks as recently as last week.
The market segments being targeted primarily include government, financial, education, and legal firms. The attacks appear to come from a single entity, since each Trojan binary is usually seen in the wild on its own until activity around it dies down. The attackers start a new wave of attacks with new Trojan files only once activity around the previous binary has ceased.
The attackers have made use of global infrastructure to host their C&C servers. In some cases they registered domains specifically for the attacks, while in others they relied on free domain registration services to obtain domain names. For hosting, they appear to have always relied on hacked servers. A sampling of the domains and IP addresses seen hardcoded within Hydraq binaries shows the following geographical locations:
There is little sophistication in these attacks. The attackers mostly use stolen infrastructure and rely on organizations having unpatched applications installed on their computers. Targeted entities are either those that hold intellectual property of value, or those that can be used as an asset in future malware campaigns. Even an organization that considers itself immune to the intellectual-property bait could be compromised to aid the attackers in additional attack campaigns.