A remote access trojan (RAT) known as Hacker’s Door has resurfaced in active infections after being seen the last time in 2004-2005.
According to experts at Cylance, who spotted the recent Hacker’s Door infections, the malware “was signed with a stolen certificate, known to be used by the Winnti APT group,” meaning the new version is used in nation-state cyber-espionage or economic espionage campaigns.
Furthermore, this is not the old Hacker’s Door RAT. Researchers say the malware has been updated to work on 64-bit architectures and can run on newer Windows versions such as Windows 7 and Windows 8.1.
RAT previously offered as freeware, now sold privately
Currently, the download link is dead and its author is selling the malware in private.
One comment on the site suggests that the gap in Hacker’s Door development (v1.0 released in 2004, v1.1 released in 2005, and v1.2 released in 2015) may have happened because the RAT’s author (a man going by the name of ytt_hac) might have gone to prison during that time.
Recent Hacker’s Door infections tied to Winnti APT
Nonetheless, the fact that recent Hacker’s Door samples were signed by certificates used in the past by Winnti suggests the cyber-espionage group has either bought or gotten its hands on a newer version of this tool.
It is not uncommon for APT groups to use your run-of-the-mill malware, this being a good technique to hide APT operations among the large number of mundane malware detections.
In the past, the Winnti group has targeted companies in the gaming and pharmaceutical sector, and Tibetan activists [1, 2, 3, 4]. Recent Winnti attacks with Hacker’s Door malware have targeted aerospace entities.
Winnti is also famous for developing/deploying several other malware families, such as PlugX, HDRoot, Tengo, the eponymous Winnti malware, and Skeleton Key, just to name a few. Other security firms also track the Winnti group under the name of Blackfly or G0044.
At the technical level, the Hacker’s Door RAT comes with the following features:
• Communicate with a remote C&C server
• Collect system information
• Take screenshots
• Find and steal files
• Download additional malware
• Run processes and commands
• List and kill processes
• Open Telnet and RDP connections
• Extract Windows credentials from the current session
• A rootkit component for persistence
Cylance has published an in-depth report analyzing Hacker’s Door’s new version here.