Hisoka Malware Description
The Hisoka Malware is a backdoor deployed in two separate attack campaigns targeting Kuwaiti transportation and shipping companies. The threat actors used Hisoka alongside several other custom-made malware tools, which they named after characters from the popular manga and anime series 'Hunter x Hunter' - Sakabota, Hisoka, Gon, Killua and Netero.
Hisoka was first detected when it was dropped on a computer belonging to an organization in Kuwait's transportation and shipping sector. The corrupted binary was named 'inetinfo.sys' and carried a Hisoka version 0.8 variant. Through Hisoka, the threat actors rapidly deployed two additional malware tools - Gon and EYE. Gon is a potent backdoor that allows the hackers to upload and download data, run commands, open Remote Desktop Protocol (RDP) connections, take screenshots, scan for open ports, etc. EYE, on the other hand, is a clean-up tool for any RDP connections made by the criminals: it can kill the associated processes and scrub any additional identifying artifacts. Version 0.8 of the Hisoka Malware communicated with its Command-and-Control (C2, C&C) infrastructure through both HTTP and DNS tunneling.
Hisoka Adopts a Modular Approach
In a campaign against another Kuwaiti organization from the same industry sector, infosec researchers detected a new version of Hisoka in use. Version 0.9 was dropped as a file named 'netiso.sys'. Compared to the previous iterations of the malware, this version showed a change in the mindset of the criminals. Instead of lumping all harmful functionality into a single threat, they were now adopting a more modular approach, removing certain functionality from Hisoka and packaging it in a standalone malware tool called Netero. The new tool is embedded within Hisoka as a resource named 'msdtd' and can be launched when needed. By delegating certain tasks to separate tools, the hackers may be attempting to minimize their footprint on the compromised machine and make their tools harder to detect.
Version 0.9 also featured an expanded range of communication channels with the C2 servers, adding an email-based capability. For this method to work, Hisoka uses Exchange Web Services (EWS) together with misappropriated credentials to create emails that are saved in the 'Drafts' folder rather than sent. For inbound commands, the malware scans for drafts with the subject 'Project', while outbound communication is carried out through drafts with the subject 'Present'. The body of an outbound email contains an encrypted message, and a file is attached when the corresponding 'upload_file' command has been received.
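The draft-based channel described above leaves a recognisable trace in the mailbox itself: never-sent drafts titled 'Project' or 'Present' whose body is an opaque encoded blob, sometimes carrying an attachment. The following triage routine is an added example for defenders (not code from the original article or from the malware): it runs over constructed sample Drafts-folder items and flags those that match the pattern. The dictionary field names and the base64/entropy heuristic for "encrypted body" are assumptions standing in for whatever an EWS or mailbox export actually provides.

```python
import base64
import binascii
import math

# Subjects the article attributes to Hisoka 0.9's EWS channel: inbound commands vs. outbound results.
HISOKA_SUBJECTS = {"Project": "inbound-command", "Present": "outbound-result"}


def shannon_entropy(text: str) -> float:
    """Bits per character: prose sits near 4, base64-encoded ciphertext near 5.5-6."""
    if not text:
        return 0.0
    n = len(text)
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encoded(body: str) -> bool:
    """Heuristic (an assumption, not from the article): whole body is one high-entropy base64 token."""
    token = body.strip()
    if len(token) < 16 or any(ch.isspace() for ch in token):
        return False
    try:
        base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return False
    return shannon_entropy(token) > 4.5


def triage_drafts(drafts):
    """Return (subject, reasons) for drafts matching the Hisoka pattern; dict keys are hypothetical."""
    hits = []
    for d in drafts:
        role = HISOKA_SUBJECTS.get(d["subject"].strip())  # exact subject match, as the article states
        if role is None:
            continue
        reasons = [role]
        if looks_encoded(d["body"]):
            reasons.append("encoded-body")
        if role == "outbound-result" and d["attachments"]:  # 'upload_file' results travel as attachments
            reasons.append("attachment:" + ",".join(d["attachments"]))
        hits.append((d["subject"], ";".join(reasons)))
    return hits


# Constructed sample Drafts-folder contents; BLOB is a deterministic stand-in for a ciphertext body.
BLOB = base64.b64encode(bytes(range(48))).decode()
SAMPLE_DRAFTS = [
    {"subject": "Project", "body": BLOB, "attachments": []},
    {"subject": "Present", "body": BLOB, "attachments": ["docs.zip"]},
    {"subject": "Project status", "body": "slides attached", "attachments": ["q3.pptx"]},
    {"subject": "Present", "body": "gift ideas for Sam", "attachments": []},
]
```

A subject match alone is a weak signal (the last sample is a benign draft titled 'Present'), so an analyst would weight the encoded-body and attachment reasons far higher before escalating.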