The HyperBro RAT (Remote Access Trojan) is part of the large arsenal of hacking tools belonging to the hacking group LuckyMouse. LuckyMouse is believed to originate from China and has been given the designation APT27 (APT standing for Advanced Persistent Threat). The group usually targets high-profile individuals and organizations. Recently, a data center located in Central Asia reported a breach of its network by LuckyMouse, which resulted in the siphoning of a great number of sensitive documents connected to government officials. It is likely that, apart from collecting sensitive data, the LuckyMouse group used this opportunity to create a watering hole designed to target government-linked officials.
In the past, the LuckyMouse hackers have spread their malware via macro-laced email attachments, but it is not known which propagation method they have used to spread the HyperBro Trojan.
Experienced cybercriminals often use various techniques to reduce the footprint their tools leave behind, and the Chinese hackers behind the HyperBro RAT have opted for a 'fileless' approach with this particular threat. This means that HyperBro leaves a minimal number of files on the compromised host; instead, its modules are loaded into the computer's memory and then wiped from the disk. Naturally, the attackers prefer to avoid spawning new processes, which is why the HyperBro Trojan may be loaded into legitimate processes such as 'svchost.exe'.
This also makes the HyperBro malware much harder for anti-malware tools to spot.
One would expect the Command and Control servers of the HyperBro Trojan to be located where the attackers are suspected to reside, in China. However, the authors of the HyperBro RAT have decided to host their Command and Control servers in Ukraine. It is likely that they have compromised a user's router in order to use it for their own ends. This is probably done to provide the attackers with extra anonymity.
The HyperBro Trojan is somewhat limited in its capabilities, and experts think the reason for this may be the attackers' attempt to keep their threat low-profile by residing only in the memory and not on the hard disk of the device. It is speculated that the HyperBro malware can execute commands sent by the operators and possibly browse and modify file directories. The damage caused by the HyperBro RAT has not yet been confirmed, but more information about the attacks is yet to be released.