
HyperStack Backdoor

The HyperStack Backdoor is a threat whose attacks were first observed in 2018. The development and usage of the HyperStack Backdoor are attributed to the Turla APT, a hacking organization believed to be operating from Russia. Turla's name is associated with a large number of attacks against high-profile targets, and the HyperStack Backdoor is just one of the many hacking tools in their kit. The group reuses old malware regularly, and it also makes sure to introduce regular updates to its old payloads. For example, the HyperStack Backdoor has undergone several updates and feature reworks since it was first observed in 2018.

The HyperStack Backdoor is controlled by abusing the Windows Remote Procedure Call (RPC) service. In addition, an active HyperStack implant can try to connect to the IPC$ shares of other devices on the same network, which lets it spread laterally. The malware keeps detailed logs of any errors and of the results of command execution. Cybersecurity researchers also discovered a clean-up module that lets the HyperStack Backdoor look for log files with the prefix '-X'; they believe this feature is meant to remove the traces of an unknown malware implant. One of the most notable campaigns to use the HyperStack Backdoor targeted a Swiss cyber-defense organization.
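The IPC$ fan-out described above is something a defender can hunt for in share-access auditing. The following is an added example, not code from the original page or from any analysis of the implant: it scans constructed records modelled on Windows Security Event ID 5140 ("A network share object was accessed") and flags any source that reached IPC$ on several distinct hosts within a short window. The record field names and thresholds are assumptions.

```python
"""Flag sources that touch IPC$ on many peers in a short window (lateral-movement hunt)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Security Event ID 5140; the field
# names (time, src_ip, dst_host, share) are illustrative, not the real schema.
SAMPLE_EVENTS = [
    {"time": "2023-01-10T09:00:05", "src_ip": "10.0.0.15", "dst_host": "WS-01", "share": r"\\*\IPC$"},
    {"time": "2023-01-10T09:00:09", "src_ip": "10.0.0.15", "dst_host": "WS-02", "share": r"\\*\IPC$"},
    {"time": "2023-01-10T09:00:14", "src_ip": "10.0.0.15", "dst_host": "WS-03", "share": r"\\*\IPC$"},
    {"time": "2023-01-10T09:01:40", "src_ip": "10.0.0.15", "dst_host": "FS-01", "share": r"\\*\IPC$"},
    {"time": "2023-01-10T09:02:00", "src_ip": "10.0.0.22", "dst_host": "FS-01", "share": r"\\*\IPC$"},
    {"time": "2023-01-10T09:02:30", "src_ip": "10.0.0.22", "dst_host": "FS-01", "share": r"\\*\Finance"},
    {"time": "2023-01-10T09:00:00", "src_ip": "10.0.0.30", "dst_host": "WS-01", "share": r"\\*\IPC$"},
    {"time": "2023-01-10T09:30:00", "src_ip": "10.0.0.30", "dst_host": "WS-02", "share": r"\\*\IPC$"},
    {"time": "2023-01-10T09:31:00", "src_ip": "10.0.0.30", "dst_host": "WS-03", "share": r"\\*\IPC$"},
]


def ipc_fanout_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """Return {src_ip: sorted distinct hosts} for every source that accessed
    IPC$ on at least `threshold` distinct hosts inside some `window`-long span.
    A single source opening IPC$ on one file server is normal; the same source
    sweeping IPC$ across many workstations in minutes is the pattern to review."""
    by_src = defaultdict(list)
    for e in events:
        if e["share"].upper().endswith("IPC$"):
            by_src[e["src_ip"]].append((datetime.fromisoformat(e["time"]), e["dst_host"]))
    alerts = {}
    for src, hits in by_src.items():
        hits.sort()  # chronological order so each window starts at a real event
        for i, (t0, _) in enumerate(hits):
            hosts = {host for t, host in hits[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                alerts[src] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for src, hosts in ipc_fanout_alerts(SAMPLE_EVENTS).items():
        print(f"{src} reached IPC$ on {len(hosts)} hosts: {', '.join(hosts)}")
```

Tune `threshold` and `window` to the environment; administrative hosts that legitimately enumerate many machines should be baselined and excluded before alerting.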

While the HyperStack Backdoor does not shine with any especially advanced features, it is more than enough to meet the needs of Turla's members. Needless to say, the abuse of the RPC protocol and IPC$ shares is certainly notable and once again demonstrates Turla's experience and expertise.
