{
  "description": "Enterprise techniques used by HTTPBrowser, ATT&CK software S0070 (v1.1)",
  "name": "HTTPBrowser (S0070)",
  "domain": "enterprise-attack",
  "versions": {
    "layer": "4.5",
    "attack": "17",
    "navigator": "5.1.0"
  },
  "techniques": [
    {
      "techniqueID": "T1071",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1071.001",
      "comment": "[HTTPBrowser](https://attack.mitre.org/software/S0070) has used HTTP and HTTPS for command and control.(Citation: Dell TG-3390)(Citation: ThreatStream Evasion Analysis)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1071.004",
      "comment": "[HTTPBrowser](https://attack.mitre.org/software/S0070) has used DNS for command and control.(Citation: Dell TG-3390)(Citation: ThreatStream Evasion Analysis)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1547",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1547.001",
      "comment": "[HTTPBrowser](https://attack.mitre.org/software/S0070) has established persistence by setting the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run key value for wdm to the path of the executable. \nIt has also used the Registry entry HKEY_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Run vpdn \u201c%ALLUSERPROFILE%\\%APPDATA%\\vpdn\\VPDN_LU.exe\u201d to establish persistence.(Citation: ZScaler Hacking Team)(Citation: ThreatStream Evasion Analysis)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1059",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1059.003",
      "comment": "[HTTPBrowser](https://attack.mitre.org/software/S0070) is capable of spawning a reverse shell on a victim.(Citation: Dell TG-3390)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1083",
      "comment": "[HTTPBrowser](https://attack.mitre.org/software/S0070) is capable of listing files, folders, and drives on a victim.(Citation: Dell TG-3390)(Citation: ZScaler Hacking Team)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1574",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1574.001",
      "comment": "[HTTPBrowser](https://attack.mitre.org/software/S0070) abuses the Windows DLL load order by using a legitimate Symantec anti-virus binary, VPDN_LU.exe, to load a malicious DLL that mimics a legitimate Symantec DLL, navlu.dll.(Citation: ZScaler Hacking Team) [HTTPBrowser](https://attack.mitre.org/software/S0070) has also used DLL side-loading.(Citation: Dell TG-3390)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1070",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1070.004",
      "comment": "[HTTPBrowser](https://attack.mitre.org/software/S0070) deletes its original installer file once installation is complete.(Citation: ZScaler Hacking Team)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1105",
      "comment": "[HTTPBrowser](https://attack.mitre.org/software/S0070) is capable of writing a file to the compromised system from the C2 server.(Citation: Dell TG-3390)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1056",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1056.001",
      "comment": "[HTTPBrowser](https://attack.mitre.org/software/S0070) is capable of capturing keystrokes on victims.(Citation: Dell TG-3390)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1036",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1036.005",
      "comment": "[HTTPBrowser](https://attack.mitre.org/software/S0070)'s installer contains a malicious file named navlu.dll to decrypt and run the RAT. navlu.dll is also the name of a legitimate Symantec DLL.(Citation: ZScaler Hacking Team)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1027",
      "comment": "[HTTPBrowser](https://attack.mitre.org/software/S0070)'s code may be obfuscated through structured exception handling and return-oriented programming.(Citation: Dell TG-3390)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    }
  ],
  "gradient": {
    "colors": ["#ffffff", "#66b1ff"],
    "minValue": 0,
    "maxValue": 1
  },
  "legendItems": [
    {"label": "used by HTTPBrowser", "color": "#66b1ff"}
  ]
}