HIUPAN | |
Type of Malware | Worm |
Country of Origin | China |
Targeted Countries | United States |
Date of Initial Activity | 2023 |
Associated Groups | Mustang Panda |
Motivation | Cyberwarfare |
Attack Vectors | Phishing |
Targeted Systems | Windows |
Overview
HIUPAN is a worm used by the Mustang Panda threat group to carry its payloads into target networks. First documented as part of a broader intrusion campaign, it stands out for its propagation method rather than for any exploit: it spreads through removable drives, which makes it most dangerous in environments where USB drives and other portable storage are routinely passed between machines. Because propagation needs no internet connectivity, the worm can reach hosts that are isolated or sit behind restrictive network controls.
A second defining characteristic is an external configuration file, which lets the operators tune the worm for a specific target without rebuilding it. Once executed, HIUPAN installs itself on the host and begins propagating: it copies itself to every removable drive it detects and hides the copies so that the drive still looks ordinary while tempting the next user to open the planted files. The infection chain therefore depends on a person opening the lure on the drive, which is what makes it both stealthy and effective.
Targets
Information
How they operate
Once HIUPAN lands on a host, it installs itself by copying its files to C:\ProgramData\Intel_. ProgramData is hidden by default in Explorer and rarely inspected, so the directory attracts little attention. The worm then adds a value under the Windows Run key so that its host executable is launched at every logon. This survives reboots, and it also survives cleaning a single removable drive: unless the host copy and the Run value are removed together, the worm restarts and seeds the next drive that is plugged in.
The most important technical component is the external configuration file. It holds a decimal value and a list of filenames. The list names the files HIUPAN carries along when it propagates; the decimal value controls the worm's "watcher" routine, which periodically checks for newly connected removable drives. When a drive is detected, HIUPAN copies itself and the listed files onto it and hides them in a way that invites the next user to open them. This is highly effective wherever removable media is routinely shared.
The on-drive footprint is designed to go unnoticed. The files sit in a hidden directory on the drive and carry names that look like legitimate components: the host executable is named "UsbConfig.exe" and the worm component loaded by that host is named "u2aec.dll", a pairing that resembles a vendor USB utility rather than malware. On the host, the worm also changes Explorer's registry settings so that hidden files and file extensions are not displayed, which keeps both the hidden directory and the true file types out of sight of users and administrators browsing the drive.
The watcher routine runs continuously, so every drive inserted into an infected host is seeded, and every host on which a seeded drive is opened becomes a new source of infected media. The worm therefore persists in an environment for as long as drives keep circulating, with no command-and-control channel needed for the spread itself. Combined with the configuration file, which lets the operators adjust filenames and timing per target, this makes HIUPAN a reliable delivery mechanism for the group's follow-on payloads.
In short, HIUPAN is a removable-media worm with simple but effective tradecraft: a hidden directory and look-alike filenames on the drive, a Run-key value and an inconspicuous ProgramData directory on the host, and a configuration file that adapts both to the target. Defenders should monitor and, where possible, restrict removable-media use, alert on the host artifacts above, and keep Explorer configured to display hidden files and file extensions so that the lure is visible for what it is.
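The host and drive artifacts described above, as an added triage script (it is not from the original page, and it is neither vendor tooling nor code from the threat actor): it checks for the staging directory, a Run-key value pointing at it, the Explorer hide settings, and hidden directories on removable drives that carry the UsbConfig.exe/u2aec.dll pair. The three Explorer values (Hidden, HideFileExt, ShowSuperHidden) are standard Windows settings and are assumed to be the ones the text refers to; the page does not give the Run value's name, so the script matches on the path rather than the name.

```powershell
# Added triage script (assumptions: Explorer values Hidden/HideFileExt/ShowSuperHidden
# are the settings the text describes; Run value name unknown, so match on path).
function Find-HiupanArtifacts {
    $Findings = New-Object System.Collections.Generic.List[string]

    # 1. Staging directory named in the text.
    $StageDir = 'C:\ProgramData\Intel_'
    if (Test-Path -LiteralPath $StageDir) {
        $Findings.Add("Staging directory present: $StageDir")
        Get-ChildItem -LiteralPath $StageDir -Force -File -ErrorAction SilentlyContinue |
            ForEach-Object { $Findings.Add("  file: $($_.Name) ($($_.Length) bytes)") }
    }

    # 2. Run-key persistence pointing into that directory or at the host executable.
    $RunKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($Key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $Key)) { continue }
        $Props = Get-ItemProperty -LiteralPath $Key
        foreach ($p in $Props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # provider metadata, not a Run value
            $cmd = "$($p.Value)"
            if ($cmd -match '\\ProgramData\\Intel_' -or $cmd -match 'UsbConfig\.exe') {
                $Findings.Add("Run value '$($p.Name)' in $Key -> $cmd")
            }
        }
    }

    # 3. Explorer settings the text says the worm flips to keep its files out of sight.
    #    Hidden=2: hidden files not shown; HideFileExt=1: extensions hidden;
    #    ShowSuperHidden=0: protected operating-system files hidden.
    $Adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    if (Test-Path -LiteralPath $Adv) {
        $v = Get-ItemProperty -LiteralPath $Adv
        if ($v.Hidden -eq 2)          { $Findings.Add('Explorer: hidden files not displayed (Hidden=2)') }
        if ($v.HideFileExt -eq 1)     { $Findings.Add('Explorer: file extensions hidden (HideFileExt=1)') }
        if ($v.ShowSuperHidden -eq 0) { $Findings.Add('Explorer: protected OS files hidden (ShowSuperHidden=0)') }
    }

    # 4. Removable drives (DriveType 2) with a hidden directory holding the lure pair.
    $LureNames = @('UsbConfig.exe', 'u2aec.dll')
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $root = $_.DeviceID + '\'
            Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
                Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } |
                ForEach-Object {
                    $dir  = $_.FullName
                    $hits = $LureNames | Where-Object { Test-Path -LiteralPath (Join-Path $dir $_) }
                    if ($hits) {
                        $Findings.Add("Hidden directory $dir on removable drive contains: $($hits -join ', ')")
                    }
                }
        }

    return $Findings
}

$result = Find-HiupanArtifacts
if ($result.Count -eq 0) { 'No HIUPAN-style artifacts found.' } else { $result }
```

Run it from an elevated prompt so the HKLM Run key and every attached drive are readable, and do not open anything on a drive that is flagged. Treat the Explorer findings as corroboration only: Hidden=2, HideFileExt=1 and ShowSuperHidden=0 are also the out-of-box Windows defaults, so on their own they prove nothing, whereas the staging directory, a Run value pointing at it, or a hidden directory on a USB drive containing the UsbConfig.exe/u2aec.dll pair each warrant isolating the host and the drive.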
MITRE Tactics and Techniques
The mappings below cover only the behaviour described on this page.
Initial Access
T1091: Replication Through Removable Media (The only delivery path described above: the worm reaches a new host on a USB drive it has seeded, with no network access required.)
T1566: Phishing (Listed as an attack vector in the summary table above; the propagation described in the body involves no phishing stage.)
Execution
T1204.002: User Execution: Malicious File (The worm runs on a new host only when a user opens the planted files on a seeded drive.)
Persistence
T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (A Run-key value launches the copy in C:\ProgramData\Intel_ at every logon.)
Defense Evasion
T1564.001: Hide Artifacts: Hidden Files and Directories (The worm's files are placed in a hidden directory on the drive, and the host copy lives in the hidden-by-default ProgramData tree.)
T1112: Modify Registry (Explorer settings are changed so that hidden files and file extensions are not displayed.)
T1036.005: Masquerading: Match Legitimate Name or Location (The UsbConfig.exe/u2aec.dll pair and the Intel_ directory name imitate legitimate vendor components.)
Discovery
T1120: Peripheral Device Discovery (The watcher routine polls for newly attached removable drives.)
T1083: File and Directory Discovery (The worm enumerates the drives and directories it will copy its files into.)
Lateral Movement
T1091: Replication Through Removable Media (Each seeded drive carries the worm to the next host that opens it; the technique belongs to both the Initial Access and Lateral Movement tactics.)