Tool: HiKit
Names: HiKit
Description: (Novetta) Hikit consists of at least two generations of malware that provides basic RAT functionality. The first generation of Hikit (referred to as “Gen 1”) operates as a server and requires an externally exposed network interface in order for an attacker to access the victim machine. The second generation of Hikit (referred to as “Gen 2”) uses the more traditional client model and beacons out to an attacker’s C2 server. While the communication models shifted dramatically between Gen 1 and Gen 2, both generations of Hikit retain the same basic RAT function consisting of remote command shell, file management, network proxy and port forwarding.
Category: Malware
Type: Backdoor, Tunneling
Information: https://www.novetta.com/wp-content/uploads/2014/11/HiKit.pdf
Information: https://www.recordedfuture.com/hidden-lynx-analysis/
Mitre-attack: https://attack.mitre.org/software/S0009/
Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.hikit
Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:hikit
Last-card-change: 2020-05-13
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
Tactic | Technique | Use |
---|---|---|
Execution (TA0002) | T1059.003 Command and Scripting Interpreter: Windows Command Shell | Hikit has the ability to create a remote shell and run given commands. |
Persistence (TA0003) | T1574.001 Hijack Execution Flow: DLL Search Order Hijacking | Hikit has used DLL search order hijacking to load oci.dll as a persistence mechanism. |
Privilege Escalation (TA0004) | T1574.001 Hijack Execution Flow: DLL Search Order Hijacking | Hikit has used DLL search order hijacking to load oci.dll as a persistence mechanism. |
Defense Evasion (TA0005) | T1574.001 Hijack Execution Flow: DLL Search Order Hijacking | Hikit has used DLL search order hijacking to load oci.dll as a persistence mechanism. |
Defense Evasion (TA0005) | T1553.004 Subvert Trust Controls: Install Root Certificate | Hikit uses `certmgr.exe -add globalsign.cer -c -s -r localmachine root` and `certmgr.exe -add globalsign.cer -c -s -r localmachinetrustedpublisher` to install a self-generated certificate into the local trust store as a root CA and as a trusted publisher. |
Defense Evasion (TA0005) | T1553.006 Subvert Trust Controls: Code Signing Policy Modification | Hikit has attempted to disable driver signing verification by tampering with several registry keys prior to loading a rootkit driver component. |