Threat Group Cards: A Threat Actor Encyclopedia

Tool: HDoor

Names: HDoor
Category: Malware
Type: Reconnaissance, Backdoor, Info stealer, Wiper, Tunneling
Description: (Kaspersky) The Naikon APT frequently used a custom backdoor that appears to be an HDoor variant, based on old “Honker Union” code like “hscan v120”. For example, once on a victim network, one of the first steps is to run the hdoor -hbs scan to identify target local network hosts.

The Naikon APT’s custom-built HDoor tool is a robust reconnaissance tool for lateral movement, supporting the identification of, interfacing with and attacking of multiple technologies and resources:
• host, user, group, and related authentication resources and cracking/brute forcing capabilities
• network asset scanning and identification, including SQL database, embedded network devices like home or SMB routers, and other common network services
• fake service listener to sniff traffic
• disk wiping – safe delete with multiple overwrites
• process management
• local filetime modifier
• SQL administration toolset
• SOCKS5 proxy service
• banner-based scanner
• AV killer
Information: <https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf>
<https://securelist.com/cycldek-bridging-the-air-gap/97157/>
MITRE ATT&CK: <https://attack.mitre.org/software/S0061/>

Last change to this tool card: 03 June 2020


All groups using tool HDoor

APT groups

| Changed | Name | Country | Observed |
|  | Goblin Panda, Cycldek, Conimes | China | 2013-Jun 2020 |
|  | Naikon, Lotus Panda | China | 2012-2017 |

2 groups listed (2 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
