Threat Group 3390 is using a custom HttpBrowser RAT hosted on update.hancominc.com to maintain persistence and exfiltrate data. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate APT activity leveraging compromised domains for C2 operations.
YARA Rule
rule HttpBrowser_RAT_Sample1
{
    meta:
        description = "Threat Group 3390 APT Sample - HttpBrowser RAT Sample update.hancominc.com"
        author = "Florian Roth"
        reference = "http://snip.ly/giNB"
        date = "2015-08-06"
        score = 80
        hash1 = "be334d1f8fa65a723af65200a166c2bbdb06690c8b30fafe772600e4662fc68b"
        hash2 = "1052ad7f4d49542e4da07fa8ea59c15c40bc09a4d726fad023daafdf05866ebb"
    strings:
        $s0 = "update.hancominc.com" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 100KB and $s0
}
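To show what the three parts of the condition actually test, here is an added Python re-implementation of the rule (it is not part of the original page and does not use the YARA engine). The sample buffers are constructed in the code; the "fullword" check follows YARA's documented semantics, which require the match to be bounded by non-alphanumeric characters, applied here to UTF-16LE code units because the string is declared "wide".

```python
import hashlib

# Indicator and thresholds taken directly from the YARA rule above.
INDICATOR = "update.hancominc.com"
INDICATOR_WIDE = INDICATOR.encode("utf-16-le")   # what "wide" means: UTF-16LE bytes
MAX_SIZE = 100 * 1024                             # YARA's "100KB" is 100 * 1024 bytes
MZ_MAGIC = b"MZ"                                  # uint16(0) == 0x5a4d, read little-endian


def _is_alnum_wide(data: bytes, off: int) -> bool:
    """True if the UTF-16LE code unit at byte offset off is an ASCII letter or digit."""
    if off < 0 or off + 1 >= len(data):
        return False
    return data[off + 1] == 0 and data[off:off + 1].isalnum()


def find_wide_fullword(data: bytes, needle: bytes) -> list:
    """Offsets of needle that are delimited by non-alphanumeric code units (YARA 'fullword wide')."""
    hits = []
    start = 0
    while True:
        pos = data.find(needle, start)
        if pos == -1:
            return hits
        end = pos + len(needle)
        before_ok = not _is_alnum_wide(data, pos - 2)   # code unit just before the match
        after_ok = not _is_alnum_wide(data, end)        # code unit just after the match
        if before_ok and after_ok:
            hits.append(pos)
        start = pos + 1


def matches_rule(data: bytes) -> dict:
    """Evaluate the rule's condition and return each sub-result plus the file's SHA-256."""
    has_mz = data[:2] == MZ_MAGIC
    within_size = len(data) < MAX_SIZE
    hits = find_wide_fullword(data, INDICATOR_WIDE)
    return {
        "match": has_mz and within_size and bool(hits),
        "mz": has_mz,
        "size_ok": within_size,
        "offsets": hits,
        "sha256": hashlib.sha256(data).hexdigest(),   # compare against hash1/hash2 or an allowlist
    }


# Constructed samples (not real malware): a minimal MZ-headed blob carrying the wide string,
# the same string inside a longer word, the string in a non-PE text file, and an oversize file.
SAMPLE_HIT = b"MZ" + b"\x00" * 62 + INDICATOR_WIDE + b"\x00\x00" + b"\x90" * 16
SAMPLE_PARTIAL = b"MZ" + b"\x00" * 62 + "xupdate.hancominc.com".encode("utf-16-le") + b"\x00\x00"
SAMPLE_TEXT = INDICATOR_WIDE
SAMPLE_OVERSIZE = b"MZ" + b"\x00" * 62 + INDICATOR_WIDE + b"\x00" * MAX_SIZE


if __name__ == "__main__":
    for name, buf in [("hit", SAMPLE_HIT), ("partial", SAMPLE_PARTIAL),
                      ("text", SAMPLE_TEXT), ("oversize", SAMPLE_OVERSIZE)]:
        print(name, matches_rule(buf))
```

Only SAMPLE_HIT satisfies all three tests; the other three each fail exactly one, which is useful to keep in mind when a hit on the string alone shows up in a non-PE artifact such as a log or a document.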
This rule uses a single string pattern in its detection logic: the domain update.hancominc.com, searched as a UTF-16LE (wide) full word inside MZ executables smaller than 100KB. Because it inspects file content rather than network traffic, the scenarios below describe benign files or processes that could carry the same string, and how to filter each one out.
Scenario: Legitimate Software Update from Hancom Inc.
Description: A system may download a file from update.hancominc.com as part of a legitimate software update for Hancom products (e.g., Hancom Office).
Filter/Exclusion: Check the file name and hash against known Hancom update packages. Exclude files with hashes matching official Hancom update signatures.
Scenario: Scheduled System Maintenance Job
Description: An automated job (e.g., schtasks.exe or Task Scheduler) may access update.hancominc.com to perform system maintenance or configuration updates.
Filter/Exclusion: Filter by process name (schtasks.exe or Task Scheduler), or check the job name against known maintenance tasks.
Scenario: Admin Performing Remote Configuration via Web Console
Description: An administrator may use a web-based console (e.g., Microsoft Endpoint Manager, Intune, or Microsoft 365 Admin Center) that connects to update.hancominc.com for configuration purposes.
Filter/Exclusion: Filter by user account (e.g., a designated administrator account), or check the URL for known admin console endpoints.
Scenario: False Positive from Malware Analysis Lab
Description: A sandbox or malware analysis tool (e.g., Cuckoo Sandbox, FireEye, or Malwarebytes) may connect to update.hancominc.com as part of its testing environment.
Filter/Exclusion: Filter by process name (e.g., cuckoo, malwarebytes, fireeye) or check the source IP against known lab IP ranges.
Scenario: Legitimate Email Client Accessing Web Service
Description: An email client (e.g., Microsoft Outlook, Thunderbird)
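As an added example (not from the original page), the following Python triage function applies the exclusion checks from the scenarios above to alert records. The allowlists, task name, account, lab network range and alert records are all constructed placeholders; the process, user and source-IP fields are assumed to come from the endpoint event that produced the YARA hit, since the rule itself only inspects file content.

```python
import ipaddress

# Constructed reference data; in practice these come from the organisation's own asset records.
KNOWN_GOOD_HASHES = {"a" * 64}                      # placeholder for a verified Hancom update package hash
MAINTENANCE_PROCESSES = {"schtasks.exe"}
KNOWN_TASKS = {"Hancom-Update-Check"}                # constructed task name
ADMIN_ACCOUNTS = {"admin@example.com"}               # constructed designated admin account
LAB_PROCESSES = {"cuckoo", "malwarebytes", "fireeye"}
LAB_NETWORKS = [ipaddress.ip_network("10.99.0.0/16")]  # constructed analysis-lab range


def _in_lab_network(ip: str) -> bool:
    """True if ip parses and falls inside one of the lab ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LAB_NETWORKS)


def triage(alert: dict) -> tuple:
    """Return (decision, reason) for one alert; decision is 'suppress' or 'escalate'."""
    # Scenario 1: a known-good hash settles the question, because the file itself is verified.
    if alert.get("sha256", "").lower() in KNOWN_GOOD_HASHES:
        return "suppress", "sha256 matches a verified Hancom update package"
    process = alert.get("process", "").lower()
    # Scenario 2: the scenario allows either check; requiring both is the conservative choice here.
    if process in MAINTENANCE_PROCESSES and alert.get("task") in KNOWN_TASKS:
        return "suppress", "known scheduled maintenance task"
    # Scenario 3: a designated admin account working through a management console.
    if alert.get("user", "").lower() in ADMIN_ACCOUNTS:
        return "suppress", "designated admin account"
    # Scenario 4: analysis lab, identified by tool name or by source network.
    if any(tool in process for tool in LAB_PROCESSES) or _in_lab_network(alert.get("src_ip", "")):
        return "suppress", "malware analysis lab"
    return "escalate", "no exclusion applied; possible HttpBrowser RAT activity"


# Constructed alert records in the shape an EDR-to-SIEM pipeline might emit.
SAMPLE_ALERTS = [
    {"sha256": "a" * 64, "process": "hancom_update.exe", "user": "jdoe@example.com", "src_ip": "10.1.2.3"},
    {"sha256": "b" * 64, "process": "schtasks.exe", "task": "Hancom-Update-Check",
     "user": "svc@example.com", "src_ip": "10.1.2.4"},
    {"sha256": "c" * 64, "process": "cuckoo", "user": "analyst@example.com", "src_ip": "10.99.4.7"},
    {"sha256": "d" * 64, "process": "svchost.exe", "user": "jdoe@example.com", "src_ip": "10.1.2.5"},
]


def triage_all(alerts=SAMPLE_ALERTS) -> list:
    """Decisions for a batch of alerts, in input order."""
    return [triage(a)[0] for a in alerts]


if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(a["process"], "->", triage(a))
```

The hash check runs first because it is the only exclusion that identifies the file itself; the process, account and IP checks describe context and can be satisfied by an attacker who runs under an allowed account or host, so they are worth keeping narrow.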