The detection identifies potential HttpBrowser RAT activity associated with Threat Group 3390, indicating possible remote code execution and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threat activity early in the attack lifecycle.
YARA Rule

rule HttpBrowser_RAT_Sample2
{
    meta:
        description = "Threat Group 3390 APT Sample - HttpBrowser RAT Sample"
        author = "Florian Roth"
        reference = "http://snip.ly/giNB"
        date = "2015-08-06"
        score = 80
        hash1 = "c57c5a2c322af2835ae136b75283eaaeeaa6aa911340470182a9983ae47b8992"
    strings:
        $s0 = "nKERNEL32.DLL" fullword wide
        $s1 = "WUSER32.DLL" fullword wide
        $s2 = "mscoree.dll" fullword wide
        $s3 = "VPDN_LU.exeUT" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 250KB and all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic: three UTF-16LE ("wide") DLL name strings and one ASCII string, all matched as full words, combined with an MZ header check and a 250KB size limit.
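As an added example (not the page's or the rule author's code, and not yara-python), the following pure-Python model evaluates the rule's condition against a constructed buffer so the difference between `fullword wide` and `fullword ascii` matching can be checked; the word-boundary rule it implements is assumed to mirror libyara's.

```python
RULE_STRINGS = {  # the four strings and modifiers from HttpBrowser_RAT_Sample2
    "$s0": ("nKERNEL32.DLL", "wide"),
    "$s1": ("WUSER32.DLL", "wide"),
    "$s2": ("mscoree.dll", "wide"),
    "$s3": ("VPDN_LU.exeUT", "ascii"),
}
MAX_FILESIZE = 250 * 1024  # "filesize < 250KB"

def encode_string(text, modifier):
    # YARA "wide" means UTF-16LE; "ascii" is the literal bytes.
    return text.encode("utf-16-le") if modifier == "wide" else text.encode("ascii")

def _alnum(byte):
    return bytes([byte]).isalnum()  # ASCII-only, like C isalnum in libyara

def fullword_match(data, text, modifier):
    """True if the encoded string occurs bounded by non-alphanumeric characters.
    For wide strings a neighbour is a UTF-16LE unit: alnum byte followed by 0x00."""
    needle = encode_string(text, modifier)
    pos = data.find(needle)
    while pos != -1:
        end = pos + len(needle)
        if modifier == "wide":
            before = pos >= 2 and data[pos - 1] == 0 and _alnum(data[pos - 2])
            after = end + 1 < len(data) and data[end + 1] == 0 and _alnum(data[end])
        else:
            before = pos >= 1 and _alnum(data[pos - 1])
            after = end < len(data) and _alnum(data[end])
        if not before and not after:
            return True
        pos = data.find(needle, pos + 1)
    return False

def rule_matches(data):
    """Condition: uint16(0) == 0x5a4d and filesize < 250KB and all of them."""
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x5A4D:
        return False
    if len(data) >= MAX_FILESIZE:
        return False
    return all(fullword_match(data, t, m) for t, m in RULE_STRINGS.values())

def build_sample(wide_strings=True):
    """Constructed buffer (not a real sample): MZ header, padding, then the rule's
    strings null-separated; wide_strings=False writes the DLL names as plain ASCII."""
    parts = [b"MZ", b"\x00" * 62]
    for text, modifier in RULE_STRINGS.values():
        parts.append(encode_string(text, modifier if wide_strings else "ascii"))
        parts.append(b"\x00\x00")
    return b"".join(parts)
```

Running `rule_matches(build_sample())` returns True, while the same strings written as plain ASCII, a non-MZ header, or a buffer at or over 250KB each return False.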
Scenario: Legitimate Scheduled Job Execution
Description: A scheduled job runs a script that uses curl or wget to download a file from an internal server, which matches the IoC pattern of the HttpBrowser RAT.
Filter/Exclusion: Exclude all events where the source IP is within the internal network range (e.g., src_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)) and the command line includes known legitimate tools like curl or wget with internal URLs.
Scenario: Admin Task - Software Update via HTTP
Description: A system administrator uses PowerShell to download a software update from an internal HTTP server, which is flagged due to the presence of a suspicious URL pattern.
Filter/Exclusion: Exclude events where the command line contains powershell and the URL includes known internal update servers (e.g., https://update.corp.example.com).
Scenario: Legitimate Web Proxy Usage
Description: An employee uses a corporate proxy to access external websites, and the proxy logs include URLs that match the IoC pattern of the HttpBrowser RAT.
Filter/Exclusion: Exclude all events where the URL contains a known proxy domain (e.g., proxy.corp.example.com) or the user agent indicates a legitimate browser.
Scenario: Internal Red Team Exercise
Description: During a red team simulation, a test payload is deployed using a tool like Invoke-WebRequest (PowerShell) to mimic an APT sample, triggering the detection rule.
Filter/Exclusion: Exclude events where the process name is powershell.exe and the command line includes Invoke-WebRequest with a known