A threat actor with “significant” links to a Chinese advanced hacking group was spotted attacking a western aerospace company, according to the cybersecurity firm Cylance.
A remote access trojan (RAT) known as “Hacker’s Door” was discovered during a recent Cylance-led incident response when an unidentified western aerospace company was breached. Hacker’s Door dates back to 2004, but has rarely been found in the wild, due to being intermittently improved, updated and sold over the last decade.
The connection to a Chinese APT comes in the form a stolen certificate known to be used by the Winnti group. The link is described as “fairly significant in terms of attribution,” according to Cylance’s Tom Bonner, but not definitive. The RAT is being sold by a Chinese-language developer going by the name “yyt_hac” who timidly asks buyers to avoid “illegal” activity with the tool.
The newest version of the tool is designed to run on modern 64-bit systems.
“It is highly likely that this tool will continue to be uncovered as part of targeted attacks for some time, as the ease of use and advanced functionality makes ‘Hacker’s Door’ the perfect RAT for any adversary’s arsenal,” Cylance’s researchers explained.
The RAT’s author also created another piece of malware called “yyt_hac’s ntrootkit” boasting another older backdoor targeting the Windows Kernel, and a tool called “Ghost Shield 1.0”, which purports to be a trojan firewall, as well as a few other general purpose utilities, Bonner told CyberScoop.
“At some point yyt_hac went dark online, disappearing from about 2005 and resurfacing in 2015,” Bonner said. “It’s possible that they could have been in prison (as comments on their blog suggest), but we do not have this confirmed.”
You can read the full deep dive and a list of indicators of compromise for the RAT at Cylance’s blog.
Cylance did not offer other details about the breach, victim or perpetrator.