{
	"id": "76390498-5b1f-47a1-8739-3b1565e899cd",
	"created_at": "2026-04-06T00:12:19.602135Z",
	"updated_at": "2026-04-10T13:11:56.230625Z",
	"deleted_at": null,
	"sha1_hash": "05f8c949414f4a49d4635bd667b71d4476bf691c",
	"title": "I am HDRoot! Part 2",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1437187,
	"plain_text": "I am HDRoot! Part 2\r\nBy Dmitry Tarakanov\r\nPublished: 2015-10-13 · Archived: 2026-04-05 18:11:49 UTC\r\nSome time ago while tracking Winnti group activity we came across a suspicious 64-bit sample. It was a\r\nstandalone utility with the name HDD Rootkit for planting a bootkit on a computer. Once installed the bootkit\r\ninfects the operating system with a backdoor at the early booting stage. The principles of this bootkit’s work,\r\nnamed HDRoot, have been described in the first part of our article. During our investigation we found several\r\nbackdoors that the HDRoot bootkit used for infecting operating systems. These backdoors are described in this\r\npart of the article.\r\nBackdoors\r\nSince the backdoor installed with the use of HDRoot might be arbitrary, we can’t describe what malware is run by\r\nHDRoot bootkit in every case where it might be found. But at least we have managed to collect two types of\r\nmalware that were identified while tracking HDRoot. The first one was extracted manually from the hard drives of\r\nvictims where HDRoot was detected and who contacted us for the help with combating the infection. Another one\r\nwas found in a standalone dropper that contained both HDRoot and the installed backdoor.\r\n1st type backdoor\r\nMD5 Size Linker Compiled on\r\nC0118C58B6CD012467B3E35F7D7006ED 113’152 10.00 2012-12-19 17:14:21\r\nProperty Value\r\nFileVersion 6.1.7601.17514 (win7sp1_rtm.101119-1850)\r\nFileDescription ProfSvc\r\nInternalName ProfSvc\r\nOriginalFilename ProfSvc.dll\r\nLegalCopyright © Microsoft Corporation. All rights reserved.\r\nProductName Microsoft® Windows® Operating System\r\nCompanyName Microsoft Corporation\r\nThis is the malware family known as server-side Derusbi, which we observed during several Winnti-related\r\nincidents. 
Usually this is a DLL with the internal name OfficeUt32.dll and exported functions like:\r\nhttps://securelist.com/analysis/publications/72356/i-am-hdroot-part-2/\r\nPage 1 of 11\n\nDllRegisterServer\r\nDllUnregisterServer\r\nServiceMain\r\nSvchostPushServiceGlobals\r\nWUServiceMain\r\n__crt_debugger_hook\r\nThis list of functions can differ slightly from version to version. The main DLL includes other malware\r\ncomponents in its body, usually maintained in the XOR-ciphered form:\r\nThe structure for maintaining additional modules\r\nThe Derusbi samples installed with the use of the HDRoot bootkit contained a Remote Shell module and network\r\ndriver.\r\nThe installation routine is implemented in the exported function “DllRegisterServer“. When called, this function\r\nperforms the following actions:\r\nIt copies itself to the folder “%System32%wbem“, with a name consisting of “ntfs” + three random letters,\r\nand a “.mof” extension, for example “ntfsqwe.mof“, and sets the year to 2005 in the date attributes of the\r\nfile.\r\nIt puts a string with its own path to the “ServiceDll” value in the registry that associates with the “iphlpsvc”\r\nor “wuauserv” system service depending on Windows version, and saves the original value of “ServiceDll”\r\nin encrypted form to the “Security” parameter of the same registry key. It executes the malware on system\r\nstartup.\r\nAfter the malware service has started, it starts the original system service that was replaced, running the\r\ndynamic link library associated with the service specified in the “Security” parameter during malware\r\ninstallation.\r\nThe malware stores its configuration data in encrypted form in the “Security” value of the\r\nHKLMSOFTWAREMicrosoftRpc registry key. 
It contains a unique computer identifier, and the signature for\r\nhttps://securelist.com/analysis/publications/72356/i-am-hdroot-part-2/\r\nPage 2 of 11\n\nmatching incoming C\u0026C server packets.\r\nThe malware can either connect to the C\u0026C server directly if it is specified in the settings block in its body or\r\nwork in listening mode if no C\u0026C server is defined. The samples related to the HDRoot bootkit we found worked\r\nin listening mode.\r\n1st type backdoor: the driver\r\nMD5 Size Linker Compiled on\r\nC8DAF9821EBC4F1923D6DDB5477A8BBD 37’264 9.00 2012-12-19 17:08:53\r\nProperty Value\r\nFileVersion 6.1.7601.17514 (win7sp1_rtm.101119-1850)\r\nFileDescription Partition Management Driver\r\nInternalName partmgr.sys\r\nOriginalFilename partmgr.sys\r\nLegalCopyright © Microsoft Corporation. All rights reserved.\r\nProductName Microsoft® Windows® Operating System\r\nCompanyName Microsoft Corporation\r\n(The driver was signed on December 19, 2012 17:11:14 with the stolen certificate of South Korean online gaming\r\ncompany XL Games. The certificate was revoked on Jun 21, 2013. Its serial number is:\r\n7b:d5:58:18:c5:97:1b:63:dc:45:cf:57:cb:eb:95:0b).\r\nThe main malware DLL decrypts, drops and runs the rootkit as a file “%System32%DriversLst_Update.sys”. The\r\ndriver at the very beginning of the process removes all registry values created during its launch and the actual\r\ndriver file. The rootkit conceals malicious network activity from popular network monitoring tools by hooking the\r\nIRP_MJ_DIRECTORY_CONTROL service routine of “DeviceTcp” or “Drivernsiproxy” system objects. It also\r\nhides the file “windowssystem32wiarpc.dll” from user-mode applications by hooking the\r\nIRP_MJ_DIRECTORY_CONTROL service routine of the file system driver “FileSystemNtfs”.\r\nIf the malware works in listening mode, the rootkit is also engaged in the communication routines. 
It sniffs all\r\nincoming network packets and searches them for a specially crafted signature. If found, it redirects these packets\r\nto the listening socket opened by the main malware module. The main module creates a network socket on a\r\nrandom port on all network interfaces. If the rootkit pushes a network packet that matches the predefined\r\nsignature, the main malware module will process it. This network packet includes command code and the module\r\nID that has to perform that command. Known versions of the malware recognize five modules with different\r\ncommands:\r\nhttps://securelist.com/analysis/publications/72356/i-am-hdroot-part-2/\r\nPage 3 of 11\n\nModule\r\nID\r\nSupported commands\r\n0x80\r\nServices management: list of services, creating, starting, stopping, deleting services\r\nManage running processes: terminating, retrieving module file name, processes token\r\nRegistry management\r\n0x81 Execution of arbitrary files or shell commands on infected system\r\n0x82 Traffic redirection via port forwarding: infected host is used as proxy\r\n0x84 Browsing the file system, uploading/downloading files\r\n0x240\r\nMain module control: removing the main module, stopping the main module, downloading and\r\nstarting DLL from the remote server (this DLL will be saved in %TEMP% as “tmp1.dat”),\r\nstarting network proxy\r\n1st type backdoor: remote shell library\r\nMD5 Size Linker Compiled on\r\n1C30032DC5435070466B9DC96F466F95 13’360 10.00 2012-12-19 17:12:12\r\nProperty Value\r\nProductVersion 6.1.2600.1569\r\nProductName Microsoft®Windows®Operating System\r\nCompanyName Microsoft Corporation\r\nFileDescription Microsoft update\r\nFileVersion 6.1.2600.1569\r\nAs was mentioned earlier, besides a network driver there was only one additional module included in the\r\ndiscovered versions of the Dersubi samples related to HDRoot – Remote Shell. The main malware module\r\ndecrypts, drops and runs it as the file “%Systemroot%Helpperfc009.dat”. 
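The host artifacts of this Derusbi variant, as an added hunting example that is not part of the original article: the ServiceDll hijack of iphlpsvc or wuauserv with the original path stashed in the “Security” value, the ntfs???.mof file in %System32%\\wbem with its date backdated to 2005, and the dropped Lst_Update.sys and perfc009.dat. The snapshot it scans is constructed; on a live host the same fields come from the Parameters keys under HKLM\\SYSTEM\\CurrentControlSet\\Services and a directory listing. The class and function names (Snapshot, hunt_derusbi) and the legitimate Windows 7 ServiceDll paths it compares against are this example’s own assumptions.

```python
# Added example, not code from the article: hunt for Derusbi host artifacts
# in a constructed host snapshot. Names (Snapshot, hunt_derusbi) and the
# legitimate ServiceDll paths are this example's assumptions.
import re
from dataclasses import dataclass
from datetime import datetime

# Services whose ServiceDll the backdoor replaces -> genuine DLL (Windows 7)
LEGIT_SERVICE_DLL = {
    'iphlpsvc': '%systemroot%\\system32\\iphlpsvc.dll',
    'wuauserv': '%systemroot%\\system32\\wuaueng.dll',
}
# 'ntfs' + three random letters + '.mof', dropped into %System32%\\wbem
MOF_NAME = re.compile(r'^ntfs[a-z]{3}[.]mof$')
# other files the main module drops (the driver and the Remote Shell library)
DROPPED_NAMES = ('lst_update.sys', 'perfc009.dat')

@dataclass
class Snapshot:
    service_params: dict   # service name -> {value name (lower-case): data}
    files: dict            # full path -> last-modified datetime

def normalise(path):
    # lower-case and expand the %System32% shorthand so paths compare equal
    return path.lower().replace('%system32%', '%systemroot%\\system32')

def hunt_derusbi(snap):
    findings = []
    for svc, legit in LEGIT_SERVICE_DLL.items():
        params = snap.service_params.get(svc, {})
        dll = params.get('servicedll')
        if dll and normalise(dll) != legit:
            findings.append(('servicedll_hijack', svc, dll))
        if 'security' in params:
            # the original ServiceDll is stashed here, encrypted, so the
            # malware can start the real service after itself
            findings.append(('saved_original_servicedll', svc, params['security']))
    for path, mtime in snap.files.items():
        folder, _, name = normalise(path).rpartition('\\')
        if folder.endswith('\\wbem') and MOF_NAME.match(name):
            kind = 'mof_in_wbem'
            if mtime.year == 2005:      # the installer backdates the file to 2005
                kind += '_timestomped_2005'
            findings.append((kind, path, mtime.isoformat()))
        elif name in DROPPED_NAMES:
            findings.append(('known_dropped_file', path, mtime.isoformat()))
    return findings

# Constructed snapshot of an infected Windows 7 host (not real telemetry)
SAMPLE = Snapshot(
    service_params={
        'iphlpsvc': {'servicedll': '%System32%\\wbem\\ntfsqwe.mof',
                     'security': 'encrypted blob'},
        'wuauserv': {'servicedll': '%SystemRoot%\\system32\\wuaueng.dll'},
    },
    files={
        'C:\\Windows\\System32\\wbem\\ntfsqwe.mof': datetime(2005, 3, 14, 9, 26),
        'C:\\Windows\\System32\\wbem\\cimwin32.mof': datetime(2009, 7, 14, 1, 0),
        'C:\\Windows\\System32\\Drivers\\Lst_Update.sys': datetime(2014, 7, 1, 3, 0),
        'C:\\Windows\\Help\\perfc009.dat': datetime(2014, 7, 1, 3, 0),
    },
)

if __name__ == '__main__':
    for kind, where, detail in hunt_derusbi(SAMPLE):
        print(kind, where, detail)
```

The ServiceDll comparison is the high-signal check: a svchost-hosted service whose DLL lives under wbem, or any Parameters key that has gained a “Security” value, should be treated as hijacked regardless of the file name the sample chose. The 2005 timestamp is only corroboration, since a defender with NTFS $FILE_NAME timestamps can confirm the backdating independently.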
This is a DLL with the internal name Office.dll and one exported function, R32. The library is run by executing the following command line:\r\nrundll32.exe %Systemroot%\\Help\\perfc009.dat R32 <random_number>\r\nwhere <random_number> is a pre-shared value generated by the main module.\r\nThe Remote Shell library creates two named pipes used to communicate with the main module:\r\n\\pipe\\usb<random_number>i\r\n\\pipe\\usb<random_number>o\r\nThe command line from the operator for execution is expected to come through the pipe \\pipe\\usb<random_number>o. When this command arrives, a new process is created to execute it in the working directory %SystemDrive%. The standard input of the newly created process is set to be read from the pipe \\pipe\\usb<random_number>o, while its standard output and standard error are redirected into the parallel pipe \\pipe\\usb<random_number>i. This means that input to the executing program comes from the operator and the program’s output goes back to the operator, forming an effective backdoor channel.\r\n2nd type backdoor: the dropper\r\nMD5: 755351395AA920BC212DBF1D990809AB\r\nSize: 266’240 bytes\r\nLinker: 6.00\r\nCompiled on: 2013-11-18 19:23:12\r\nWe were able to spot a sample that turned out to be a one-click installer of the backdoor with the use of HDRoot. This is a Win32 executable compiled on 18 November 2013 according to the date stamp in its header. The executable includes resources “102” and “103” of the custom type “MHM”. These are the executable of the HDRoot installer and the installed backdoor.\r\nThe role of the installed backdoor is played by the executable maintained as resource “102” and dropped as the file %windir%\\bootmgr.exe. (Running a few steps ahead, we have to say that formally it is not a backdoor but a downloader.) The tool “HDD Rootkit”, which is resource “103”, is dropped as %windir%\\hall32.exe. Then the dropper runs the following command line:\r\n%windir%\\hall32.exe inst %windir%\\bootmgr.exe c:\r\nwhich instructs the HDRoot installer, named hall32.exe, to install the HDRoot bootkit onto the hard drive where disk C: is located, with subsequent running of the downloader bootmgr.exe on system start-up.\r\nThere are other files specified in the dropper’s body that it checks for in the file system or that the malware uses in intermediate procedures:\r\n%windir%\\system32\\midimapbits.dll\r\n%windir%\\system32\\mpeg4c32.dll\r\n%windir%\\bootmgr.dat\r\nThe downloader\r\nMD5: 11E461ED6250B50AFB70FBEE93320131\r\nSize: 69’632 bytes\r\nLinker: 6.00\r\nCompiled on: 2013-11-18 19:22:30\r\nThe downloader bootmgr.exe was also compiled on 18 November 2013, like the dropper. According to the list specified in its body, it downloads files from the following URLs and runs them:\r\nhttp://www.gbutterfly.com/bbs/data/boot1.gif\r\nhttp://www.btdot.com/bbs/data/boot1.gif\r\nhttp://boot.ncook.net/bbs/data/boot1.gif\r\nhttp://www.funzone.co.kr/bbs/data/boot1.gif\r\nhttp://www.srsr.co.kr/bbs2/data/boot1.gif\r\nIf anything is available via these URLs, it is dropped onto the disk with one of the following file names and run:\r\n%windir%\\v3update000.exe\r\n%windir%\\v3update001.exe\r\n%windir%\\v3update002.exe\r\nThe downloader checks the size of the dropped file and only runs it if it is greater than 20896 bytes.\r\nIt turned out that this is a double downloader: it maintains another sample with downloading functionality in its body. The malware drops it with the file name %windir%\\svchost.exe and subsequently runs it with the parameter “install”. For some reason, immediately after running the 2nd downloader the malware stops the Internet Connection Sharing service with the command line:\r\ncmd.exe /c net stop sharedaccess\r\nThere are other files specified in the downloader’s body that it checks for in the file system:\r\n%windir%\\system32\\midimapbits.dll\r\n%windir%\\system32\\mpeg4c32.dll\r\n%windir%\\winurl.dat\r\nThe 2nd downloader\r\nMD5: ACC4D57A98256DFAA5E2B7792948AAAE\r\nSize: 22’016 bytes\r\nLinker: 6.00\r\nCompiled on: 2013-11-18 19:06:32\r\nThis malware is able to recognize two parameters: “install” and “remove”. In the installation branch it creates the auto-starting “Winlogon” service with the description “Provides automatic configuration for the 802.11 adapters”, configured to run its own executable. The “remove” parameter, obviously, deletes this service.\r\nWhile running, the service decrypts the list of URLs included in its body and tries to download content from the addresses formed by appending “default.gif” to the URLs from the list. This is the complete decrypted list of URLs:\r\nhttp://www.netmarble.net/\r\nhttp://www.nexon.com/\r\nhttp://www.tistory.com/start/\r\nhttp://m.ahnlab.com/\r\nhttp://www.joinsmsn.com/\r\nhttp://fcst.co.kr/board/data/media/\r\nhttp://www.hangame.com/\r\nhttp://www.msn.com/\r\nhttp://adw.naver.com/\r\nhttp://www1.designrg.com/\r\nhttp://www.topani.com/\r\nhttp://www.nate.com/\r\nhttp://www.v3lite.com/\r\nhttp://www1.webschool.or.kr/\r\nhttp://snsdate.gndot.com/\r\nhttp://www.srsr.co.kr/bbs2/data/\r\nhttp://funzone.co.kr/bbs/data/\r\nhttp://www.moreuc.com/\r\nhttp://www1.ncook.net/\r\nAs you can see, this list includes sites of legitimate and trusted parties, which are unlikely to host malware components.
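The fetch-and-parse logic of the two downloaders, as an added example that is not code from the article or the samples: the 1st downloader’s 20896-byte size gate, the 2nd downloader’s formation of the “default.gif” URLs from the list above, the three-line control file it expects in %windir%\\image.jpg (the format is described in the paragraph that follows) and the restoration of the “MZ” bytes on the fetched payload. All inputs are constructed so it runs offline; the function names, the sample control file, the example.com URL and the reading of the first-line check as “parses as an integer greater than 139” are this example’s own assumptions.

```python
# Added example, not code from the article: the fetch-and-parse logic of the
# two downloaders, run on constructed data so it works offline. Function
# names, the sample control file and payload are this example's assumptions.
MIN_STAGE1_SIZE = 20896   # 1st downloader runs v3updateNNN.exe only above this size
MIN_MARKER = 139          # 2nd downloader: the control file's first line must exceed this

def should_run_stage1(size):
    # 1st downloader: a dropped file is executed only if it is larger than 20896 bytes
    return size > MIN_STAGE1_SIZE

def default_gif_urls(bases):
    # 2nd downloader: append 'default.gif' to every decrypted base URL
    return [b + ('' if b.endswith('/') else '/') + 'default.gif' for b in bases]

def parse_control_file(text):
    # The content fetched to %windir%\\image.jpg is really a three-line text file:
    #   1. digits only, read as a number that must be greater than 139
    #      (assumed reading of the article; otherwise the content is skipped)
    #   2. URL of the executable to download
    #   3. file name to drop it under
    # Returns (url, filename), or None when the malware would ignore the content.
    lines = [ln.strip() for ln in text.splitlines()]
    if len(lines) < 3 or not lines[0].isdigit() or int(lines[0]) <= MIN_MARKER:
        return None
    url, name = lines[1], lines[2]
    if not url.lower().startswith('http') or not name:
        return None
    return url, name

def restore_mz(blob):
    # the served executable has its first two bytes altered; the malware
    # writes the 'MZ' signature back before running it
    if len(blob) < 2:
        raise ValueError('payload too short')
    return b'MZ' + bytes(blob[2:])

# Constructed control files and payload (not real samples)
CONTROL_OK = '''140
http://example.com/data/update.bin
v3update000.exe
'''
CONTROL_SKIPPED = '''139
http://example.com/data/update.bin
v3update000.exe
'''
PATCHED_PAYLOAD = bytes(2) + b'stubbed-pe-body'

if __name__ == '__main__':
    print(default_gif_urls(['http://www.msn.com/', 'http://www.srsr.co.kr/bbs2/data/']))
    print(parse_control_file(CONTROL_OK), parse_control_file(CONTROL_SKIPPED))
    print(restore_mz(PATCHED_PAYLOAD)[:2], should_run_stage1(20897))
```

The practical use is on the network side: a proxy log showing GET requests for default.gif across several of the listed hosts from one client, or a small text body served as image/jpeg whose first line is a bare integer, is the observable that the endpoint artifacts alone do not give. The stripped “MZ” is why a downloaded payload would not be caught by a naive PE-magic check on the wire.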
Since none of these sites is malicious in itself, some of them were probably compromised; otherwise the malware would not have been functional.\r\nThe content is downloaded into the file %windir%\\image.jpg. But this is only an intermediate stage: the content should be a text file that is parsed by the malware. The first line of that file should consist only of digits forming a number greater than 139; if not, the malware skips processing that content. The second line holds the URL the malware should use to download an executable, and the third line specifies the file name under which the downloaded executable is dropped into the file system. After downloading, the malware restores the 2 bytes “MZ” at the very beginning of the dropped file and runs it.\r\nAt the same time as it is downloading, the malware tries to remove specific antivirus software. On finding an uninstall command line in the registry, the malware runs it and, by manipulating the user interface buttons of the uninstaller, tries to remove three AV products: AhnLab’s V3 Lite, AhnLab’s V3 365 Clinic and ESTsoft’s ALYac. Although only those three products are handled by active code, the malware also includes inactive functions to disable Naver Vaccine and McAfee Security Center. The origin of those vendors clearly suggests that the malware was intended for targets in South Korea.\r\nSince the malware is already quite old, we have not been able to download any relevant material from the URLs specified in either the 1st or the 2nd downloader. Servers have been responding with nothing or with pages stating the absence of content.\r\nEarlier discovery\r\nWe were not actually the first AV company to encounter HDRoot malware face to face. At the end of 2013 South Korean AhnLab issued a comprehensive report on the ETSO hacking group based on incident response cases their digital forensics team was working on. ETSO malware, according to AhnLab’s classification, mostly corresponds to Winnti malware as we detect it. During their analysis, AhnLab’s engineers discovered infected MBRs that, according to their description (pages 14-15, chapter “2.5 Maintain Network Presence”), sound like the result of an HDRoot bootkit installer at work:\r\n(Figure: AhnLab’s HDRoot scheme of work)\r\nWe also know of incident handlers, not necessarily from AV companies, who are acquainted with the HDD Rootkit utility. However, when it comes to detection, despite the fact that this dangerous threat is quite old, antivirus products were not that good at detecting it.\r\nStatistics\r\nAs expected, HDRoot infections prevail in Winnti’s traditional region of primary interest, South East Asia and especially South Korea, according to KSN. But other parts of the world have also been affected, and the extent and impact of this threat may be significant.\r\n(Figure: HDRoot-related malware hits)\r\nIt is important to point out that the numbers do not represent the nature of the targets: by simply looking at the numbers we cannot see what sort of companies were attacked. Hence, the map may present a different story from the reality in terms of probable damage for a particular country.\r\nFor example, we were involved in mitigating an HDRoot infection in two major companies in Russia and the UK, where the malware was discovered on multiple servers with the use of our products. In both cases the damage due to the infection could be very significant, especially in Russia, where many of the company’s customers could have been affected. However, on the map Russia is shown as having suffered just a single hit, while the UK has 23 attacked systems.\r\nAlthough we have not found many malware families installed using HDRoot, and attribute known HDRoot-related activity to Winnti, we continue to assume that this bootkit may be used in multiple APT campaigns. We already know about an overlap between Winnti activity and other APTs from previous incidents. Taking into account the HDRoot installer’s nature as a standalone tool, it is very possible that this bootkit could be in the hands of other threat actors.\r\nWe detect HDRoot malware with the following verdicts:\r\nHacktool.Win32.HDRoot\r\nHacktool.Win64.HDRoot\r\nRootkit.Win32.HDRoot\r\nRootkit.Win64.HDRoot\r\nTrojan.Boot.HDRoot\r\nBackdoors and downloaders related to the HDRoot bootkit:\r\nBackdoor.Win64.Winnti\r\nTrojan.Win32.Agentb.aemr\r\nTrojan.Win32.Genome.amvgd\r\nIndicators of Compromise\r\nSample hashes\r\n2c85404fe7d1891fd41fcee4c92ad305\r\n4dc2fc6ad7d9ed9fcf13d914660764cd\r\n8062cbccb2895fb9215b3423cdefa396\r\nc7fee0e094ee43f22882fb141c089cea\r\nd0cb0eb5588eb3b14c9b9a3fa7551c28\r\na28fe3387ea5352b8c26de6b56ec88f0\r\n2b081914293f415e6c8bc9c2172f7e2a\r\n6ac4db5dcb874da2f61550dc950d08ff\r\n6ae7a087ef4185296c377b4eadf956a4\r\ne171d9e3fcb2eeccdc841cca9ef53fb8\r\nae7f93325ca8b1965502b18059f6e46a\r\ne07b5de475bbd11aab0719f9b5ba5654\r\nd200f9a9d2b7a44d20c31edb4384e62f\r\ncc7af071098d3c00fdd725457ab00b65\r\nc0118c58b6cd012467b3e35f7d7006ed\r\nc8daf9821ebc4f1923d6ddb5477a8bbd\r\n755351395aa920bc212dbf1d990809ab\r\n11e461ed6250b50afb70fbee93320131\r\nacc4d57a98256dfaa5e2b7792948aaae\r\n1c30032dc5435070466b9dc96f466f95\r\n7d1309ce050f32581b60841f82fc3399\r\nb10908408b153ce9fb34c2f0164b6a85\r\neb3fbfc79a37441590d9509b085aaaca\r\n3ad35274cf09a24c4ec44d547f1673e7\r\nf6004cfaa6dc53fd5bf32f7069f60e7a\r\nc5d59acb616dc8bac47b0ebd0244f686\r\ne19793ff58c04c2d439707ac65703410\r\nFiles\r\n%windir%\\twain.dll\r\n%windir%\\system\\olesvr.dll\r\n%windir%\\msvidc32.dll\r\n%windir%\\help\\access.hlp\r\n%windir%\\syswow64\\C_932.NLS\r\n%windir%\\syswow64\\C_20949.NLS\r\n%windir%\\syswow64\\irclass.dll\r\n%windir%\\syswow64\\msvidc32.dll\r\n%windir%\\syswow64\\kmddsp.tsp\r\n%windir%\\temp\\svchost.exe\r\n%System32%\\wbem\\ntfs<3 random chars>.mof\r\n%System32%\\Drivers\\Lst_Update.sys\r\n%Systemroot%\\Help\\perfc009.dat\r\n%windir%\\bootmgr.exe\r\n%windir%\\hall32.exe\r\n%windir%\\system32\\midimapbits.dll\r\n%windir%\\system32\\mpeg4c32.dll\r\n%windir%\\bootmgr.dat\r\n%windir%\\v3update000.exe\r\n%windir%\\v3update001.exe\r\n%windir%\\v3update002.exe\r\n%windir%\\svchost.exe\r\n%windir%\\winurl.dat\r\n%windir%\\image.jpg\r\nSource: https://securelist.com/analysis/publications/72356/i-am-hdroot-part-2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/analysis/publications/72356/i-am-hdroot-part-2/"
	],
	"report_names": [
		"i-am-hdroot-part-2"
	],
	"threat_actors": [
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434339,
	"ts_updated_at": 1775826716,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/05f8c949414f4a49d4635bd667b71d4476bf691c.pdf",
		"text": "https://archive.orkl.eu/05f8c949414f4a49d4635bd667b71d4476bf691c.txt",
		"img": "https://archive.orkl.eu/05f8c949414f4a49d4635bd667b71d4476bf691c.jpg"
	}
}