{
	"id": "ce07e642-68e0-4887-99bb-2105a01d895c",
	"created_at": "2026-04-06T00:16:16.182491Z",
	"updated_at": "2026-04-10T03:21:53.735065Z",
	"deleted_at": null,
	"sha1_hash": "f0a1f09a70deceb06127742f5ec35835fe26b568",
	"title": "Hussarini – Targeted Cyber Attack in the Philippines",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 610482,
	"plain_text": "Hussarini – Targeted Cyber Attack in the Philippines\r\nPublished: 2018-07-08 · Archived: 2026-04-05 17:53:14 UTC\r\nTwo weeks ago, FortiGuard Labs spotted a malicious document with the politically themed file name “Draft PH-US Dialogue on Cyber Security.doc”. This document takes advantage of the vulnerability CVE-2017-11882. Upon successful exploitation, it drops malware in the victim’s %temp% directory.\r\nOur analysis of this malware shows that it belongs to Hussarini, also known as Sarhust, a backdoor family that has been used actively in APT attacks targeting countries in the ASEAN region since 2014.\r\nAccording to reports, the Philippines is the most exposed country in ASEAN to the cyberattacks known as advanced persistent threats, or APTs. After several massive data breaches in 2016, the Philippines started to invest in beefing up its defences against cyberattacks. In spite of these investments, however, the Philippines is still among the countries most prone to being targeted by these sorts of APT attacks.\r\nExploit Document\r\nOur analysis begins with the exploit document named “Draft PH-US Dialogue on Cyber Security.doc”, which takes advantage of the CVE-2017-11882 vulnerability. Upon successful exploitation, the malicious document file drops two files in the %Temp% directory.\r\n· Outllib.dll\r\n· OutExtra.exe\r\nOutExtra.exe is a signed legitimate application from Microsoft named finder.exe. This file is part of the Microsoft Office suite and can be used to find keywords within Outlook data files. However, in this attack, this file is used to load the Hussarini backdoor via DLL hijacking.\r\nDLL hijacking is a technique used by some APT malware in which, instead of the legitimate application (.exe) loading its benign DLL, the application is tricked into loading a DLL containing malicious code.
Using this technique, malware can evade the Host Intrusion Prevention System (HIPS) of security programs that monitor the behaviors of executed files. Most HIPS tools whitelist signed or trusted files, thereby excluding from behavior monitoring any malware loaded by those signed files via DLL hijacking. In the context of this attack, OutExtra.exe is a signed legitimate application; however, it is tricked into loading a malware file that is disguised as the legitimate Outllib.dll file.\r\nDecoy Document\r\nTo avoid suspicion by the victim, the exploit downloads a decoy document from the legitimate-seeming hxxp://157.52.167.71:29317/office/word/2003/ph2/philip.varilla. During our analysis, though, the download link for the decoy document was already down.\r\nhttps://www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html\r\nPage 1 of 9\n\nHowever, taking a look at the URI, we spotted several clues as to where, or from whom, the hacker possibly wants the user to believe the document came. First is “ph2,” which could mean “ph” for Philippines and “2” for its second directory of decoy documents. Second is “philip.varilla”. A quick Google search on this name led us to the Service Director of the Philippines Department of Information and Communications Technology (DICT), who has the same name. DICT is the agency responsible for the planning, development, and promotion of the Philippines’ information and communications technology, including cybersecurity.\r\nHussarini\r\nThe file Outllib.dll is in fact the Hussarini backdoor, a DLL which exports functions containing the malicious code. When the file OutExtra.exe is executed, some of these functions are called, effectively executing its malicious code.\r\nFig 1.
Hussarini export functions\r\nWhile the original Outllib.dll also has some of the functions above, notice the large difference in the number of exported functions between the backdoor and the original DLL.\r\nFig 2. Export functions of the original Outllib.dll file\r\nThere is also a big difference in the file size. The original Outllib.dll has a file size range of 4-8 MB, depending on the version, but the fake file only ranges from 40-50 KB. One of the reasons for this big difference in file size is that only one of the exported functions of the backdoor DLL contains the malicious code. All of the others are just RETN functions that do nothing.\r\nThus, we will focus our analysis on the function that contains the backdoor code, named RenInitInstance@12. This function begins by instantiating a class that initializes the settings of the bot. It then creates two concurrent threads, each taking the created object as its parameter.\r\nFig 3. Hussarini main function\r\nThe first thread acts as a client thread that is responsible for communicating with the command and control (C\u0026C) server and listening for commands. The response is then parsed and passed to the second thread, which acts as the worker. The worker thread executes the commands and reports the result to the client thread.\r\nBefore communicating with its command and control (C\u0026C), the malware saves a ServerID in the registry with a randomly generated value. This ID identifies this bot in the botnet.\r\nFig 4.
Bot ServerID\r\nC\u0026C Communication\r\nInterestingly, there’s a private IP address 10.1.0.105 in the code that may have been used as a test C\u0026C server. This IP address is replaced at runtime with the real C\u0026C publicdfaph.publicvm.com.\r\nWhen communicating with its C\u0026C, Hussarini uses its own custom protocol encoded with base64, which is sent over HTTP. Due to the high-level nature of the code and limited analysis time, we were not able to identify all the fields of the protocol, but knowing some important parts is enough to understand how the communication works.\r\nFig 5. Hussarini protocol\r\nThe initial data it sends contains the generated ServerID, the size, and the checksum of the message. This data is encoded with base64 and sent as an argument of the HTTP GET request.\r\nFig 6. Initial message to the command and control server\r\nThe response from the C\u0026C is enclosed in the tag \u003cCHECK\u003e\u003c/CHECK\u003e. The data in between is also base64 encoded. When decoded, we can see that it follows the same data structure as the initial message.\r\nFig 7. Initial response from the command and control server\r\nAfter the check, the malware gets the following system information, which it sends to the C\u0026C via an HTTP POST request:\r\n· User name, Computer Name, OS, and CPU information\r\nFig 8. Sending of machine information to the C\u0026C\r\nIt took a while before we were able to receive commands from the C\u0026C, and when we did we suddenly lost connection to the C\u0026C, which could mean that the hacker controls the C\u0026C manually.
The connection disruption could be because the attacker detected that the bot was being analysed and blocked our analysis environment from communicating with the C\u0026C, or simply that the machine was not interesting enough to warrant further attacks. The received data was enclosed in the tag \u003cCOMMAND\u003e\u003c/COMMAND\u003e, encoded with base64, and still follows the same data structure of the protocol when decoded. The commands are pretty obvious, since their strings are not encrypted once the data is decoded.\r\nFig 9. Receiving commands from the C\u0026C\r\nThe first command includes the string “cache.txt”. The worker thread is called with this command to create the following files in the same directory where the malware is running.\r\n· cache.txt\r\n· cache.txt.cfg\r\nThe second command contains commands for the Command Prompt (cmd.exe).\r\nFig 10. Receiving next commands from the C\u0026C\r\nThe following cmd commands sent from the C\u0026C are then passed to the worker thread and written to cache.txt.\r\nFig 11. Commands written in cache.txt\r\nThe descriptions of the commands written to cache.txt are as follows:\r\n· systeminfo – get the system information of the computer\r\n· arp -a – view the mapping of IP addresses to MAC addresses\r\n· ipconfig /all – display all current TCP/IP network configuration values\r\n· netstat -ano – display protocol statistics and current TCP/IP network connections\r\n· tasklist -v – list all running tasks (applications and services) with their process ID (PID)\r\n· net start – starts any of the various services that are running\r\n· net view – display the other computers that are visible on the network\r\n· dir \"c:\\users\" /o-d – display all users\r\nAfter sending these cmd commands, the C\u0026C stopped responding.
It could be that the hacker decided to block the connection after seeing the result of these commands.\r\nBased on its code, this malware is capable of executing the following commands from the hacker:\r\n· Create, read, write files\r\n· Download and execute files/components\r\n· Launch remote shell using cmd.exe\r\nWhile other APT backdoors have more capabilities, such as keylogging, taking screenshots, etc., Hussarini has only a few, including the capability to download and execute files/components. However, its functionality can be extended by the hacker. Also, since this backdoor can launch a remote cmd shell, all cmd commands are available for the attacker to use, such as those seen in Figure 11.\r\nHussarini uses a dynamic domain to maintain anonymity and possibly also to be able to change the C\u0026C server IP address. At the time of this analysis, however, we only saw it resolve to the IP address 157.52.167.71, which is the same IP used to host the decoy document.\r\nFig 12. C\u0026C domain name resolution\r\nFinal thoughts\r\nWe are unsure how the document is being distributed; however, taking a look at the C\u0026C domain name publicdfaph.publicvm.com and considering the file name of the exploit document “Draft PH-US Dialogue on Cyber Security.doc” and the clues from the decoy document download link hxxp://157.52.167.71:29317/office/word/2003/ph2/philip.varilla, there is one scenario that seems to make the most sense.\r\nIt seems likely that the names used were crafted to make it look like the document came from the Department of Information and Communications Technology (DICT), or possibly from the Service Director, which would imply that the employees of the Department of Foreign Affairs (DFA) are the target.
Clearly, publicdfaph in the C\u0026C domain name is used to camouflage the traffic and to trick a network administrator into thinking that this domain belongs to the DFA, so as not to raise any suspicion.\r\nConclusion\r\nHussarini was first mentioned in APT campaigns targeting the Philippines and Thailand in 2014. Today, this malware is still actively being used against the Philippines. The Department of Information and Communications Technology was only formed in 2016 and has acknowledged that the Philippines’ state of cybersecurity is still in its infancy. In general, this contributes to the Philippines continuing to be a target for cybercrime, cyberespionage, or even state-sponsored attacks. Because of this, we expect that attacks targeting that region will continue to evolve in both quantity and quality. As always, we here at FortiGuard Labs will continue to monitor events in order to hunt for, catch, and block these attacks.\r\nSolution:\r\nFortinet detects the exploit document as MSOffice/CVE_2017_11882.A!tr and the Hussarini samples as W32/Sarhust.D!tr.
Malicious URLs related to this malware are also blocked by the FortiGuard Web Filtering Service.\r\n-= FortiGuard Lion Team =-\r\nIOCs:\r\nSHA256:\r\n154261a4aab73f1ceef28695d8837902cc1e8b5cca0b8fc81ddeda350564adc0 - MSOffice/CVE_2017_11882.A!tr\r\n05dcc7856661244d082daa88a074d2f266c70623789a7bb5a919282b178d8f98 - W32/Sarhust.D!tr\r\nCC:\r\nhxxp://157.52.167.71:29317/office/word/2003/ph2/philip.varilla\r\nhxxp://publicdfaph.publicvm.com:8080/\r\nCheck out our latest Quarterly Threat Landscape Report for more details about recent threats.\r\nSign up for our weekly FortiGuard Threat Brief or for our FortiGuard Threat Intelligence Service.\r\nSource: https://www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html"
	],
	"report_names": [
		"hussarini---targeted-cyber-attack-in-the-philippines.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434576,
	"ts_updated_at": 1775791313,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f0a1f09a70deceb06127742f5ec35835fe26b568.pdf",
		"text": "https://archive.orkl.eu/f0a1f09a70deceb06127742f5ec35835fe26b568.txt",
		"img": "https://archive.orkl.eu/f0a1f09a70deceb06127742f5ec35835fe26b568.jpg"
	}
}