What is Hacker's Door? Old sophisticated Chinese Trojan resurfaces after more than a decade
Cylance researchers said the malware shared many traits with an old 2004 Chinese backdoor.
Security researchers have discovered a sophisticated remote access trojan (RAT) named "Hacker's Door" that has resurfaced more than a decade after it first appeared in 2004 and received a feature update in 2005. Cylance researchers said a new sample of the malware shares many traits with the old 2004 Chinese backdoor of the same name, but has been updated to run on newer operating systems and modern 64-bit platforms.
Researchers said the malware seems to be operated by the Chinese advanced persistent threat (APT) hacker group Winnti.
The newer version of the malware pairs a backdoor with a rootkit driver that is used for covert communications, Cylance said in a blog post published on Tuesday (17 October). Once active, the RAT can gather system information, grab screenshots and files, silently download additional files and even launch other processes and commands.
The malware can also list and kill other processes, open Telnet and remote access ports, and extract the credentials of the currently logged-on Windows user. Researchers said the updated build supports Windows versions up to and including Windows 8.1.
Cylance researchers said the old, largely undocumented RAT has rarely been observed in the wild.
"The recent discovery of a new version, updated for modern Operating Systems, signed with a stolen certificate and actively employed as part of an ongoing compromise is interesting, as it once again shows that threat actors are comfortable relying on third-party tools to reduce development time/costs for malware that will likely be uncovered," researchers said.
The malware is sold privately by its original author, "yyt_hac", and the new sample is signed with a stolen code-signing certificate. The recent updates to Hacker's Door also show that the tool is under "active development".
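A stolen but not-yet-revoked certificate produces a driver whose Authenticode signature checks out as "Valid", so a signature-status check alone will not surface it. The following PowerShell snippet is an added example, not code from the article or from Cylance's write-up: it enumerates running kernel drivers and flags any whose signature is missing, invalid, or chained to a publisher outside a short allow-list. The allow-list of Microsoft publisher names is an assumption for illustration and should be adjusted to whatever third-party drivers are expected on the host.

```powershell
# Added example (not from the article or Cylance). Lists running kernel drivers
# and flags those that are unsigned, fail signature validation, or are signed by
# a publisher not on the allow-list. A driver signed with a stolen certificate
# reports Status "Valid" until the certificate is revoked, so the signer name,
# not the validity flag, is the useful signal here.

# Assumed allow-list for illustration; extend with the vendors you expect.
$trusted = @(
    'Microsoft Windows',
    'Microsoft Corporation',
    'Microsoft Windows Hardware Compatibility Publisher'
)

Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # PathName may carry a \??\ or \SystemRoot\ prefix; normalise to a file path.
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not (Test-Path -LiteralPath $path)) { return }

        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) {
            (($sig.SignerCertificate.Subject -split ',')[0]) -replace '^CN=', ''
        } else {
            '(unsigned)'
        }

        [pscustomobject]@{
            Name   = $_.Name
            Path   = $path
            Status = $sig.Status
            Signer = $signer
            # REVIEW = invalid/missing signature, or a signer outside the allow-list.
            Flag   = if ($sig.Status -ne 'Valid' -or $trusted -notcontains $signer) { 'REVIEW' } else { '' }
        }
    } |
    Sort-Object Flag -Descending |
    Format-Table -AutoSize
```

Two caveats apply. First, Win32_SystemDriver is a view from inside the running system, and a rootkit driver of the kind Cylance describes may hide itself from exactly this kind of enumeration, so treat an empty REVIEW column as "nothing visible" rather than "nothing present" and corroborate with an offline or out-of-band check where a compromise is suspected. Second, a "REVIEW" flag on a legitimately signed third-party driver is expected noise; the point of the allow-list is to make unfamiliar publishers stand out, not to declare them malicious.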
"Despite the author stating, 'please do not use for illegal purposes', they continue to profit from the sale of this aggressive remote access tool," Cylance said. "It is highly likely that this tool will continue to be uncovered as part of targeted attacks for some time, as the ease of use and advanced functionality makes 'Hacker's Door' the perfect RAT for any adversary's arsenal."