S0387 KeyBoy
KeyBoy is malware that has been used in targeted campaigns against members of the Tibetan Parliament in 2016.[2][3]
Item | Value |
---|---|
ID | S0387 |
Associated Names | |
Type | MALWARE |
Version | 1.2 |
Created | 14 June 2019 |
Last Modified | 23 March 2023 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.004 | Winlogon Helper DLL | KeyBoy issues the command `reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"` to achieve persistence.[3][2] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | KeyBoy uses PowerShell commands to download and execute payloads.[3] |
enterprise | T1059.003 | Windows Command Shell | KeyBoy can launch interactive shells for communicating with the victim machine.[3][1] |
enterprise | T1059.005 | Visual Basic | KeyBoy uses VBS scripts for installing files and performing execution.[2] |
enterprise | T1059.006 | Python | KeyBoy uses Python scripts for installing files and performing execution.[2] |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.003 | Windows Service | KeyBoy installs a service pointing to a malicious DLL dropped to disk.[1] |
enterprise | T1555 | Credentials from Password Stores | - |
enterprise | T1555.003 | Credentials from Web Browsers | KeyBoy attempts to collect passwords from browsers.[1] |
enterprise | T1001 | Data Obfuscation | - |
enterprise | T1001.003 | Protocol Impersonation | KeyBoy uses custom SSL libraries to impersonate SSL in C2 traffic.[3] |
enterprise | T1083 | File and Directory Discovery | KeyBoy has a command to launch a file browser or explorer on the system.[3] |
enterprise | T1564 | Hide Artifacts | - |
enterprise | T1564.003 | Hidden Window | KeyBoy uses `-w Hidden` to conceal a PowerShell window that downloads a payload.[3] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.006 | Timestomp | KeyBoy time-stomped its DLL in order to evade detection.[3] |
enterprise | T1105 | Ingress Tool Transfer | KeyBoy has download and upload functionality.[3][1] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | KeyBoy installs a keylogger for intercepting credentials and keystrokes.[1] |
enterprise | T1559 | Inter-Process Communication | - |
enterprise | T1559.002 | Dynamic Data Exchange | KeyBoy uses the Dynamic Data Exchange (DDE) protocol to download remote payloads.[3] |
enterprise | T1027 | Obfuscated Files or Information | In one version of KeyBoy, string obfuscation routines were used to hide many of the critical values referenced in the malware.[2] |
enterprise | T1113 | Screen Capture | KeyBoy has a command to perform screen grabbing.[3] |
enterprise | T1082 | System Information Discovery | KeyBoy can gather extended system information, such as information about the operating system, disks, and memory.[3][1] |
enterprise | T1016 | System Network Configuration Discovery | KeyBoy can determine the public or WAN IP address for the system.[3] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0081 | Tropic Trooper | [4][5] |
References
1. Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019.
2. Hulcoop, A., et al. (2016, November 17). It's Parliamentary KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019.
3. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
4. Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018.
5. Alexander, G., et al. (2018, August 8). Familiar Feeling: A Malware Campaign Targeting the Tibetan Diaspora Resurfaces. Retrieved June 17, 2019.