Skip to content

S0387 KeyBoy

KeyBoy is malware that has been used in targeted campaigns against members of the Tibetan Parliament in 2016.23

Item Value
ID S0387
Associated Names
Version 1.2
Created 14 June 2019
Last Modified 23 March 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.004 Winlogon Helper DLL KeyBoy issues the command reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” to achieve persistence.3 2
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell KeyBoy uses PowerShell commands to download and execute payloads.3
enterprise T1059.003 Windows Command Shell KeyBoy can launch interactive shells for communicating with the victim machine.31
enterprise T1059.005 Visual Basic KeyBoy uses VBS scripts for installing files and performing execution.2
enterprise T1059.006 Python KeyBoy uses Python scripts for installing files and performing execution.2
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service KeyBoy installs a service pointing to a malicious DLL dropped to disk.1
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers KeyBoy attempts to collect passwords from browsers.1
enterprise T1001 Data Obfuscation -
enterprise T1001.003 Protocol Impersonation KeyBoy uses custom SSL libraries to impersonate SSL in C2 traffic.3
enterprise T1083 File and Directory Discovery KeyBoy has a command to launch a file browser or explorer on the system.3
enterprise T1564 Hide Artifacts -
enterprise T1564.003 Hidden Window KeyBoy uses -w Hidden to conceal a PowerShell window that downloads a payload. 3
enterprise T1070 Indicator Removal -
enterprise T1070.006 Timestomp KeyBoy time-stomped its DLL in order to evade detection.3
enterprise T1105 Ingress Tool Transfer KeyBoy has a download and upload functionality.31
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging KeyBoy installs a keylogger for intercepting credentials and keystrokes.1
enterprise T1559 Inter-Process Communication -
enterprise T1559.002 Dynamic Data Exchange KeyBoy uses the Dynamic Data Exchange (DDE) protocol to download remote payloads.3
enterprise T1027 Obfuscated Files or Information In one version of KeyBoy, string obfuscation routines were used to hide many of the critical values referenced in the malware.2
enterprise T1113 Screen Capture KeyBoy has a command to perform screen grabbing.3
enterprise T1082 System Information Discovery KeyBoy can gather extended system information, such as information about the operating system, disks, and memory.31
enterprise T1016 System Network Configuration Discovery KeyBoy can determine the public or WAN IP address for the system.3

Groups That Use This Software

ID Name References
G0081 Tropic Trooper 45