S1020 Kevin
Kevin is a backdoor implant written in C++ that has been used by HEXANE since at least June 2020, including in operations against organizations in Tunisia.[1]
Item | Value |
---|---|
ID | S1020 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 14 June 2022 |
Last Modified | 31 August 2022 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Variants of Kevin can communicate with C2 over HTTP.[1] |
enterprise | T1071.004 | DNS | Variants of Kevin can communicate over DNS through queries to the server for constructed domain names with embedded information.[1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | Kevin can use a renamed image of cmd.exe for execution.[1] |
enterprise | T1132 | Data Encoding | - |
enterprise | T1132.001 | Standard Encoding | Kevin can Base32 encode chunks of output files during exfiltration.[1] |
enterprise | T1005 | Data from Local System | Kevin can upload logs and other data from a compromised host.[1] |
enterprise | T1001 | Data Obfuscation | - |
enterprise | T1001.001 | Junk Data | Kevin can generate a sequence of dummy HTTP C2 requests to obscure traffic.[1] |
enterprise | T1074 | Data Staged | Kevin can create directories to store logs and other collected data.[1] |
enterprise | T1030 | Data Transfer Size Limits | Kevin can exfiltrate data to the C2 server in 27-character chunks.[1] |
enterprise | T1041 | Exfiltration Over C2 Channel | Kevin can send data from the victim host through a DNS C2 channel.[1] |
enterprise | T1008 | Fallback Channels | Kevin can assign hard-coded fallback domains for C2.[1] |
enterprise | T1564 | Hide Artifacts | - |
enterprise | T1564.003 | Hidden Window | Kevin can hide the current window from the targeted user via the ShowWindow API function.[1] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | Kevin can delete files created on the victim's machine.[1] |
enterprise | T1105 | Ingress Tool Transfer | Kevin can download files to the compromised host.[1] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.003 | Rename System Utilities | Kevin has renamed an image of cmd.exe with a random name followed by a .tmpl extension.[1] |
enterprise | T1106 | Native API | Kevin can use the ShowWindow API to avoid detection.[1] |
enterprise | T1027 | Obfuscated Files or Information | Kevin has Base64-encoded its configuration file.[1] |
enterprise | T1572 | Protocol Tunneling | Kevin can use a custom protocol tunneled through DNS or HTTP.[1] |
enterprise | T1082 | System Information Discovery | Kevin can enumerate the OS version and hostname of a targeted machine.[1] |
enterprise | T1016 | System Network Configuration Discovery | Kevin can collect the MAC address and other information from a victim machine using ipconfig /all.[1] |
enterprise | T1497 | Virtualization/Sandbox Evasion | Kevin can sleep for a time interval between C2 communication attempts.[1] |
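As an added defender-side example (not part of this ATT&CK entry and not Kevin's own code), the Python below shows one way to hunt for the DNS channel described in the rows above: it groups DNS queries per client and domain, collects leftmost labels that are exactly 27 characters of the Base32 alphabet, treats a shorter Base32 label as the end of a message, then restores padding and decodes the reassembled stream. The log lines, the domains and the "one chunk per leftmost label" layout are constructed assumptions for the example, not Kevin's real query format.

```python
import base64
import re
from collections import defaultdict

B32_ALPHABET = re.compile(r"^[A-Z2-7]+$", re.IGNORECASE)  # RFC 4648 Base32; resolvers may lowercase
CHUNK_LEN = 27  # chunk length the entry above gives for Kevin's exfiltration

# Constructed DNS query log ("client queried_name", arrival order), not real traffic. The domains
# and the "one chunk per leftmost label" layout are assumptions of this example, not Kevin's format.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com
10.0.0.7 NBXXG5B5K5EU4MBRHNXXGPJRGAX.updates-cdn.test
10.0.0.5 mail.example.com
10.0.0.7 dalrr.updates-cdn.test
10.0.0.7 NBXXG5B5K5EU4MBRHNXXGPJRGAX.sync-backup.test
10.0.0.7 DALRR.sync-backup.test
"""

def base32_decode_stream(chunks):
    """Re-pad and decode a Base32 stream reassembled from labels; None if it is not valid Base32 text."""
    joined = "".join(chunks).upper()
    joined += "=" * (-len(joined) % 8)  # 27 chars on its own is never a complete Base32 quantum
    try:
        return base64.b32decode(joined).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None

def _flush(key, streams, findings):
    chunks = streams.pop(key)
    findings.append({"client": key[0], "domain": key[1], "chunks": len(chunks),
                     "decoded": base32_decode_stream(chunks)})

def detect_chunked_dns_exfil(log_text):
    """Per (client, domain): streams of 27-char Base32 leftmost labels, closed by a shorter tail label."""
    streams, findings = defaultdict(list), []
    for line in log_text.strip().splitlines():
        client, name = line.split()
        labels = name.rstrip(".").split(".")
        first, key = labels[0], (client, ".".join(labels[-2:]))  # last two labels ~ registered domain
        if len(labels) < 3 or not B32_ALPHABET.match(first):
            continue  # no data-carrying subdomain label
        if len(first) == CHUNK_LEN:
            streams[key].append(first)  # full chunk: keep accumulating
        elif key in streams and len(first) < CHUNK_LEN:
            streams[key].append(first)  # short tail after full chunks ends the message
            _flush(key, streams, findings)
    for key in list(streams):  # streams still open when the log ends
        _flush(key, streams, findings)
    return findings
```

On real resolver logs, pair this with an allow-list of known domains and a minimum chunk count, since a long hostname drawn only from letters also matches the Base32 alphabet. A client whose streams go to several different domains, as in the sample, is the pattern the Fallback Channels row describes.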
Groups That Use This Software
ID | Name | References |
---|---|---|
G1001 | HEXANE | [1] |