S1020 Kevin

Kevin is a backdoor implant written in C++ that has been used by HEXANE since at least June 2020, including in operations against organizations in Tunisia.[1]

| Item | Value |
|---|---|
| ID | S1020 |
| Associated Names | |
| Version | 1.0 |
| Created | 14 June 2022 |
| Last Modified | 31 August 2022 |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Variants of Kevin can communicate with C2 over HTTP.[1] |
| enterprise | T1071.004 | DNS | Variants of Kevin can communicate over DNS through queries to the server for constructed domain names with embedded information.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Kevin can use a renamed image of cmd.exe for execution.[1] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | Kevin can Base32 encode chunks of output files during exfiltration.[1] |
| enterprise | T1005 | Data from Local System | Kevin can upload logs and other data from a compromised host.[1] |
| enterprise | T1001 | Data Obfuscation | - |
| enterprise | T1001.001 | Junk Data | Kevin can generate a sequence of dummy HTTP C2 requests to obscure traffic.[1] |
| enterprise | T1074 | Data Staged | Kevin can create directories to store logs and other collected data.[1] |
| enterprise | T1030 | Data Transfer Size Limits | Kevin can exfiltrate data to the C2 server in 27-character chunks.[1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | Kevin can send data from the victim host through a DNS C2 channel.[1] |
| enterprise | T1008 | Fallback Channels | Kevin can assign hard-coded fallback domains for C2.[1] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.003 | Hidden Window | Kevin can hide the current window from the targeted user via the ShowWindow API function.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Kevin can delete files created on the victim’s machine.[1] |
| enterprise | T1105 | Ingress Tool Transfer | Kevin can download files to the compromised host.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.003 | Rename System Utilities | Kevin has renamed an image of cmd.exe with a random name followed by a .tmpl extension.[1] |
| enterprise | T1106 | Native API | Kevin can use the ShowWindow API to avoid detection.[1] |
| enterprise | T1027 | Obfuscated Files or Information | Kevin has Base64-encoded its configuration file.[1] |
| enterprise | T1572 | Protocol Tunneling | Kevin can use a custom protocol tunneled through DNS or HTTP.[1] |
| enterprise | T1082 | System Information Discovery | Kevin can enumerate the OS version and hostname of a targeted machine.[1] |
| enterprise | T1016 | System Network Configuration Discovery | Kevin can collect the MAC address and other information from a victim machine using `ipconfig /all`.[1] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | Kevin can sleep for a time interval between C2 communication attempts.[1] |
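The DNS rows above (T1071.004, T1132.001, T1030, T1041) describe data leaving the host as Base32-encoded, 27-character chunks embedded in queried domain names. As an added defender-side example that is not part of this ATT&CK entry or of any tooling it describes, the following Python scans DNS query logs for labels shaped like such chunks and groups them per client and base domain, so that a burst of chunk-shaped queries to one domain stands out. The log line format, the domain names, the client addresses and the alert threshold are all assumptions constructed for the example.

```python
import re
from collections import Counter

# Constructed sample DNS query log (not from the page). Assumed format per line:
# "<timestamp> <client-ip> <queried-name> <record-type>"
SAMPLE_LOG = """\
2022-06-14T10:00:01Z 10.0.0.5 www.example.com A
2022-06-14T10:00:02Z 10.0.0.5 MFRGGZDFMZTWQ2LKNNWG23TPOBS.c2-placeholder.test TXT
2022-06-14T10:00:03Z 10.0.0.5 NBSWY3DPEB3W64TMMQQHE2LOMVS.c2-placeholder.test TXT
2022-06-14T10:00:04Z 10.0.0.5 cdn-0f9a8.example.net A
2022-06-14T10:00:05Z 10.0.0.5 ORSXG5BAMRQXIYJAONUG46LFEB2.c2-placeholder.test TXT
2022-06-14T10:00:06Z 10.0.0.9 MFRGGZDFMZTWQ2LKNNWG23TPOBS.other-placeholder.test TXT
"""

CHUNK_LEN = 27  # chunk size the entry attributes to Kevin (T1030)
# RFC 4648 Base32 alphabet; '=' padding cannot appear inside a DNS label
BASE32_LABEL = re.compile(r"^[A-Z2-7]+$", re.IGNORECASE)


def parse_line(line):
    """Split one log line into (client, qname); returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    return parts[1], parts[2].rstrip(".").lower()


def base_domain(qname):
    """Registrable-domain approximation: the last two labels.
    Assumption for the example; production code would consult a public-suffix list."""
    return ".".join(qname.split(".")[-2:])


def chunk_labels(qname, chunk_len=CHUNK_LEN):
    """Return the labels of qname that look like one Base32 chunk of exactly chunk_len characters."""
    return [label for label in qname.split(".")
            if len(label) == chunk_len and BASE32_LABEL.match(label)]


def scan(log_text, chunk_len=CHUNK_LEN, min_hits=3):
    """Count chunk-shaped queries per (client, base domain) and return the pairs
    that reach min_hits; a single odd label is noise, a run of them is a signal."""
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qname = parsed
        if chunk_labels(qname, chunk_len):
            hits[(client, base_domain(qname))] += 1
    return {key: n for key, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for (client, domain), n in scan(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {n} chunk-shaped queries")
```

In the constructed sample, client 10.0.0.5 sends three chunk-shaped queries to `c2-placeholder.test` and is reported, while the single matching query from 10.0.0.9 stays below the threshold. A tunnel that splits data across several labels of one name, or that uses a different chunk length, needs `chunk_len` adjusted or a per-label length histogram instead of an exact match; the grouping by client and base domain is what keeps the check useful against the hard-coded fallback domains the entry mentions (T1008), since each domain is scored separately.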

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G1001 | HEXANE | [1] |