Skip to content

S1027 Heyoka Backdoor

Heyoka Backdoor is a custom backdoor–based on the Heyoka open source exfiltration tool–that has been used by Aoqin Dragon since at least 2013.12

Item Value
ID S1027
Associated Names
Version 1.0
Created 25 July 2022
Last Modified 24 October 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.004 DNS Heyoka Backdoor can use DNS tunneling for C2 communications.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Heyoka Backdoor can establish persistence with the auto start function including using the value EverNoteTrayUService.1
enterprise T1140 Deobfuscate/Decode Files or Information Heyoka Backdoor can decrypt its payload prior to execution.1
enterprise T1083 File and Directory Discovery Heyoka Backdoor has the ability to search the compromised host for files.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Heyoka Backdoor has the ability to delete folders and files from a targeted system.1
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service Heyoka Backdoor has been named srvdll.dll to appear as a legitimate service.1
enterprise T1027 Obfuscated Files or Information Heyoka Backdoor can encrypt its payload.1
enterprise T1120 Peripheral Device Discovery Heyoka Backdoor can identify removable media attached to victim’s machines.1
enterprise T1057 Process Discovery Heyoka Backdoor can gather process information.1
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection Heyoka Backdoor can inject a DLL into rundll32.exe for execution.1
enterprise T1572 Protocol Tunneling Heyoka Backdoor can use spoofed DNS requests to create a bidirectional tunnel between a compromised host and its C2 servers.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 Heyoka Backdoor can use rundll32.exe to gain execution.1
enterprise T1082 System Information Discovery Heyoka Backdoor can enumerate drives on a compromised host.1
enterprise T1007 System Service Discovery Heyoka Backdoor can check if it is running as a service on a compromised host.1
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File Heyoka Backdoor has been spread through malicious document lures.1

Groups That Use This Software

ID Name References
G1007 Aoqin Dragon 1