# S1027 Heyoka Backdoor

Heyoka Backdoor is a custom backdoor, based on the Heyoka open-source exfiltration tool, that has been used by Aoqin Dragon since at least 2013.[1][2]
| Item | Value |
|---|---|
| ID | S1027 |
| Associated Names | (none) |
| Type | MALWARE |
| Version | 1.0 |
| Created | 25 July 2022 |
| Last Modified | 24 October 2022 |
## Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.004 | DNS | Heyoka Backdoor can use DNS tunneling for C2 communications.[1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Heyoka Backdoor can establish persistence with the auto-start function, including using the value `EverNoteTrayUService`.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Heyoka Backdoor can decrypt its payload prior to execution.[1] |
| enterprise | T1083 | File and Directory Discovery | Heyoka Backdoor has the ability to search the compromised host for files.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Heyoka Backdoor has the ability to delete folders and files from a targeted system.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | Heyoka Backdoor has been named `srvdll.dll` to appear as a legitimate service.[1] |
| enterprise | T1027 | Obfuscated Files or Information | Heyoka Backdoor can encrypt its payload.[1] |
| enterprise | T1120 | Peripheral Device Discovery | Heyoka Backdoor can identify removable media attached to victims' machines.[1] |
| enterprise | T1057 | Process Discovery | Heyoka Backdoor can gather process information.[1] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.001 | Dynamic-link Library Injection | Heyoka Backdoor can inject a DLL into `rundll32.exe` for execution.[1] |
| enterprise | T1572 | Protocol Tunneling | Heyoka Backdoor can use spoofed DNS requests to create a bidirectional tunnel between a compromised host and its C2 servers.[1] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | Heyoka Backdoor can use `rundll32.exe` to gain execution.[1] |
| enterprise | T1082 | System Information Discovery | Heyoka Backdoor can enumerate drives on a compromised host.[1] |
| enterprise | T1007 | System Service Discovery | Heyoka Backdoor can check whether it is running as a service on a compromised host.[1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | Heyoka Backdoor has been spread through malicious document lures.[1] |
## Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G1007 | Aoqin Dragon | [1] |