S1051 KEYPLUG
KEYPLUG is a modular backdoor written in C++, with Windows and Linux variants, that has been used by APT41 since at least June 2021.[1]
| Item | Value |
|---|---|
| ID | S1051 |
| Associated Names | KEYPLUG.LINUX |
| Type | MALWARE |
| Version | 1.0 |
| Created | 12 December 2022 |
| Last Modified | 12 December 2022 |
Associated Software Descriptions
| Name | Description |
|---|---|
| KEYPLUG.LINUX | [1] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | KEYPLUG has the ability to communicate over HTTP and WebSocket Protocol (WSS) for C2.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | KEYPLUG can decode its configuration file to determine C2 protocols.[1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | KEYPLUG can use TLS-encrypted WebSocket Protocol (WSS) for C2.[1] |
| enterprise | T1095 | Non-Application Layer Protocol | KEYPLUG can use TCP and KCP (KERN Communications Protocol) over UDP for C2 communication.[1] |
| enterprise | T1027 | Obfuscated Files or Information | KEYPLUG can use a hardcoded one-byte XOR encoded configuration file.[1] |
| enterprise | T1090 | Proxy | KEYPLUG has used Cloudflare CDN associated infrastructure to redirect C2 communications to malicious domains.[1] |
| enterprise | T1124 | System Time Discovery | KEYPLUG can obtain the current tick count of an infected computer.[1] |
| enterprise | T1102 | Web Service | - |
| enterprise | T1102.001 | Dead Drop Resolver | The KEYPLUG Windows variant has retrieved C2 addresses from encoded data in posts on tech community forums.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0096 | APT41 | [1] |