Heyoka Backdoor

Heyoka Backdoor is a custom backdoor, based on the Heyoka open source exfiltration tool, that has been used by Aoqin Dragon since at least 2013.[1][2]

ID: S1027
Type: MALWARE
Platforms: Windows
Contributors: Hiroki Nagahama, NEC Corporation; Pooja Natarajan, NEC Corporation India; Manikantan Srinivasan, NEC Corporation India
Version: 1.1
Created: 25 July 2022
Last Modified: 11 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1036.004 Masquerading: Masquerade Task or Service

Heyoka Backdoor has been named srvdll.dll to appear as a legitimate service.[1]

Enterprise T1572 Protocol Tunneling

Heyoka Backdoor can use spoofed DNS requests to create a bidirectional tunnel between a compromised host and its C2 servers.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Heyoka Backdoor can decrypt its payload prior to execution.[1]

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Heyoka Backdoor can establish persistence through an autostart entry, including one using the value EverNoteTrayUService.[1]

Enterprise T1120 Peripheral Device Discovery

Heyoka Backdoor can identify removable media attached to victims' machines.[1]

Enterprise T1071.004 Application Layer Protocol: DNS

Heyoka Backdoor can use DNS tunneling for C2 communications.[1]

Enterprise T1083 File and Directory Discovery

Heyoka Backdoor has the ability to search the compromised host for files.[1]

Enterprise T1027.013 Obfuscated Files or Information: Encrypted/Encoded File

Heyoka Backdoor can encrypt its payload.[1]

Enterprise T1204.002 User Execution: Malicious File

Heyoka Backdoor has been spread through malicious document lures.[1]

Enterprise T1070.004 Indicator Removal: File Deletion

Heyoka Backdoor has the ability to delete folders and files from a targeted system.[1]

Enterprise T1218.011 System Binary Proxy Execution: Rundll32

Heyoka Backdoor can use rundll32.exe to gain execution.[1]

Enterprise T1082 System Information Discovery

Heyoka Backdoor can enumerate drives on a compromised host.[1]

Enterprise T1007 System Service Discovery

Heyoka Backdoor can check if it is running as a service on a compromised host.[1]

Enterprise T1057 Process Discovery

Heyoka Backdoor can gather process information.[1]

Enterprise T1055.001 Process Injection: Dynamic-link Library Injection

Heyoka Backdoor can inject a DLL into rundll32.exe for execution.[1]

Groups That Use This Software

ID Name References
G1007 Aoqin Dragon [1]