KEYMARBLE is a Trojan that has reportedly been used by the North Korean government. [1]

ID: S0271
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1059 | Command-Line Interface | KEYMARBLE can execute shell commands using cmd.exe. [1]
Enterprise | T1043 | Commonly Used Port | KEYMARBLE uses port 443 for C2. [1]
Enterprise | T1024 | Custom Cryptographic Protocol | KEYMARBLE uses a customized XOR algorithm to encrypt C2 communications. [1]
Enterprise | T1083 | File and Directory Discovery | KEYMARBLE has a command to search for files on the victim’s machine. [1]
Enterprise | T1107 | File Deletion | KEYMARBLE has the capability to delete files off the victim’s machine. [1]
Enterprise | T1112 | Modify Registry | KEYMARBLE has a command to create Registry entries for storing data under HKEY_CURRENT_USER\SOFTWARE\Microsoft\WABE\DataPath. [1]
Enterprise | T1057 | Process Discovery | KEYMARBLE can obtain a list of running processes on the system. [1]
Enterprise | T1105 | Remote File Copy | KEYMARBLE can upload files to the victim’s machine and can download additional payloads. [1]
Enterprise | T1113 | Screen Capture | KEYMARBLE can capture screenshots of the victim’s machine. [1]
Enterprise | T1082 | System Information Discovery | KEYMARBLE has the capability to collect the computer name, language settings, the OS version, CPU information, disk devices, and time elapsed since system start. [1]
Enterprise | T1016 | System Network Configuration Discovery | KEYMARBLE gathers the MAC address of the victim’s machine. [1]
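As an added illustration (not part of this ATT&CK entry or of any KEYMARBLE report), the following Python detection scans Sysmon-style registry value-set events for writes to the T1112 path listed above. The log line layout and the sample events are constructed for the example; the field names EventID, Image and TargetObject follow Sysmon's RegistryEvent schema, and the hive normalization exists because Sysmon records per-user keys as HKU\<SID>\... rather than HKEY_CURRENT_USER\..., which a naive string match would miss.

```python
import re
from typing import Dict, List

# Registry path given on the KEYMARBLE page for T1112 (Modify Registry).
KEYMARBLE_REG_PATH = r"SOFTWARE\Microsoft\WABE\DataPath"

# Sysmon logs per-user hives as HKU\<SID>\... (and HKU\<SID>_Classes\...),
# while analysts usually write HKCU\... or HKEY_CURRENT_USER\...; strip any
# of these prefixes so both spellings compare equal.
_HIVE_PREFIX = re.compile(
    r"^(HKEY_CURRENT_USER|HKCU|HKU\\S-1-5-21-[\d-]+(?:_Classes)?)\\",
    re.IGNORECASE,
)


def normalize_user_key(path: str) -> str:
    """Drop a current-user hive prefix (HKCU or HKU\\<SID>) from a registry path."""
    return _HIVE_PREFIX.sub("", path.strip())


def parse_event(line: str) -> Dict[str, str]:
    """Parse a constructed 'Field: value; Field: value' line into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def find_keymarble_registry_writes(lines: List[str]) -> List[Dict[str, str]]:
    """Return Sysmon Event ID 13 (value set) events whose target is the KEYMARBLE path."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "13":  # only RegistryEvent (Value Set)
            continue
        target = normalize_user_key(event.get("TargetObject", ""))
        if target.lower() == KEYMARBLE_REG_PATH.lower():
            hits.append(event)
    return hits


# Constructed sample events: one benign Run-key write under a service SID,
# one KEYMARBLE-style write under a real user SID, one key-create (EventID 12)
# that must not match, and one write already spelled with HKCU.
SAMPLE_EVENTS = [
    "EventID: 13; Image: C:\\Windows\\System32\\svchost.exe; "
    "TargetObject: HKU\\S-1-5-19\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Sync; Details: C:\\sync.exe",
    "EventID: 13; Image: C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe; "
    "TargetObject: HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\Microsoft\\WABE\\DataPath; Details: Binary Data",
    "EventID: 12; Image: C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe; "
    "TargetObject: HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\Microsoft\\WABE; EventType: CreateKey",
    "EventID: 13; Image: C:\\Users\\bob\\Downloads\\report.exe; "
    "TargetObject: HKCU\\SOFTWARE\\Microsoft\\WABE\\DataPath; Details: Binary Data",
]

if __name__ == "__main__":
    for hit in find_keymarble_registry_writes(SAMPLE_EVENTS):
        print(f"KEYMARBLE T1112 indicator: {hit['Image']} wrote {hit['TargetObject']}")
```

The match is exact on the value path after normalization; a production rule would typically also pivot on the writing Image and on other page-listed behaviour (cmd.exe child processes, outbound 443 from the same process) to raise confidence.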


Groups that use this software:

Lazarus Group