JUST RELEASED: ATT&CK for Industrial Control Systems


KeyBoy is malware that has been used in targeted campaigns against members of the Tibetan Parliament in 2016.[1][2]

ID: S0387
Platforms: Windows
Contributors: Bart Parys
Version: 1.1
Created: 14 June 2019
Last Modified: 11 October 2019

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

KeyBoy can launch interactive shells for communicating with the victim machine.[2][3]

Enterprise T1043 Commonly Used Port

KeyBoy calls back to the C2 server over ports 53, 80, and 443.[2][3]

Enterprise T1503 Credentials from Web Browsers

KeyBoy attempts to collect passwords from browsers.[3]

Enterprise T1024 Custom Cryptographic Protocol

KeyBoy uses custom SSL libraries for C2 traffic.[2]

Enterprise T1173 Dynamic Data Exchange

KeyBoy uses the Dynamic Data Exchange (DDE) protocol to download remote payloads.[2]

Enterprise T1203 Exploitation for Client Execution

KeyBoy exploits the vulnerability CVE-2012-0158 for execution.[3]

Enterprise T1083 File and Directory Discovery

KeyBoy has a command to launch a file browser or explorer on the system.[2]

Enterprise T1143 Hidden Window

KeyBoy uses -w Hidden to conceal a PowerShell window that downloads a payload.[2]

Enterprise T1056 Input Capture

KeyBoy installs a keylogger for intercepting credentials and keystrokes.[3]

Enterprise T1050 New Service

KeyBoy installs a service pointing to a malicious DLL dropped to disk.[3]

Enterprise T1027 Obfuscated Files or Information

In one version of KeyBoy, string obfuscation routines were used to hide many of the critical values referenced in the malware.[1]

Enterprise T1086 PowerShell

KeyBoy uses PowerShell commands to download and execute payloads.[2]

Enterprise T1105 Remote File Copy

KeyBoy has a download and upload functionality.[2][3]

Enterprise T1113 Screen Capture

KeyBoy has a command to perform screen grabbing.[2]

Enterprise T1064 Scripting

KeyBoy uses Python and VBS scripts for installing files and performing execution.[1]

Enterprise T1082 System Information Discovery

KeyBoy can gather extended system information, such as information about the operating system, disks, and memory.[2][3]

Enterprise T1016 System Network Configuration Discovery

KeyBoy can determine the public or WAN IP address for the system.[2]

Enterprise T1099 Timestomp

KeyBoy time-stomped its DLL in order to evade detection.[2]

Enterprise T1004 Winlogon Helper DLL

KeyBoy issues the command reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" to achieve persistence.[2][1]

Groups That Use This Software

ID Name References
G0081 Tropic Trooper [4] [5]