Register to stream ATT&CKcon 2.0 October 29-30


KeyBoy is malware that has been used in targeted campaigns against members of the Tibetan Parliament in 2016.[1][2]

ID: S0387
Platforms: Windows
Contributors: Bart Parys
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface KeyBoy can launch interactive shells for communicating with the victim machine. [2] [3]
Enterprise T1043 Commonly Used Port KeyBoy calls back to the C2 server over ports 53, 80, and 443. [2] [3]
Enterprise T1024 Custom Cryptographic Protocol KeyBoy uses custom SSL libraries for C2 traffic. [2]
Enterprise T1173 Dynamic Data Exchange KeyBoy uses the Dynamic Data Exchange (DDE) protocol to download remote payloads. [2]
Enterprise T1203 Exploitation for Client Execution KeyBoy exploits the vulnerability CVE-2012-0158 for execution. [3]
Enterprise T1083 File and Directory Discovery KeyBoy has a command to launch a file browser or explorer on the system. [2]
Enterprise T1056 Input Capture KeyBoy installs a keylogger for intercepting credentials and keystrokes. [3]
Enterprise T1050 New Service KeyBoy installs a service pointing to a malicious DLL dropped to disk. [3]
Enterprise T1027 Obfuscated Files or Information In one version of KeyBoy, string obfuscation routines were used to hide many of the critical values referenced in the malware. [1]
Enterprise T1086 PowerShell KeyBoy uses PowerShell commands to download and execute payloads. [2]
Enterprise T1105 Remote File Copy KeyBoy has a download and upload functionality. [2] [3]
Enterprise T1113 Screen Capture KeyBoy has a command to perform screen grabbing. [2]
Enterprise T1064 Scripting KeyBoy uses Python and VBS scripts for installing files and performing execution. [1]
Enterprise T1082 System Information Discovery KeyBoy can gather extended system information, such as information about the operating system, disks, and memory. [2] [3]
Enterprise T1016 System Network Configuration Discovery KeyBoy can determine the public or WAN IP address for the system. [2]
Enterprise T1099 Timestomp KeyBoy time-stomped its DLL in order to evade detection. [2]
Enterprise T1004 Winlogon Helper DLL KeyBoy issues the command reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” to achieve persistence. [2] [1]

Groups That Use This Software

ID Name References
G0081 Tropic Trooper [4] [5]