Contributors: Bart Parys
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059 | Command-Line Interface | KeyBoy can launch interactive shells for communicating with the victim machine. |
| Enterprise | T1043 | Commonly Used Port | KeyBoy calls back to the C2 server over ports 53, 80, and 443. |
| Enterprise | T1024 | Custom Cryptographic Protocol | KeyBoy uses custom SSL libraries for C2 traffic. |
| Enterprise | T1173 | Dynamic Data Exchange | KeyBoy uses the Dynamic Data Exchange (DDE) protocol to download remote payloads. |
| Enterprise | T1203 | Exploitation for Client Execution | KeyBoy exploits the vulnerability CVE-2012-0158 for execution. |
| Enterprise | T1083 | File and Directory Discovery | KeyBoy has a command to launch a file browser or explorer on the system. |
| Enterprise | T1056 | Input Capture | KeyBoy installs a keylogger for intercepting credentials and keystrokes. |
| Enterprise | T1050 | New Service | KeyBoy installs a service pointing to a malicious DLL dropped to disk. |
| Enterprise | T1027 | Obfuscated Files or Information | In one version of KeyBoy, string obfuscation routines were used to hide many of the critical values referenced in the malware. |
| Enterprise | T1086 | PowerShell | KeyBoy uses PowerShell commands to download and execute payloads. |
| Enterprise | T1105 | Remote File Copy | KeyBoy has download and upload functionality. |
| Enterprise | T1113 | Screen Capture | KeyBoy has a command to perform screen grabbing. |
| Enterprise | T1064 | Scripting | KeyBoy uses Python and VBS scripts for installing files and performing execution. |
| Enterprise | T1082 | System Information Discovery | KeyBoy can gather extended system information, such as information about the operating system, disks, and memory. |
| Enterprise | T1016 | System Network Configuration Discovery | KeyBoy can determine the public or WAN IP address for the system. |
| Enterprise | T1099 | Timestomp | KeyBoy time-stomped its DLL in order to evade detection. |
| Enterprise | T1004 | Winlogon Helper DLL | KeyBoy issues the command |
Groups That Use This Software

| ID | Name |
|---|---|
| G0081 | Tropic Trooper |