Heyoka Backdoor

Heyoka Backdoor is a custom backdoor--based on the Heyoka open source exfiltration tool--that has been used by Aoqin Dragon since at least 2013.[1][2]

ID: S1027
Platforms: Windows
Contributors: Hiroki Nagahama, NEC Corporation; Pooja Natarajan, NEC Corporation India; Manikantan Srinivasan, NEC Corporation India
Version: 1.1
Created: 25 July 2022
Last Modified: 11 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1071 .004 Application Layer Protocol: DNS

Heyoka Backdoor can use DNS tunneling for C2 communications.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Heyoka Backdoor can establish persistence with the auto start function including using the value EverNoteTrayUService.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Heyoka Backdoor can decrypt its payload prior to execution.[1]

Enterprise T1083 File and Directory Discovery

Heyoka Backdoor has the ability to search the compromised host for files.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

Heyoka Backdoor has the ability to delete folders and files from a targeted system.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Heyoka Backdoor has been named srvdll.dll to appear as a legitimate service.[1]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Heyoka Backdoor can encrypt its payload.[1]

Enterprise T1120 Peripheral Device Discovery

Heyoka Backdoor can identify removable media attached to victim's machines.[1]

Enterprise T1057 Process Discovery

Heyoka Backdoor can gather process information.[1]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Heyoka Backdoor can inject a DLL into rundll32.exe for execution.[1]

Enterprise T1572 Protocol Tunneling

Heyoka Backdoor can use spoofed DNS requests to create a bidirectional tunnel between a compromised host and its C2 servers.[1]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Heyoka Backdoor can use rundll32.exe to gain execution.[1]

Enterprise T1082 System Information Discovery

Heyoka Backdoor can enumerate drives on a compromised host.[1]

Enterprise T1007 System Service Discovery

Heyoka Backdoor can check if it is running as a service on a compromised host.[1]

Enterprise T1204 .002 User Execution: Malicious File

Heyoka Backdoor has been spread through malicious document lures.[1]

Groups That Use This Software

ID Name References
G1007 Aoqin Dragon