KEYPLUG

KEYPLUG is a modular backdoor written in C++, with Windows and Linux variants, that has been used by APT41 since at least June 2021.^[1]

ID: S1051

ⓘ

Associated Software: KEYPLUG.LINUX

ⓘ

Type: MALWARE

ⓘ

Platforms: Linux, Windows

Version: 1.1

Created: 12 December 2022

Last Modified: 11 April 2024

Live Version

Associated Software Descriptions

Name	Description
KEYPLUG.LINUX	^[1]

Domain	ID		Name	Use
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	KEYPLUG has the ability to communicate over HTTP and WebSocket Protocol (WSS) for C2.^[1]
Enterprise	T1140		Deobfuscate/Decode Files or Information	KEYPLUG can decode its configuration file to determine C2 protocols.^[1]
Enterprise	T1573	.002	Encrypted Channel: Asymmetric Cryptography	KEYPLUG can use TLS-encrypted WebSocket Protocol (WSS) for C2.^[1]
Enterprise	T1095		Non-Application Layer Protocol	KEYPLUG can use TCP and KCP (KERN Communications Protocol) over UDP for C2 communication.^[1]
Enterprise	T1027	.013	Obfuscated Files or Information: Encrypted/Encoded File	KEYPLUG can use a hardcoded one-byte XOR encoded configuration file.^[1]
Enterprise	T1090		Proxy	KEYPLUG has used Cloudflare CDN associated infrastructure to redirect C2 communications to malicious domains.^[1]
Enterprise	T1124		System Time Discovery	KEYPLUG can obtain the current tick count of an infected computer.^[1]
Enterprise	T1102	.001	Web Service: Dead Drop Resolver	The KEYPLUG Windows variant has retrieved C2 addresses from encoded data in posts on tech community forums.^[1]

ID	Name	References
G0096	APT41	^[1]

ID	Name	Description
C0017	C0017	^[1]