
Heyoka Backdoor

Heyoka Backdoor is a custom backdoor, based on the Heyoka open source exfiltration tool, that has been used by Aoqin Dragon since at least 2013.[1][2]

ID: S1027
Type: MALWARE
Platforms: Windows
Contributors: Hiroki Nagahama, NEC Corporation; Pooja Natarajan, NEC Corporation India; Manikantan Srinivasan, NEC Corporation India
Version: 1.1
Created: 25 July 2022
Last Modified: 11 April 2024

Techniques Used

Domain | ID | Name | Use

Enterprise | T1071.004 | Application Layer Protocol: DNS

Heyoka Backdoor can use DNS tunneling for C2 communications.[1]

Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Heyoka Backdoor can establish persistence with the auto start function, including using the value EverNoteTrayUService.[1]

Enterprise | T1140 | Deobfuscate/Decode Files or Information

Heyoka Backdoor can decrypt its payload prior to execution.[1]

Enterprise | T1083 | File and Directory Discovery

Heyoka Backdoor has the ability to search the compromised host for files.[1]

Enterprise | T1070.004 | Indicator Removal: File Deletion

Heyoka Backdoor has the ability to delete folders and files from a targeted system.[1]

Enterprise | T1680 | Local Storage Discovery

Heyoka Backdoor can enumerate drives on a compromised host.[1]

Enterprise | T1036.004 | Masquerading: Masquerade Task or Service

Heyoka Backdoor has been named srvdll.dll to appear as a legitimate service.[1]

Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File

Heyoka Backdoor can encrypt its payload.[1]

Enterprise | T1120 | Peripheral Device Discovery

Heyoka Backdoor can identify removable media attached to victims' machines.[1]

Enterprise | T1057 | Process Discovery

Heyoka Backdoor can gather process information.[1]

Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection

Heyoka Backdoor can inject a DLL into rundll32.exe for execution.[1]

Enterprise | T1572 | Protocol Tunneling

Heyoka Backdoor can use spoofed DNS requests to create a bidirectional tunnel between a compromised host and its C2 servers.[1]

Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32

Heyoka Backdoor can use rundll32.exe to gain execution.[1]

Enterprise | T1007 | System Service Discovery

Heyoka Backdoor can check if it is running as a service on a compromised host.[1]

Enterprise | T1204.002 | User Execution: Malicious File

Heyoka Backdoor has been spread through malicious document lures.[1]
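The DNS tunneling (T1071.004) and protocol tunneling (T1572) entries above describe C2 carried in DNS queries. The following is an added detection example, not code from the ATT&CK page or the Heyoka project: a heuristic that flags registered domains receiving repeated long, high-entropy subdomain queries, run over constructed resolver log lines (the log format, the `.test` placeholder domain and the thresholds are assumptions).

```python
"""Heuristic DNS-tunneling detector over constructed resolver log lines.
Assumed log format: "<epoch> <client_ip> <qname> <qtype>", one query per line."""
import math
from collections import Counter, defaultdict

# Constructed sample: benign lookups plus a burst of long, random-looking
# subdomains under one domain, the shape a DNS tunnel produces on the wire.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000001 10.0.0.5 mail.example.com MX
1700000002 10.0.0.7 zx9f3kq2m7vb1l4p8n0t5w.6hj2r8dq4s1y7ab3.c2-placeholder.test TXT
1700000002 10.0.0.7 q7w2e9r4t1y6u3i8o5p0a2.s4d7f1g9h3j6k2l5.c2-placeholder.test TXT
1700000003 10.0.0.7 m1n8b3v6c2x9z4l7k0j5h3.g6f2d8s1a4p7o3i9.c2-placeholder.test TXT
1700000003 10.0.0.7 u5y2t8r1e7w3q9a4s6d0f2.g3h7j1k5l9z2x6c4.c2-placeholder.test TXT
1700000004 10.0.0.5 cdn.example.com A
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Crude eTLD+1: the last two labels (no public-suffix list in this example)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_tunnel_candidates(log_text, min_queries=3, min_sublen=30, min_entropy=3.5):
    """Return {registered_domain: count} for domains that received at least
    min_queries queries whose subdomain part is long and high-entropy."""
    per_domain = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing on them
        qname = parts[2].rstrip(".")
        base = registered_domain(qname)
        # Everything left of the registered domain is the attacker-controlled part.
        sub = qname[: -len(base) - 1] if len(qname) > len(base) else ""
        per_domain[base].append(sub)
    flagged = {}
    for base, subs in per_domain.items():
        hits = [s for s in subs
                if len(s) >= min_sublen and shannon_entropy(s.replace(".", "")) >= min_entropy]
        if len(hits) >= min_queries:
            flagged[base] = len(hits)
    return flagged
```

Length and entropy alone produce false positives on CDN and anti-spam lookups, so in practice the per-domain count and client fan-out are what make the signal usable.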

Groups That Use This Software

ID | Name | References

G1007 | Aoqin Dragon | [1]

References

