# Delivery (Key)Boy

**alienvault.com/blogs/labs-research/delivery-keyboy**

[1. AT&T Cybersecurity](https://cybersecurity.att.com/)
[2. Blog](https://cybersecurity.att.com/blogs)

October 8, 2018 | [Chris Doman](https://www.alienvault.com/blogs/author/chris-doman)

## Introduction

Below we’ve outlined the delivery phase of some recent attacks by KeyBoy, a group of attackers
[believed to operate out of China. They were first identified in 2013 targeting governments and](https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/)
NGOs in South East Asia. Their primary targeting continues to this day, though they have also been
[known to target more diverse victims such as the energy sector.](https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/)

## Malware Delivery through Open Source Exploit Kits

[KeyBoy sent the following email to India's](https://www.virustotal.com/#/file/91dfd19376574039bc80f3af5de341dd8927993ceb5dbb269c375c150a2c3e20/detection) [Ambassador to Ethiopia from an email address at nic[.]in,](http://indembassyeth.in/list-officers)
India's National Informatics Centre.


-----

The file [f43f60b62002d0700ccbcbd9334520b6](https://www.virustotal.com/#/file/91dfd19376574039bc80f3af5de341dd8927993ceb5dbb269c375c150a2c3e20/detection)

[The attached malicious document downloads and executes a script that installs the final payload:](https://www.hybrid-analysis.com/sample/90499b87dbf34b01b7a899fff943d6d5462e8ef6a42aabd0449c99205302440e/5b079ba17ca3e129ad12a80e)

[This script contains text (eg; “” ) which matches a pre-packed version of the popular CVE-2017-](https://github.com/bhdresh/CVE-2017-0199)
0199 exploit available on GitHub.


-----

[We ve seen other malicious documents where KeyBoy have tested another exploit generator. In](https://www.virustotal.com/en/file/5237f270c2909eb5d851633f92eb067db4a1d1b91fb80890863fa0e8a2f8d33c/analysis/)
that case KeyBoy didn’t change the default settings so the document meta-data provides some
obvious hints that the document is malicious:

## Delivered Malware

The [next stage in these attacks is typically a malware family known as TSSL. This malware](https://www.virustotal.com/#/file/fdb85d3f08eb70f0d2171d8bd348574139f63f31a788d2ff1b2a28aca6066345/details)
[originally identified by PwC and more recently described by Trend Micro and](https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html) [CitizenLab.](https://citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces/)

Most samples are built on the attackers machine from the location:

D:Work...

[Though the build path of a recent sample seems to indicate the attackers are having problems](https://www.virustotal.com/#/file/d910c9c20092051783764f4548f66ca6106259ee9a74545c8146b0475cfb80b7/detection)
bypassing Symantec antivirus, and is built from:

C:UsersCN_ideDesktopTSSL_v3.2.7_BypassSymantec_20180528TClientReleaseFakeRun.pdb

## Delivering Android Malware

We’ve also noted continued infections of the Titan Android malware associated with Keyboy,
[originally identified by LookOut. The source of the files that we have managed to identify is old - and](https://blog.lookout.com/titan-mobile-threat)
seems to date back to a user named Textplus0012 posting malicious APK files on a Taiwanese site
(apk.tw) for downloading Android applications:


-----

_The user textplus0012 on apk.tw_

This user stopped posting the malicious files in 2015. It is unclear where samples of Titan were
delivered from after this.

## Detection

**AlienVault Agent Detections**

The AlienVault Agent is a lightweight, adaptable endpoint agent based on osquery and maintained
by AlienVault.

The AlienVault Agent detects the following malicious activity during the attacks:

Suspicious Process Created by Microsoft Office Application
Powershell Process Created by Scripting Executable
Suspicious PowerShell Arguments
PowerShell process with suspicious arguments and network activity

**Network Detection**

ETPRO INFO DYNAMIC_DNS Query to a *.dynamic-dns.net Domain

## Appendix

[A concise set of indicators are included below, a fuller list is available in the OTX Pulse.](https://otx.alienvault.com/pulse/5bba47571421cb4ed8b6630b)

**File-Hashes**

91dfd19376574039bc80f3af5de341dd8927993ceb5dbb269c375c150a2c3e20


-----

831c3c40cc3fbc28b1ce1eca6bf278602c088f0580d6bdf324ef949c7d48a707

c6c3678d8e6f715eda700eec776f75d1b733cab9757813cff4e206581ed8349f

f83562853dc530a609ed866b375ac725599d7a927281e9d6f2e46f481e3eb292

Fdb85d3f08eb70f0d2171d8bd348574139f63f31a788d2ff1b2a28aca6066345

bf5ee65c6f9523923f6da2eead2a01698857d5fecae661a109b81409c18c0b6b

7bf4fd019411075a5d98cf966516af3ddb7b007c1b9146c264ce2e4a1572e5e8

**Domains from recent campaigns**

muonline.dns04[.]com

microword.itemdb[.]com

office.otzo[.]com

moffice.mrface[.]com

offlce.dnset[.]com

microsoftofice.zyns[.]com

online.ezua[.]com

[mutecider[.]com - See report by ClearSkySec](https://twitter.com/ClearskySec/status/1015362483752718337)

alibabacloud.zzux[.]com

alibabacloud.wikaba[.]com

alibabacloud.dynamic-dns[.]net

bookmarklies[.]com

manager-goog1e[.]com

hellomyanmar[.]info

**URLs**

http://moffice.mrface[.]com/office.sct

http://offlce.dnset[.]com/office.sct

**Yara Rules**


-----

```
rule keyboy_mobile_titan
{
  meta:
    author = "AlienVault Labs"
    copyright = "Alienvault Inc. 2018"
    license = "Apache License, Version 2.0"
    sha256 = "5acc64f814cc06db5e5cc56784607ddfa95e3e45170002a210c807857d48a1b0"
    strings:
       $string_1 = "titans.action.GLOBAL_ACTION"
       $string_2 = "titans.action.LOCATION_ACTION"
       $string_3 = "titans.action.PHONE_RECORD_ACTION"
    condition:
    all of them
}
rule keyboy_document_ppsx_sct
{
  meta:
    author = "AlienVault Labs"
    copyright = "Alienvault Inc. 2018"
    license = "Apache License, Version 2.0"
    description = "Matches on compressed sub-file"
    sha256 = "831c3c40cc3fbc28b1ce1eca6bf278602c088f0580d6bdf324ef949c7d48a707"
    strings:
       $string_1 = "script:http://"
       $string_2 = ".sct" TargetMode="External"/>"
    condition:
    any of them
}

```
[Additional Yara rules are available from Citizen Lab and](https://github.com/citizenlab/malware-indicators/blob/master/201611_KeyBoy/keyboy.yar) [Florian Roth.](https://github.com/Neo23x0/signature-base/blob/master/yara/apt_keyboys.yar)


-----

### Share this with others

Tags: [malware,](https://www.alienvault.com/blogs/tag/malware) [malware research,](https://www.alienvault.com/blogs/tag/malware+research) [malware delivery,](https://www.alienvault.com/blogs/tag/malware+delivery) [keyboy](https://www.alienvault.com/blogs/tag/keyboy)


-----