The KeyBoys are back in town

02 November 2017

In our work as Threat Intelligence Analysts at PwC we spend a lot of time researching targeted attacks and advanced persistent threat (APT) actors, to provide our clients with valuable intelligence. We have recently uncovered a new campaign by a threat actor that has not been observed to be very active for almost a year, and which employs some rather interesting techniques.

Advanced persistent threat actors have been around for years, and as reports of them have appeared more frequently in news outlets, their numbers have only increased, whether they are nation-state backed groups or groups with a specific motivation or intent, such as FIN7, which is financially motivated.

In today’s blog post, we will be analysing the latest campaign by an attack group called KeyBoy. There have only been a few reports (Cisco, Rapid7) written about KeyBoy before, the last known public report being written by CitizenLab in November 2016. KeyBoy is believed by the industry to be a hacking group based in or operating from China, and is mainly engaged in espionage activity. In the past it has targeted organisations and individuals in Taiwan, Tibet, and the Philippines, but in its latest campaign KeyBoy appears to have expanded its targeting: it now appears to be going after mostly Western organisations, likely for corporate espionage purposes.

The malware that KeyBoy uses in its activity has a range of different capabilities once it has infected a device, including, but not limited to:

  • Taking screenshots;
  • Browsing and downloading files;
  • Gathering extended system information, e.g. on the operating system, disks, memory;
  • Shutting down and rebooting victim machines.

Discover more about KeyBoy in our report published here, which provides broader information about this particular threat actor and their latest campaign techniques, such as replacing legitimate Windows binaries with a copy of the malware. There are also more details of the persistence mechanism, as well as indicators, which you can use to search for any signs of intrusion into your systems.

PwC Threat Intelligence subscribers can refer to CTO-TIB-20171019-01A - KeyBoy's new toys, published in October 2017, for further details and the wider context to this activity. Any additional queries or requests can also be made to threatintelligence@uk.pwc.com and we will be happy to assist.

The full analysis and indicators of compromise can be found here.

Bart Parys | Threat Intelligence Analyst