1. Home
  2. Software
  3. KGH_SPY

KGH_SPY

KGH_SPY is a modular suite of tools used by Kimsuky for reconnaissance, information stealing, and backdoor capabilities. KGH_SPY derived its name from PDB paths and internal names found in samples containing "KGH".[1]

ID: S0526
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 06 November 2020
Last Modified: 11 April 2024
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1555 从密码存储中获取凭证

KGH_SPY can collect credentials from WINSCP.[1]
.003 Credentials from Web Browsers

KGH_SPY has the ability to steal data from the Chrome, Edge, Firefox, Thunderbird, and Opera browsers.[1]
.004 Windows Credential Manager

KGH_SPY can collect credentials from the Windows Credential Manager.[1]
Enterprise T1005 从本地系统获取数据

KGH_SPY can send a file containing victim system information to C2.[1]
Enterprise T1036 .005 伪装: Match Legitimate Name or Location

KGH_SPY has masqueraded as a legitimate Windows tool.[1]
Enterprise T1140 反混淆/解码文件或信息

KGH_SPY can decrypt encrypted strings and write them to a newly created folder.[1]
Enterprise T1037 .001 启动或登录初始化脚本: Logon Script (Windows)

KGH_SPY has the ability to set the HKCU\Environment\UserInitMprLogonScript Registry key to execute logon scripts.[1]
Enterprise T1059 .001 命令与脚本解释器: PowerShell

KGH_SPY can execute PowerShell commands on the victim's machine.[1]
.003 命令与脚本解释器: Windows Command Shell

KGH_SPY has the ability to set a Registry key to run a cmd.exe command.[1]
Enterprise T1071 .001 应用层协议: Web Protocols

KGH_SPY can send data to C2 with HTTP POST requests.[1]
Enterprise T1074 .001 数据分段: Local Data Staging

KGH_SPY can save collected system information to a file named "info" before exfiltration.[1]
Enterprise T1083 文件和目录发现

KGH_SPY can enumerate files and directories on a compromised host.[1]
Enterprise T1027 .013 混淆文件或信息: Encrypted/Encoded File

KGH_SPY has used encrypted strings in its installer.[1]
Enterprise T1204 .002 用户执行: Malicious File

KGH_SPY has been spread through Word documents containing malicious macros.[1]
Enterprise T1114 .001 电子邮件收集: Local Email Collection

KGH_SPY can harvest data from mail clients.[1]
Enterprise T1082 系统信息发现

KGH_SPY can collect drive information from a compromised host.[1]
Enterprise T1518 软件发现

KGH_SPY can collect information on installed applications.[1]
Enterprise T1105 输入工具传输

KGH_SPY has the ability to download and execute code from remote servers.[1]
Enterprise T1056 .001 输入捕获: Keylogging

KGH_SPY can perform keylogging by polling the GetAsyncKeyState() function.[1]
Enterprise T1041 通过C2信道渗出

KGH_SPY can exfiltrate collected information from the host to the C2 server.[1]

Groups That Use This Software

ID Name References
G0094 Kimsuky

[1]

References

  1. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.