Chinese APT Group KeyBoy Targeting Western Organizations

PwC researchers recently observed a reemergence of malicious activity attributed to KeyBoy, a Chinese Advanced Persistent Threat (APT) group. KeyBoy previously targeted organizations in Southeast Asia, including members of the Tibetan parliament, as reported by CitizenLab in November 2016. However, a new malware campaign linked to the group was detected via files uploaded to VirusTotal, with analysts noting that the files appeared to originate from western organizations, suggesting a possible shift in targets.

KeyBoy's new campaign uses spear-phishing emails containing malicious documents designed to abuse the Dynamic Data Exchange (DDE) protocol, a legitimate feature of Microsoft Word. If the document is opened and the user permits it to retrieve data from the linked external source, a payload in the form of a DLL file is downloaded to the user's system using PowerShell, moved to the user's temp folder, and executed. This file, named InstallClient.dll, acts as a dropper and, after performing a series of system checks, downloads the final payload: a DLL file masquerading as the legitimate system file rasauto.dll. The final payload can perform the following actions on an infected system: take screenshots, determine the public WAN IP address, gather system information, shut down or reboot the system, launch interactive shells for communication, download and upload data, and hide C2 traffic using custom SSL libraries. Researchers believe that the purpose of this campaign is to conduct corporate espionage.

The NJCCIC recommends users and administrators review the PwC report and scan for the associated Indicators of Compromise (IoCs) provided in Appendix A to determine whether malicious activity attributed to KeyBoy has been observed within their networks.
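The infection chain above gives defenders three concrete things to look for: a Word document carrying a DDE or DDEAUTO field, Word spawning PowerShell, and a copy of rasauto.dll loaded from somewhere other than the Windows system directories. The following script is an added illustration of those checks, not code from the PwC report or the NJCCIC advisory. It builds a constructed minimal .docx in memory (with a placeholder field instruction rather than a real lure), parses the WordprocessingML field codes, and runs two simple rules over constructed Sysmon-style events; the Office application and script-host lists generalize slightly beyond the Word-plus-PowerShell chain described on the page, and all file paths are assumed examples.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Word field codes that invoke DDE: both "DDE" and "DDEAUTO" are accepted.
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)


def extract_field_instructions(document_xml: bytes) -> list[str]:
    """Return every field instruction string found in a WordprocessingML part."""
    root = ET.fromstring(document_xml)
    instructions = []
    # Simple fields keep the instruction in the w:instr attribute.
    for fld in root.iter(f"{{{W_NS}}}fldSimple"):
        instr = fld.get(f"{{{W_NS}}}instr")
        if instr:
            instructions.append(instr)
    # Complex fields spread it over w:instrText runs between a
    # fldChar "begin" and the matching "separate"/"end".
    current = None
    for el in root.iter():
        if el.tag == f"{{{W_NS}}}fldChar":
            kind = el.get(f"{{{W_NS}}}fldCharType")
            if kind == "begin":
                current = []
            elif kind in ("separate", "end") and current is not None:
                instructions.append("".join(current))
                current = None
        elif el.tag == f"{{{W_NS}}}instrText" and current is not None:
            current.append(el.text or "")
    return instructions


def find_dde_fields(docx_bytes: bytes) -> list[str]:
    """Scan all word/*.xml parts of a .docx and return the DDE field instructions."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                instrs = extract_field_instructions(zf.read(name))
            except ET.ParseError:
                continue
            found.extend(i.strip() for i in instrs if DDE_RE.search(i))
    return found


def build_sample_docx(field_instruction: str) -> bytes:
    """Constructed minimal .docx with one complex field (test fixture, not a real sample)."""
    doc = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        f'<w:r><w:instrText xml:space="preserve">{field_instruction}</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>placeholder</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()


# Process-chain rule: an Office application spawning a script host.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
SYSTEM_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed Sysmon-style process-creation events (assumed example paths).
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_office_children(events: list[dict]) -> list[dict]:
    """Events where an Office app is the parent of a script host."""
    return [e for e in events
            if _basename(e["parent"]) in OFFICE_APPS and _basename(e["image"]) in SCRIPT_HOSTS]


def is_masquerading_rasauto(dll_path: str) -> bool:
    """True when a file named rasauto.dll is loaded from outside the system directories."""
    norm = dll_path.replace("/", "\\").lower()
    directory = norm.rsplit("\\", 1)[0]
    return _basename(norm) == "rasauto.dll" and directory not in SYSTEM_DLL_DIRS


if __name__ == "__main__":
    print(find_dde_fields(build_sample_docx('DDEAUTO placeholder-app "placeholder-args"')))
    print(find_dde_fields(build_sample_docx('DATE \\@ "yyyy-MM-dd"')))
    print(suspicious_office_children(SAMPLE_EVENTS))
    print(is_masquerading_rasauto(r"C:\Users\alice\AppData\Local\Temp\rasauto.dll"))
```

The field-code parser reads the OOXML structure rather than grepping the raw XML because Word may split a field instruction across several instrText runs, which defeats a plain substring search; the process-chain and DLL-path rules are the kind of check that belongs in an EDR or Sysmon rule set alongside the IoCs in the PwC report's Appendix A.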
To reduce the risks associated with APTs and other cyber threats, organizations are strongly encouraged to implement a defense-in-depth cybersecurity strategy, employ the Principle of Least Privilege across all user accounts, and establish strong identity and access management controls, including multi-factor authentication.