China-nexus Kivars Backdoor Uploaded from Taiwan

On February 22, 2025, MalwareHunterTeam reported a malicious DLL uploaded from Taiwan that loads a backdoor known as Kivars. The backdoor employs a custom RC4 encryption algorithm and connects to a command and control server. The DLL decrypts and loads the backdoor payload, which is capable of various malicious activities, including file manipulation and registry modifications.

Affected: DLLs, Malware, Cybersecurity, Command and Control Servers

Keypoints:

  • MalwareHunterTeam shared the detection of a malicious DLL uploaded from Taiwan.
  • The DLL has a hash value of 1286aa5c73cf2c8058c52271869a5727d71ca5bd4dd0854be970d2a25cb52bf8.
  • The backdoor is named Kivars and is attributed to a China-nexus threat actor.
  • A custom RC4 algorithm is used for the malware's decryption routines.
  • The backdoor connects to a command and control server at IP address 212.115.54[.]194.
  • Malicious activities include renaming files, creating directories, and executing processes.
  • The backdoor checks for certain security processes to evade detection.
  • The compile timestamp on the loader DLL indicates it is an old sample, dated December 25, 2019.
  • Potential registry modifications include storing encrypted configuration data under the HKLM registry hive.
  • The malware was uploaded to VirusTotal on the same day it was identified as malicious.

MITRE Techniques:

  • TA0001 – Initial Access: A malicious DLL is delivered to the system.
  • TA0040 – Command and Control: Establishes a connection to a command and control server (212.115.54[.]194).
  • TA0002 – Execution: Executes the decrypted payload using LoadLibrary and GetProcAddress.
  • TA0003 – Persistence: Creates a mutex (uni-web-4e9621f) to maintain its presence.
  • TA0005 – Data Manipulation: Renames files, deletes files, and performs various file operations.

Indicators of Compromise:

  • [Hash] 1286aa5c73cf2c8058c52271869a5727d71ca5bd4dd0854be970d2a25cb52bf8
  • [Hash] a0d1e9f6bf6b60c61a381575b319e9e219240200875f434f95320ba139c87be8
  • [Hash] ed0ecc33b01672523cc17b887fcd79210d5658e7a7e70dc0d9cd213762899f76
  • [Mutex] uni-web-4e9621f
  • [IP Address] 212.115.54[.]194

Full Story: https://dmpdump.github.io/posts/Kivars/