Keyhole is a multi-functional VNC/Backconnect component used extensively by IcedID/Anubis, expanding beyond typical backconnect tools. It loads a decoded core module, retrieves system information, hijacks browser profiles, injects into explorer.exe, and supports diverse C2 and data exfiltration behaviors. Hashtags: #Keyhole #IcedID #Anubis #VNC #Backconnect

Keypoints

  • Keyhole is a multi-functional VNC/Backconnect component used by IcedID/Anubis.
  • The loader decodes and loads a core module from an encoded blob, using a 256-byte key/swapping scheme.
  • The core module configures C2 communications (including a C2 address and port 8080).
  • Core capabilities include system information collection, VNC/HDESK/backconnect, browser profile hijacking, and registry/command-line manipulation.
  • Browser manipulation includes copying user data, editing profiles, and launching browsers with special command-line flags.
  • Keyhole can inject into explorer.exe and manipulate browser launch via NtCreateUserProcess and other techniques.
  • It enumerates networks (servers/shares), uses LDAP queries, and can retrieve files from infected systems (up to ~33 MB).

MITRE Techniques

  • [T1021.005] VNC – Remote Services – Keyhole operates as a VNC/Backconnect component to control hosts. “Keyhole is a multi-functional VNC/Backconnect component used extensively by IcedID/Anubis.”
  • [T1059.001] PowerShell – Command-Line / Scripting – The actor uses console commands via PowerShell. “Console command detonation via cmd.exe or powershell”
  • [T1059.003] Windows Command Shell – Command-Line – The same console command execution context via cmd.exe. “Console command detonation via cmd.exe or powershell”
  • [T1055] Process Injection – Multiple methods of injecting explorer.exe. “Multiple methods of injecting explorer.exe”
  • [T1082] System Information Discovery – Collect system information. “Collect system information”
  • [T1046] Network Service Scanning – Enumerating servers and shares in network. “Enumerating servers and shares in network”
  • [T1018] Remote System Discovery – LDAP queries and directory enumeration. “LDAP queries”
  • [T1041] Exfiltration Over C2 Channel – C2 communications configuration and usage. “the values that will be used for C2 communications”
  • [T1125] Video Capture – Taking pictures with webcam. “Taking pictures with webcam”
  • [T1123] Audio Capture – Turning on microphone in registry for apps. “Turning on microphone in registry for apps”
  • [T1112] Modify Registry – Registry manipulation to facilitate browser and app changes. “registry manipulation”
  • [T1555.003] Credentials in Web Browsers – Hijacking browser profiles. “Hijacking browser profiles”

Indicators of Compromise

  • [IPv4] – 91.238.50.101 – C2 address referenced within the decoded config values
  • [Port] – 8080 – C2 port indicated in the config/values
  • [File hash] – 74aa61cc1157529fb98b757fb879616ffc2b54e4d4ff08c9b9d5b6dcec868c2a – Sample SHA-256 hash listed in the source article's IoCs
  • [File name] – explorer.exe – Recurrent reference in core/module strings and browser manipulation context
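The indicators above are only useful once they are matched against telemetry. The following is an added example (not code from the Walmart Global Tech article) that runs the two high-confidence indicators, the C2 address/port pair and the sample hash, over a handful of constructed log lines. The key=value log layout, the field names and every log line are assumptions made for the example; the IoC values themselves come from the list above. The example deliberately treats port 8080 on its own as noise and only alerts when it is paired with the C2 address.

```python
import re
from typing import List, Tuple

# Indicators from the summary above (C2 address, C2 port, sample SHA-256).
C2_IP = "91.238.50.101"
C2_PORT = 8080
SAMPLE_SHA256 = "74aa61cc1157529fb98b757fb879616ffc2b54e4d4ff08c9b9d5b6dcec868c2a"

# Constructed sample log lines for the example; not taken from any real
# environment. The key=value schema is an assumption; adapt the regexes to
# whatever your proxy / EDR actually emits.
SAMPLE_LOGS = [
    "2024-05-01T09:12:03Z type=conn src=10.0.0.15 dst=93.184.216.34:443 bytes=5120",
    "2024-05-01T09:12:07Z type=conn src=10.0.0.15 dst=91.238.50.101:8080 bytes=812",
    "2024-05-01T09:12:08Z type=conn src=10.0.0.22 dst=10.0.0.1:8080 bytes=300",
    "2024-05-01T09:13:40Z type=proc image=C:\\Users\\u\\AppData\\Local\\Temp\\a.dll "
    "sha256=74aa61cc1157529fb98b757fb879616ffc2b54e4d4ff08c9b9d5b6dcec868c2a parent=explorer.exe",
    "2024-05-01T09:13:41Z type=proc image=C:\\Windows\\explorer.exe "
    "sha256=0000000000000000000000000000000000000000000000000000000000000000 parent=winlogon.exe",
]

# dst=<ipv4>:<port> as written in the constructed connection records
CONN_RE = re.compile(r"\bdst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\b")
# sha256=<64 hex chars> as written in the constructed process records
HASH_RE = re.compile(r"\bsha256=(?P<hash>[0-9a-fA-F]{64})\b")


def match_c2_connection(line: str) -> bool:
    """True only when BOTH the C2 address and the C2 port match.

    Port 8080 alone is far too common to alert on; the address is what
    carries the signal, the port just tightens it.
    """
    m = CONN_RE.search(line)
    if not m:
        return False
    return m.group("ip") == C2_IP and int(m.group("port")) == C2_PORT


def match_sample_hash(line: str) -> bool:
    """True when the record carries the known sample hash (case-insensitive)."""
    m = HASH_RE.search(line)
    return bool(m) and m.group("hash").lower() == SAMPLE_SHA256


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_index, reason) for every line that matches an indicator."""
    hits: List[Tuple[int, str]] = []
    for idx, line in enumerate(lines):
        if match_c2_connection(line):
            hits.append((idx, "c2_connection"))
        if match_sample_hash(line):
            hits.append((idx, "known_sample_hash"))
    return hits


if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_LOGS):
        print(f"line {idx}: {reason}: {SAMPLE_LOGS[idx]}")
```

Running it flags the connection to 91.238.50.101:8080 and the process record carrying the sample hash, while the internal 10.0.0.1:8080 connection is left alone. In a real deployment the hash match belongs on file-creation or process-creation telemetry and the address match on proxy, firewall or NetFlow records; keep the two indicators in separate rules so that a change of C2 infrastructure does not silently disable the hash detection.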

Read more: https://medium.com/walmartglobaltech/keyhole-analysis-60302922aa03