Tinexta Cyber’s Yoroi team uncovered the KeyPlug modular backdoor used by APT41, detailing both Windows and Linux variants and its resilient, multi-protocol C2 capabilities, including WSS over Cloudflare CDN. The article also ties KeyPlug to broader APT41 activity and the ISOON leak, outlining its sophisticated in-memory execution, config decryption, and privilege-escalation techniques.
Keypoints
- APT41 (tracked under many aliases) is a Chinese-origin threat group conducting complex espionage and cybercrime campaigns targeting government, manufacturing, tech, media, education, and gaming sectors.
- Yoroi’s analysis identifies KEYPLUG as a modular backdoor active since at least June 2021 with both Windows and Linux variants.
- KEYPLUG supports multiple C2 protocols, including HTTP, TCP, KCP over UDP, and WebSocket Secure (WSS), often leveraging Cloudflare CDN to reach its C2.
- Windows KEYPLUG decrypts a pfm.ico payload via AES with hard-coded keys, then loads shellcode into memory using VirtualAlloc/VirtualProtect for execution.
- The malware uses a custom API-hashing scheme to dynamically resolve APIs, decrypts its configuration (XOR key 0x59), and stores the final payload in memory before execution.
- It performs system reconnaissance via WMIC to obtain OS/version info and installed security products, then communicates its findings to C2 using WSS, potentially via Cloudflare CDN proxies.
- Linux KEYPLUG appears more complex (it is protected with VMProtect) and uses the same WSS/C2 approach, with infrastructure referenced to mirrors.directtimber/buzz; a broader discussion of the ISOON leak suggests possible links to APT41.
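As an added illustration of the configuration-decoding step in the list above (this is not code from the Yoroi report): the report states that the configuration is XOR-encoded with the single byte 0x59. The blob below is constructed for the demonstration, and the "key=value;" layout is an assumption, not the real KEYPLUG config format. The key-recovery function goes beyond the page's specific case and shows how an analyst would rank candidate keys when the key is not yet known, by scoring each candidate decode on how string-like it looks.

```python
# Added example (not Yoroi's code): decode a single-byte XOR-encoded config
# blob and show how the key would be recovered if it were unknown.
# The page reports KEYPLUG's config is XOR-encoded with key 0x59; the blob
# below is constructed for the demo and its layout is an assumption.

PAGE_KEY = 0x59  # key reported in the Yoroi write-up

# Constructed plaintext imitating a C2 config (not a real KEYPLUG config)
_SAMPLE_CONFIG = b"proto=wss;host=c2.example.invalid;port=443;path=/ws\x00\x00\x00\x00"
SAMPLE_BLOB = bytes(b ^ PAGE_KEY for b in _SAMPLE_CONFIG)

# Bytes we expect in a string-heavy config: letters, digits, a few separators
# and NUL padding. Deliberately strict so that keys which merely flip case or
# map letters onto other punctuation do not score as well as the true key.
_GOOD = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 =;.:/-_") | {0}


def xor_decode(blob: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte of blob (XOR is its own inverse)."""
    return bytes(b ^ key for b in blob)


def score_plaintext(data: bytes) -> float:
    """Fraction of bytes that look like config text; 1.0 means every byte fits."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in _GOOD) / len(data)


def recover_xor_key(blob: bytes, min_score: float = 0.95) -> list[tuple[int, float]]:
    """Try all single-byte keys and return (key, score) pairs at or above
    min_score, best first. Key 0 is skipped because it leaves the blob unchanged."""
    candidates = []
    for key in range(1, 256):
        score = score_plaintext(xor_decode(blob, key))
        if score >= min_score:
            candidates.append((key, score))
    candidates.sort(key=lambda kv: kv[1], reverse=True)
    return candidates


def decode_config(blob: bytes, key: int) -> dict[str, str]:
    """Decode the blob with the given key and split the assumed 'k=v;k=v'
    layout into a dict; trailing NUL padding is dropped."""
    text = xor_decode(blob, key).rstrip(b"\x00").decode("ascii", errors="replace")
    return dict(item.split("=", 1) for item in text.split(";") if "=" in item)


if __name__ == "__main__":
    for key, score in recover_xor_key(SAMPLE_BLOB)[:3]:
        print(f"candidate key=0x{key:02x} score={score:.2f}")
    print(decode_config(SAMPLE_BLOB, PAGE_KEY))
```

On the constructed blob only 0x59 reaches a perfect score; on a real sample the scoring set should be tuned to whatever the analyst expects the config to contain (URLs, file paths, UTF-16 strings), and a known-plaintext check such as a fixed header is more reliable than character statistics alone.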
MITRE Techniques
- [T1047] Windows Management Instrumentation – Reconnaissance using WMIC to retrieve host information. Quote: “…through WMIC (Windows Management Instrumentation) call.”
- [T1082] System Information Discovery – Gather OS version and security software presence during reconnaissance. Quote: “…operating system version and installed anti-malware products…”
- [T1055] Process Injection – In-memory execution of shellcode after memory allocation and protection changes. Quote: “…allocates memory to store a shellcode directly in memory… using the VirtualAlloc API call. … modifies the memory protections to make it executable using the VirtualProtect API call.”
- [T1134] Access Token Manipulation – Privilege escalation by enabling SeDebugPrivilege. Quote: “The malware proceeds to enable the SeDebugPrivilege token.”
- [T1071.001] Web Protocols – C2 over WebSocket Secure (WSS) and other web protocols. Quote: “…communicates with the C2 through the abuse of CloudFlare’s Content Delivery Network (CDN) and via the WSS (WebSocket Secure) protocol.”
- [T1090] Proxy – Use of external proxies/CDN (Cloudflare) to reach the C2. Quote: “…abusing CloudFlare’s Content Delivery Network (CDN)…”
Indicators of Compromise
- [Hash] KeyPlug Windows samples – 87756cb5e33f7fb7c2229eb094f1208dbd510c9716b4428bfaf2dc84745b1542, 1408a28599ab76b7b50d5df1ed857b4365e3e4eb1a180f126efe4b8a5a597bc6
- [File] Decrypted pfm.ico path – C:\ProgramData\pfm.ico
- [Domain] chrome.down-flash[.]com
- [Domain] corsapi.devlopsform[.]com
- [IP] 45.204.1[.]248:55589
- [IP] 67.43.234[.]146:443