A hacker group known as KeyBoy, believed to be operating out of China, has resurfaced with a new campaign targeting various organisations in Western nations. The advanced persistent threat (APT) group has been active since 2013, previously targeting organisations in South East Asia. KeyBoy's new corporate espionage campaign makes use of specialised malware and phishing emails to spy on and steal from targets.
The hacker group's last known activity involved targeting the Tibetan parliament between August and October 2016. However, the KeyBoy hackers now appear to be back with a fresh campaign, shifting focus from targeting Asian organisations to Western entities.
According to security experts at PwC, who uncovered the hacker group's latest attacks, KeyBoy is making use of a spy malware, which comes with significant intrusive capabilities. The malware is capable of taking screenshots, has keylogging features and can browse and download the victims' files. In addition to this, the malware can also harvest extensive information about the targets' computers and even shut down infected systems.
The hackers send out phishing emails that lure victims into unknowingly letting them infect systems. Rather than delivering malicious macros or an exploit, the hackers abuse the DDE (Dynamic Data Exchange) protocol: the malicious Word document delivered by the phishing email prompts the victim to update the document's linked content. Once the victim accepts the update prompt, a malware dropper is served, and the malware is eventually installed on the target's PC.
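Because the DDE technique described above relies on a Word field instruction rather than a macro, a defender can triage incoming .docx attachments by inspecting the field codes inside the OOXML package. The following is an added example written for this page, not code from the article or from PwC; it assumes only the standard .docx layout (a zip whose `word/*.xml` parts hold `w:fldSimple` and `w:instrText` elements) and uses a constructed sample document with a placeholder instruction as test input. It joins the instruction text of every complex field across its runs before matching, so a `DDE`/`DDEAUTO` token split over several `w:instrText` runs is still reported.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace used by every field element in a .docx.
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Field instruction keywords that hand control to another application via DDE.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)

# Package parts that may carry fields (headers/footers are matched by prefix).
FIELD_PARTS = ("word/document.xml", "word/header", "word/footer",
               "word/footnotes.xml", "word/endnotes.xml", "word/comments.xml")


def field_instructions(xml_bytes):
    """Return every field instruction string found in one WordprocessingML part.

    Simple fields keep the instruction in <w:fldSimple w:instr="...">.
    Complex fields are split into runs between a fldChar 'begin' and its
    matching 'end'; the text of all <w:instrText> runs in that span is joined
    so a keyword broken across runs (e.g. 'DDE' + 'AUTO') still surfaces.
    """
    root = ET.fromstring(xml_bytes)
    found = [fld.get(f"{{{W_NS}}}instr")
             for fld in root.iter(f"{{{W_NS}}}fldSimple")
             if fld.get(f"{{{W_NS}}}instr")]
    depth, buf = 0, []
    for el in root.iter():  # document order
        if el.tag == f"{{{W_NS}}}fldChar":
            kind = el.get(f"{{{W_NS}}}fldCharType")
            if kind == "begin":
                if depth == 0:
                    buf = []
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    found.append("".join(buf))
        elif el.tag == f"{{{W_NS}}}instrText" and depth > 0:
            buf.append(el.text or "")
    return found


def scan_docx(data):
    """Scan .docx bytes; return (part name, normalised instruction) for each DDE field."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.startswith(FIELD_PARTS) and name.endswith(".xml")):
                continue
            for instr in field_instructions(zf.read(name)):
                if DDE_RE.search(instr):
                    hits.append((name, " ".join(instr.split())))
    return hits


def build_sample_docx(instr_runs):
    """Constructed test input: a minimal .docx whose body holds one complex
    field with its instruction text split across the given runs."""
    runs = "".join(
        f'<w:r><w:instrText xml:space="preserve">{t}</w:instrText></w:r>'
        for t in instr_runs)
    body = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
            '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
            f'{runs}'
            '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
            '<w:r><w:t>placeholder result</w:t></w:r>'
            '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
            '</w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # stub, not a real part
        zf.writestr("word/document.xml", body)
    return buf.getvalue()


if __name__ == "__main__":
    # Benign DATE field: no finding expected.
    print(scan_docx(build_sample_docx(['DATE \\@ "d MMMM yyyy"'])))
    # Placeholder DDEAUTO field split over two runs: one finding expected.
    print(scan_docx(build_sample_docx(
        ["DDE", "AUTO placeholder-application placeholder-topic"])))
```

Run it against a real attachment with `scan_docx(open(path, "rb").read())`; a non-empty result is a reason to detonate the file in a sandbox or block it, since ordinary business documents almost never carry DDE fields. The run-joining matters: matching each `w:instrText` element on its own would miss the split sample.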
According to PwC researchers, the KeyBoy hackers' new payload incorporates new techniques that involve replacing legitimate Windows binaries with a copy of their malware. KeyBoy's malware disables Windows File Protection, which in turn helps the hackers carry out their malicious activities under the radar.
It is still unclear what kind of organisations the KeyBoy hackers are targeting. It also remains uncertain whether the hacker group is a state-backed outfit or part of an organised cybercrime unit. Researchers say that the hackers have a "medium level of technical and operational know-how". Although the group has previously targeted organisations in Tibet, Taiwan and the Philippines, its current shift of focus towards Western entities may indicate a possible expansion of operations.