Killua Backdoor

By GoldSparrow in Backdoors

Translate To:

Killua is a backdoor threat deployed by threat actors in a campaign against Kuwait organizations from the transportation and shipping industry. The threat is part of a custom-built toolkit with different threats being given names of characters from the popular manga and anime series 'Hunter x Hunter' - Sakabota, Hisoka, Gon, Killua and Netero.

Functionally, the Killua Backdoor represents an updated and modified version of the Hisoka backdoor. Unlike Hisoka, though, it was written in Visual C++ and not C#. Once inside the targeted computer, Killua injects its configuration to the system's Registry through the following Registry keys:

HKCU\Control Panel\International\_ID: <unique identifier>
HKCU\Control Panel\International\_EndPoint: "learn-service[.]com"
HKCU\Control Panel\International\_Resolver_Server: " "
HKCU\Control Panel\International\_Response: "180"
HKCU\Control Panel\International\_Step: "3"

The main goal of the threat is to establish communications with the Command-and-Control infrastructure of the hackers. To do so, Killua can only use DNS tunneling queries made by using its built-in 'nslookup' tool. The communication channel is initiated by Killua sending a beacon query that contains a unique ID as the subdomain representing the specific compromised system. The transferred data is first encrypted with XOR and then encoded with base64.

Killua looks for specific commands before it can initiate any additional functionality. The commands it recognizes are –R, -doer, -S, -status, -change, -id, -resolver, -help.

Enigma Software Group Prevails Over Malwarebytes at the Ninth Circuit

Search

Change Region

Killua Backdoor

Submit Comment

Trending

'YouPorn' Email Scam

Safe Search Eng

Findtheirreport.com

Most Viewed

Is Lookmovie.io Safe?

How To Fix 'Printer Driver is Unavailable' Error

Discord Shows Black Screen when Sharing Screen