Killua Backdoor Description
Killua is a backdoor deployed by threat actors in a campaign against Kuwaiti organizations in the transportation and shipping industry. It is part of a custom-built toolkit whose components are named after characters from the popular manga and anime series 'Hunter x Hunter': Sakabota, Hisoka, Gon, Killua and Netero.
Functionally, the Killua backdoor is an updated and modified version of the Hisoka backdoor. Unlike Hisoka, however, it is written in Visual C++ rather than C#. Once on the targeted computer, Killua stores its configuration in the Registry under the following values:
- HKCU\Control Panel\International\_ID: <unique identifier>
- HKCU\Control Panel\International\_EndPoint: "learn-service[.]com"
- HKCU\Control Panel\International\_Resolver_Server: ""
- HKCU\Control Panel\International\_Response: "180"
- HKCU\Control Panel\International\_Step: "3"
The main goal of the threat is to establish communication with the attackers' Command-and-Control infrastructure. Killua does this exclusively through DNS tunneling, issuing its queries with the built-in 'nslookup' tool. The channel is initiated by a beacon query in which a unique ID, used as the subdomain, identifies the specific compromised system. Transferred data is first XOR-encrypted and then base64-encoded.
Killua waits for specific commands before initiating any additional functionality. The commands it recognizes are -R, -doer, -S, -status, -change, -id, -resolver and -help.
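A defender-side check for the Registry artifacts listed above, added here as an example and not code from the original report: it inspects the 'Control Panel\International' key of every loaded user hive for the five value names Killua uses and reports any match. The only assumptions are the key path and value names given above; the function name Find-KilluaRegistryConfig is made up for this example.

```powershell
# Value names the Killua configuration uses (taken from the list above).
$KilluaValueNames = @('_ID', '_EndPoint', '_Resolver_Server', '_Response', '_Step')

function Find-KilluaRegistryConfig {
    param(
        # Names to look for under each hive's Control Panel\International key.
        [string[]] $ValueNames = $KilluaValueNames
    )
    # Expose HKEY_USERS as a drive so every loaded profile hive can be walked,
    # not just the HKCU of the account running this script.
    if (-not (Test-Path 'HKU:\')) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $findings = @()
    # Each loaded profile appears as HKU\<SID>; the *_Classes hives hold no
    # Control Panel settings and are skipped.
    $hives = Get-ChildItem 'HKU:\' | Where-Object { $_.PSChildName -notlike '*_Classes' }
    foreach ($hive in $hives) {
        $keyPath = "HKU:\$($hive.PSChildName)\Control Panel\International"
        if (-not (Test-Path $keyPath)) { continue }
        $key = Get-Item $keyPath -ErrorAction SilentlyContinue
        if ($null -eq $key) { continue }
        $present = $key.GetValueNames()
        foreach ($name in $ValueNames) {
            if ($present -contains $name) {
                $findings += [pscustomobject]@{
                    Hive  = $hive.PSChildName
                    Name  = $name
                    Value = $key.GetValue($name)
                }
            }
        }
    }
    return $findings
}

$hits = Find-KilluaRegistryConfig
if ($hits.Count -eq 0) {
    Write-Output 'No Killua configuration values found under HKU\*\Control Panel\International.'
} else {
    # Any hit is worth triage: the _EndPoint value names the DNS domain
    # Killua tunnels to, and _ID is the beacon subdomain for this host.
    $hits | Format-Table -AutoSize
}
```

Run it from an elevated session so that hives of other logged-on users are readable; a non-elevated run still covers the current user's own HKCU.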