Killua Backdoor

Killua Backdoor Description

Killua is a backdoor deployed by threat actors in a campaign against Kuwaiti organizations in the transportation and shipping industries. It is part of a custom-built toolkit whose components are named after characters from the popular manga and anime series 'Hunter x Hunter': Sakabota, Hisoka, Gon, Killua and Netero.

Functionally, the Killua Backdoor is an updated and modified version of the Hisoka backdoor, but unlike Hisoka it is written in Visual C++ rather than C#. Once on the targeted computer, Killua stores its configuration in the Registry as the following values under the HKCU\Control Panel\International key (value names, not subkeys; Windows does not create underscore-prefixed values there by default):

  • HKCU\Control Panel\International\_ID: <unique identifier>
  • HKCU\Control Panel\International\_EndPoint: "learn-service[.]com"
  • HKCU\Control Panel\International\_Resolver_Server: " "
  • HKCU\Control Panel\International\_Response: "180"
  • HKCU\Control Panel\International\_Step: "3"
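As an added hunting example (not code from this page or from any published analysis of Killua), the following Python parses the text that `reg query "HKCU\Control Panel\International"` prints on a Windows host and flags the value names listed above. The sample output is constructed: the value names and the endpoint domain come from the list, while the locale values and the identifier data are made up.

```python
import re
from typing import Dict, Tuple

# Value names Killua writes under HKCU\Control Panel\International (from the page).
KILLUA_VALUES = {"_ID", "_EndPoint", "_Resolver_Server", "_Response", "_Step"}
# Endpoint from the _EndPoint value on the page (written de-fanged there).
KILLUA_C2 = "learn-service.com"

# Constructed sample of `reg query "HKCU\Control Panel\International"` output
# on an infected host. Columns are separated by runs of spaces, as reg.exe prints them.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Control Panel\International
    Locale    REG_SZ    00000409
    LocaleName    REG_SZ    en-US
    sCountry    REG_SZ    United States
    _ID    REG_SZ    a1b2c3d4
    _EndPoint    REG_SZ    learn-service.com
    _Resolver_Server    REG_SZ
    _Response    REG_SZ    180
    _Step    REG_SZ    3
"""

# Constructed sample of the same key on a clean host.
CLEAN_REG_QUERY = r"""
HKEY_CURRENT_USER\Control Panel\International
    Locale    REG_SZ    00000409
    LocaleName    REG_SZ    en-US
    sCountry    REG_SZ    United States
"""


def parse_reg_query(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse reg query output for one key into {value_name: (type, data)}."""
    values = {}
    for line in text.splitlines():
        if not line.startswith(" "):
            continue  # key path header or blank line, not a value row
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) < 2 or not parts[1].startswith("REG_"):
            continue
        name, vtype = parts[0], parts[1]
        data = parts[2] if len(parts) == 3 else ""  # empty data, e.g. _Resolver_Server
        values[name] = (vtype, data)
    return values


def hunt_killua_config(values: Dict[str, Tuple[str, str]]) -> dict:
    """Return the Killua indicators found in the parsed key; empty dict if clean."""
    findings = {}
    present = KILLUA_VALUES.intersection(values)
    if present:
        findings["killua_values"] = sorted(present)
    # Other underscore-prefixed values in this key are still worth a look:
    # a later build could rename them.
    extra = sorted(n for n in values if n.startswith("_") and n not in KILLUA_VALUES)
    if extra:
        findings["other_underscore_values"] = extra
    endpoint = values.get("_EndPoint", ("", ""))[1].strip().lower()
    if endpoint:
        findings["endpoint"] = endpoint
        findings["known_c2"] = endpoint == KILLUA_C2
    return findings


if __name__ == "__main__":
    for label, text in (("infected", SAMPLE_REG_QUERY), ("clean", CLEAN_REG_QUERY)):
        print(label, hunt_killua_config(parse_reg_query(text)) or "no indicators")
```

To use it against a live host, capture the output of `reg query "HKCU\Control Panel\International"` for each user profile of interest and pass it to `parse_reg_query`; the values live in the per-user hive, so a check run only as the local administrator will miss an infection in another user's session.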

The threat's main goal is to establish communication with the attackers' Command-and-Control infrastructure. Killua's only channel for this is DNS tunneling: it issues its DNS queries through the built-in 'nslookup' tool. The channel is initiated by a beacon query whose subdomain carries a unique ID identifying the compromised system. Data transferred over the channel is first XOR-encrypted and then base64-encoded. Because every query carries the configured endpoint as its suffix, DNS query logs are the place to look for this traffic.
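The beacon encoding described above, as an added example that is not Killua's own code: a model of the scheme (XOR, then base64, placed as the subdomain of the configured endpoint), the matching decoder, and a detector run over a constructed DNS query log. The XOR key `hxh`, the URL-safe base64 alphabet with padding stripped, the splitting into 63-character labels and the tab-separated log format are assumptions made for the demonstration; only the endpoint domain and the XOR-then-base64 order come from the page.

```python
import base64
from itertools import cycle
from typing import List, Optional, Tuple

# C2 endpoint from the _EndPoint value on this page (written de-fanged there).
C2_DOMAIN = "learn-service.com"
# Assumed XOR key for the demonstration; the page does not give Killua's real key.
ASSUMED_KEY = b"hxh"
MAX_LABEL = 63  # RFC 1035 limit on a single DNS label


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode_beacon(victim_id: str, key: bytes = ASSUMED_KEY) -> str:
    """Build a beacon query name: XOR the ID, base64 it, place it as the subdomain.

    Assumption: URL-safe base64 with padding stripped, so every character is a
    legal DNS label character. The page only says "base64"; the exact alphabet
    Killua uses is not documented there.
    """
    b64 = base64.urlsafe_b64encode(xor_bytes(victim_id.encode(), key)).decode()
    b64 = b64.rstrip("=")
    labels = [b64[i:i + MAX_LABEL] for i in range(0, len(b64), MAX_LABEL)]
    return ".".join(labels + [C2_DOMAIN])


def decode_beacon(qname: str, key: bytes = ASSUMED_KEY) -> Optional[str]:
    """Recover the victim ID from a query name under the C2 domain, or None.

    Case is preserved deliberately: base64 is case-sensitive, and stub resolvers
    forward the query name as the client wrote it.
    """
    qname = qname.rstrip(".")
    suffix = "." + C2_DOMAIN
    if not qname.lower().endswith(suffix):
        return None
    sub = qname[:-len(suffix)].replace(".", "")
    if not sub:
        return None
    sub += "=" * (-len(sub) % 4)  # restore the padding that was stripped
    try:
        plain = xor_bytes(base64.urlsafe_b64decode(sub), key)
        return plain.decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed DNS query log (Zeek-style columns: ts, client, query), not real traffic.
SAMPLE_DNS_LOG = "\n".join([
    "1581000000.1\t10.0.0.15\twww.microsoft.com",
    "1581000001.2\t10.0.0.15\t" + encode_beacon("WS-KW-0042"),
    "1581000002.3\t10.0.0.22\tlearn-service.com",
    "1581000003.4\t10.0.0.15\tupdates.example.org",
])


def find_beacons(log_text: str, key: bytes = ASSUMED_KEY) -> List[Tuple[str, str, Optional[str]]]:
    """Flag every query for the C2 domain or a name under it.

    The domain suffix is the reliable indicator; the decoded ID only works when
    the key is known, so a hit is recorded even when decoding returns None.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue
        _ts, client, qname = parts
        name = qname.rstrip(".").lower()
        if name == C2_DOMAIN or name.endswith("." + C2_DOMAIN):
            hits.append((client, qname, decode_beacon(qname, key)))
    return hits


if __name__ == "__main__":
    for client, qname, victim in find_beacons(SAMPLE_DNS_LOG):
        print(f"{client} -> {qname}  victim_id={victim}")
```

Without the real key the decoder only confirms that a subdomain is well-formed base64; the match on the endpoint domain is what should drive an alert, and the decoded ID is extra context for scoping which hosts are affected.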

Killua takes no further action until it receives a command it recognizes. The commands it recognizes are -R, -doer, -S, -status, -change, -id, -resolver and -help.
