KeyPlug is a modular backdoor used by APT41 (also tracked as Grayfly) against Windows and Linux systems. It gives the operators remote control over compromised hosts and has been used for espionage since at least June 2021.
KeyPlug is delivered through spear-phishing emails carrying malicious attachments or links. The emails often reference current events or impersonate a trusted sender to persuade the victim. When the attachment is opened or the link is followed, the malware is installed and the attackers gain a foothold on the system.
Technical Capabilities
Once executed, KeyPlug gives the operators remote access to the host. It can reach its command-and-control (C2) servers over several transports: HTTP, WebSocket over TLS (WSS), raw TCP, and KCP over UDP. It relies on encryption and obfuscation to hinder detection and analysis, for example TLS-encrypted WebSocket traffic and an encoded configuration. Because the implant can switch transports, network detection should not depend on any single protocol; in particular, KCP over UDP is rarely seen in ordinary enterprise traffic and is worth hunting for on its own.
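KCP over UDP is the transport on that list that is least common in enterprise traffic, which makes it a useful hunting pivot. The following Python is an added example written for this page, not KeyPlug's code and not a published detection: it parses UDP payloads against the public KCP segment header layout (a 24-byte little-endian header with commands 81 to 84) and flags a flow only when several datagrams parse cleanly with one consistent conversation id. The flow keys, addresses and payloads are constructed sample data. The rule is a generic KCP heuristic, and an implant may wrap or encrypt its KCP traffic differently, so a hit is a lead for triage rather than proof of KeyPlug.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# KCP segment header (little-endian), as defined by the public KCP protocol:
#   conv:u32  cmd:u8  frg:u8  wnd:u16  ts:u32  sn:u32  una:u32  len:u32   (24 bytes)
KCP_HEADER = struct.Struct("<IBBHIIII")
KCP_CMD_PUSH, KCP_CMD_ACK, KCP_CMD_WASK, KCP_CMD_WINS = 81, 82, 83, 84
KCP_CMDS = {KCP_CMD_PUSH, KCP_CMD_ACK, KCP_CMD_WASK, KCP_CMD_WINS}


@dataclass
class KcpSegment:
    conv: int    # conversation id, constant for one KCP session
    cmd: int     # 81 PUSH, 82 ACK, 83 window probe, 84 window size
    frg: int     # fragment index
    wnd: int     # receive window
    ts: int      # sender timestamp
    sn: int      # sequence number
    una: int     # unacknowledged sequence number
    data: bytes  # payload (only PUSH segments carry data)


def parse_kcp_segments(payload: bytes) -> Optional[List[KcpSegment]]:
    """Return the segments if the whole UDP payload is a well-formed KCP datagram, else None.

    A KCP datagram is a concatenation of segments: every byte must be accounted
    for, every cmd must be one of the four KCP commands, and only PUSH segments
    may carry data.
    """
    segments: List[KcpSegment] = []
    off = 0
    while off < len(payload):
        if len(payload) - off < KCP_HEADER.size:
            return None
        conv, cmd, frg, wnd, ts, sn, una, length = KCP_HEADER.unpack_from(payload, off)
        off += KCP_HEADER.size
        if cmd not in KCP_CMDS or length > len(payload) - off:
            return None
        if cmd != KCP_CMD_PUSH and length != 0:
            return None
        segments.append(KcpSegment(conv, cmd, frg, wnd, ts, sn, una, payload[off:off + length]))
        off += length
    return segments or None


def kcp_flow_conv(datagrams: List[bytes], min_datagrams: int = 3) -> Optional[int]:
    """Return the conversation id if a UDP flow looks like one KCP session.

    Requires at least min_datagrams datagrams, every one parsing as KCP and all
    segments sharing one conv. Demanding several consistent datagrams keeps
    random UDP payloads from matching by chance.
    """
    if len(datagrams) < min_datagrams:
        return None
    convs = set()
    for dg in datagrams:
        segs = parse_kcp_segments(dg)
        if segs is None:
            return None
        convs.update(s.conv for s in segs)
    return convs.pop() if len(convs) == 1 else None


def triage_udp_flows(flows: Dict[str, List[bytes]]) -> Dict[str, int]:
    """Map each flow key that looks like a KCP session to its conv id."""
    hits = {}
    for key, datagrams in flows.items():
        conv = kcp_flow_conv(datagrams)
        if conv is not None:
            hits[key] = conv
    return hits


def build_kcp_datagram(conv: int, segments) -> bytes:
    """Build a KCP datagram from (cmd, sn, data) tuples; used only to construct sample traffic."""
    out = b""
    for cmd, sn, data in segments:
        out += KCP_HEADER.pack(conv, cmd, 0, 32, 1000 + sn, sn, 0, len(data)) + data
    return out


# Constructed sample traffic, not real captures; addresses are placeholders.
SAMPLE_FLOWS: Dict[str, List[bytes]] = {
    # implant-like session: three datagrams, one conv, PUSH with data plus ACK/probe
    "10.0.0.5:51234 -> 203.0.113.7:443/udp": [
        build_kcp_datagram(0x1A2B3C4D, [(KCP_CMD_PUSH, 1, b"\x17\x03\x03beacon")]),
        build_kcp_datagram(0x1A2B3C4D, [(KCP_CMD_ACK, 1, b""), (KCP_CMD_PUSH, 2, b"task?")]),
        build_kcp_datagram(0x1A2B3C4D, [(KCP_CMD_WASK, 3, b"")]),
    ],
    # ordinary DNS query: byte 4 (flags) is not a KCP cmd, so it never parses
    "10.0.0.5:40001 -> 10.0.0.53:53/udp": [
        b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01",
    ] * 3,
    # valid KCP headers but three different conv ids: not one session
    "10.0.0.9:60000 -> 198.51.100.2:9000/udp": [
        build_kcp_datagram(1, [(KCP_CMD_PUSH, 1, b"a")]),
        build_kcp_datagram(2, [(KCP_CMD_PUSH, 1, b"b")]),
        build_kcp_datagram(3, [(KCP_CMD_PUSH, 1, b"c")]),
    ],
}

if __name__ == "__main__":
    for key, conv in triage_udp_flows(SAMPLE_FLOWS).items():
        print(f"possible KCP session conv=0x{conv:08x} on {key}")
```

In practice the datagram lists would come from a packet capture or a UDP flow export grouped by 5-tuple; the conv id that the heuristic returns is the value to pivot on, since it stays constant for the life of a KCP session and lets you tie beacons from one host together even when the destination changes.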
Evolution and Adaptation
Over time KeyPlug has gained both Windows and Linux builds, widening the range of systems APT41 can target. Its modular design lets the operators add capabilities as needed, adapting the implant to each target and objective. The Linux build, tracked as KEYPLUG.LINUX, shares the Windows version's core functionality but is adapted to the Linux environment.
Mitigations
Use email filtering that detects and blocks spear-phishing attachments and links.
Keep systems up to date and patched.
Deploy endpoint detection and response (EDR) on Windows and Linux hosts alike, since both have KeyPlug builds.
Train users to recognise phishing and social engineering.
APT41 has used KeyPlug in campaigns against government agencies, telecommunications providers and technology companies. Victims include organisations in Italy, among other countries, which shows how broad the targeting is.
KeyPlug is attributed to APT41, also known as Grayfly, a China-based APT group. APT41 is known for its cyber espionage and has been involved in multiple high-profile attacks worldwide.

