Malware: Kevin

Description

[Kevin](https://attack.mitre.org/software/S1020) is a backdoor implant written in C++ that has been used by [HEXANE](https://attack.mitre.org/groups/G1001) since at least June 2020, including in operations against organizations in Tunisia.(Citation: Kaspersky Lyceum October 2021)

External References

• mitre-attack
• Kaspersky Lyceum October 2021

Techniques Used by This Malware

• T1001.001 — Junk Data
• T1005 — Data from Local System
• T1008 — Fallback Channels
• T1016 — System Network Configuration Discovery
• T1027.013 — Encrypted/Encoded File
• T1030 — Data Transfer Size Limits
• T1036.003 — Rename Legitimate Utilities
• T1041 — Exfiltration Over C2 Channel
• T1059.003 — Windows Command Shell
• T1070.004 — File Deletion
• T1071.001 — Web Protocols
• T1071.004 — DNS
• T1074 — Data Staged
• T1082 — System Information Discovery
• T1105 — Ingress Tool Transfer
• T1106 — Native API
• T1132.001 — Standard Encoding
• T1497 — Virtualization/Sandbox Evasion
• T1546.003 — Windows Management Instrumentation Event Subscription
• T1564.003 — Hidden Window
• T1572 — Protocol Tunneling

APT Groups Using This Malware

• HEXANE