Cisco Blogs

Scope of ‘KeyBoy’ Targeted Malware Attacks

June 13, 2013 - 3 Comments

On June 6, 2013, released an analysis of Microsoft Office-based malware that was exploiting a previously unknown vulnerability that was patched by MS12-060. The samples provided were alleged to be targeting Tibetan and Chinese Pro-Democracy Activists. On June 7, 2013, Rapid7 released an analysis of malware dubbed ‘KeyBoy,’ also exploiting unknown vulnerabilities in Microsoft Office, similarly patched by MS12-060, but allegedly targeting interests in Vietnam and India. The indicators of compromise (IoCs) listed by Rapid7 match some of the indicators of compromise listed previously by

IoCs published by


IoCs published by Rapid7.


As we have seen in some previous targeted malware attacks, the attackers in this incident are taking advantage of services like to establish free subdomains in their infrastructure. While TRAC is sure that many subdomains used at have no malicious purpose, there is no denying the fact that attackers mounting targeted attacks are also attracted to these ‘free’ services. Blending in with legitimate traffic is a common tactic used by attackers to help fly under the radar. Not many professional organizations have valid reasons to allow traffic to domains offered by, so blacklisting these domains is an option.

One of the second-level domains listed as an IoC is Subdomains at have been linked to malicious activity dating back as far as December 2011. Based on the patterns of subdomain registration over time in DNS, TRAC believes this is an example where the attackers registered their own second-level domain. The WHOIS data, including the address, postal code and telephone number, is obviously forged.

Fake WHOIS record data for


An eclectic group of subdomains has been used at, including the following:

While watching some of these domains using passive DNS, a peculiar pattern emerges. For a long period of time, many of the DNS responses for a hostname will return, but every so often, presumably when a likely target is on the hook, the domain name servers return a routable IP. Perhaps this is a tactic designed to evade or postpone eventual detection and assist in staying below the radar. Note in the following graphic that the DNS server replied 717 times with; however, during that same time, real routable IPs were also offered to certain requesters.

Passive DNS from for a subdomain at

Another IoC second-level domain from this group ( exhibits exactly the same WHOIS and passive DNS patterns:

Passive DNS from for a subdomain at

TRAC recommends analyzing DNS traffic for these IoCs on your own networks. In this case, maintaining the latest patches would also have thwarted the attacks, and is always an excellent idea. Additionally, blacklisting the domains offered by using local RPZs, firewalls, Cisco IronPort Web Security Appliance (WSA), or Cloud Web Security (CWS) is a further option that can add an extra layer of security.
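The two checks the post recommends, hunting passive DNS for the "mostly a non-routable answer, occasionally a routable IP" pattern and hunting resolver query logs for names under free-subdomain providers you have chosen to block, can be scripted. The example below is added here and is not code from Cisco or TRAC; every hostname, IP address, log line and the block list it uses is constructed, not an indicator from the post, and it assumes the sentinel address the attackers returned was non-routable (the post does not say which address it was).

```python
"""Hunt over constructed data for (1) hostnames whose passive-DNS answers are
mostly a non-routable sentinel with short windows of routable IPs, and
(2) resolver queries for names under blocked free-subdomain providers."""
import ipaddress
import re
from collections import defaultdict

# Ranges treated as "not a real endpoint" for the flip-flop heuristic (assumption).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed passive-DNS export, tab separated: first_seen, rrname, rrtype, rdata, count.
# 203.0.113.0/24 (TEST-NET-3) stands in for genuinely routable addresses.
SAMPLE_PDNS = """\
2011-10-22\tupdate.free-dyn.example\tA\t127.0.0.1\t717
2011-11-03\tupdate.free-dyn.example\tA\t203.0.113.45\t4
2012-01-19\tupdate.free-dyn.example\tA\t203.0.113.46\t2
2012-03-07\tupdate.free-dyn.example\tA\t127.0.0.1\t310
2012-02-01\tparked.free-dyn.example\tA\t127.0.0.1\t200
2012-02-01\twww.legit.example\tA\t203.0.113.80\t5000
2012-02-02\twww.legit.example\tA\t203.0.113.81\t3900
"""

# Constructed resolver query log lines in the classic BIND querylog layout.
SAMPLE_QUERY_LOG = """\
13-Jun-2013 10:02:11.123 client 10.1.2.3#51234: query: update.free-dyn.example IN A + (10.0.0.53)
13-Jun-2013 10:02:12.456 client 10.1.2.7#40111: query: www.legit.example IN A + (10.0.0.53)
13-Jun-2013 10:02:13.789 client 10.1.2.9#40222: query: free-dyn.example.com IN A + (10.0.0.53)
"""

# Constructed block list of second-level domains handed out by a free-subdomain service.
BLOCKED_SLDS = {"free-dyn.example", "dyn-host.example"}


def is_routable(ip_str):
    """True unless the address falls inside one of the NON_ROUTABLE ranges."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in NON_ROUTABLE)


def parse_pdns(text):
    """Yield (rrname, rdata, count) for the A records in the tab-separated export."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _first_seen, rrname, rrtype, rdata, count = line.split("\t")
        if rrtype == "A":
            yield rrname.lower().rstrip("."), rdata, int(count)


def summarize(records):
    """Per hostname: sentinel vs routable answer counts, plus the routable IPs seen."""
    stats = defaultdict(lambda: {"sentinel": 0, "routable": 0, "routable_ips": set()})
    for rrname, rdata, count in records:
        bucket = "routable" if is_routable(rdata) else "sentinel"
        stats[rrname][bucket] += count
        if bucket == "routable":
            stats[rrname]["routable_ips"].add(rdata)
    return stats


def flip_flop_hosts(stats, min_sentinel_share=0.9):
    """Hostnames that mostly resolve to a sentinel yet were pointed at routable IPs
    for short windows. Names that never had a routable answer (parked) are skipped."""
    hits = []
    for host, s in stats.items():
        total = s["sentinel"] + s["routable"]
        if s["routable"] and total and s["sentinel"] / total >= min_sentinel_share:
            hits.append(host)
    return sorted(hits)


def under_blocked_sld(qname, slds):
    """True when qname is a blocked second-level domain or any subdomain of one."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in slds for i in range(len(labels)))


QUERY_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN ")


def flag_queries(log_text, slds):
    """Return (client_ip, qname) for each query-log line whose name is under a blocked SLD."""
    flagged = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and under_blocked_sld(m.group(2), slds):
            flagged.append((m.group(1), m.group(2)))
    return flagged


if __name__ == "__main__":
    stats = summarize(parse_pdns(SAMPLE_PDNS))
    for host in flip_flop_hosts(stats):
        s = stats[host]
        print(f"{host}: {s['sentinel']} sentinel answers, {s['routable']} routable "
              f"-> {sorted(s['routable_ips'])}")
    for client, qname in flag_queries(SAMPLE_QUERY_LOG, BLOCKED_SLDS):
        print(f"{client} queried blocked name {qname}")
```

The suffix match in `under_blocked_sld` is label-based on purpose: `free-dyn.example.com` is not caught, while every depth of subdomain under `free-dyn.example` is. The flip-flop heuristic deliberately ignores names that only ever returned the sentinel, since the interesting signal is the brief appearance of routable addresses, not parking itself; the 0.9 threshold is an arbitrary starting point to tune against your own passive DNS volume.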

Thanks to Craig Williams and Emmanuel Tacheau for their assistance in co-writing this blog post.



  1. Got it Jaeson.

    For those registered domains,

    It seems to me like they are using short window periods to update their A records and then reverting back to a for their nefarious delivery system. Basically making it impossible to find these hosts unless one were sensing DNS infrastructure used by the victim/target.

    Good work and thanks for the explanation!

  2. Hello Jaeson,

    I like the analysis and the value of pDNS – however something still puzzles me in your analysis.

    Looking at . If the malware originators were using for roaming IP addresses, what is shown in the screenshot seems more like a time-based sensing gap. does not provide you location-based or source-based answers. It looks like it is most likely the gaps in sensing time (2011-10-22 to 2012-03-07 blanket time that did not capture the shorter time period in which was actually providing answers for those 3 valid routable IP addresses).

    You have more context with the name servers during that time and various other factors which I am missing. Your response will surely be enlightening.


    • Hi Vijay,

      Thanks for your question. Please allow me to clarify. The IoCs from these attacks included domains from both and domains we believe the attackers registered themselves.

      In this particular case the domain names,, and are all domains available for free third-level subdomain registration by They are listed as IoCs in the analysis by Rapid7. A full list of the second-level domains available at can be found here:

      The and domains were different because these domains were both registered back in 2009 using similar fraudulent WHOIS registration data. We believe the attackers registered and controlled these domains themselves, and this makes the patterns we see in the passive DNS data both relevant and interesting. The pattern of the DNS server returning much of the time and only returning routable IPs for small durations was consistent with other subdomains we investigated as well.

      Hope this helps,