
Killua Backdoor

Posted: November 12, 2020

The Killua Backdoor is a threatening implant that was used in a large-scale cyberattack against Kuwait-based organizations and businesses, which spanned several months in 2019. The malware was frequently used in combination with other threatening implants such as the Hisoka Malware, the EYE Malware, and xHunt. According to malware experts, the Killua Backdoor closely resembles the Hisoka malware in terms of functionality, but it appears to be a slightly newer project. One of the primary differences between the two implants is the language they were written in: Hisoka was developed in C#, while the Killua Backdoor was coded in Visual C++.

The Killua Backdoor Contacts C2 via DNS Tunneling

As mentioned in our post on the Hisoka Malware, the latest '0.9' version of that threat has the ability to use DNS tunneling to communicate with the Command-and-Control server. The same feature is found in the Killua Backdoor, but with one major difference – this backdoor Trojan has no backup channel for contacting the control server. DNS tunneling is not new for malware, but it is used relatively rarely because of the limits it places on the type and volume of data that can be transferred.
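DNS tunneling of the kind described above is usually visible to defenders in resolver logs: many queries from one host to a single registered domain, each carrying a long, high-entropy leading label that holds the encoded data. The following heuristic detector is added here as an illustration and is not code from the original post or from any xHunt tooling. The log line format, the thresholds, the naive "last two labels" registered-domain split, and the sample log lines (which use an obviously placeholder domain) are all constructed assumptions; thresholds should be tuned against a baseline of your own resolver traffic.

```python
"""Heuristic detection of DNS-tunneling style C2 traffic in DNS query logs.

Added illustration, not code from the original page or from the malware
described there. Log format, thresholds and sample data are assumptions.
"""
import math
from collections import defaultdict

# Constructed sample log (not real traffic): "<timestamp> <client-ip> <qtype> <qname>".
# The 10.0.0.7 lines imitate encoded payload in the leading labels of a placeholder domain.
SAMPLE_DNS_LOG = """\
2020-11-12T09:00:01 10.0.0.5 A www.example.com
2020-11-12T09:00:02 10.0.0.5 AAAA mail.example.com
2020-11-12T09:00:03 10.0.0.7 TXT 4a7f9c2e1b3d.k8x2m9q4z1w7.c2-placeholder.test
2020-11-12T09:00:04 10.0.0.7 TXT 9d1e0b7a5c3f.p3n6v8r2t0y5.c2-placeholder.test
2020-11-12T09:00:05 10.0.0.7 TXT e2c4a6b8d0f1.h7j9l1n3p5r7.c2-placeholder.test
2020-11-12T09:00:06 10.0.0.7 A 1f3e5d7c9b0a.m2o4q6s8u0w2.c2-placeholder.test
2020-11-12T09:00:07 10.0.0.9 A cdn.example.org
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_registered_domain(qname: str):
    """Return (leading_labels, registered_domain).

    Assumption: the registered domain is the last two labels. A production
    detector would consult a public-suffix list instead of this shortcut.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return [], ".".join(labels)
    return labels[:-2], ".".join(labels[-2:])


def score_query(qname: str, max_payload_len: int = 20, min_entropy: float = 3.5) -> dict:
    """Score one query name. Tunneled data, if any, lives in the leading labels,
    so the heuristics look at their total length and character entropy."""
    leading, registered = split_registered_domain(qname)
    payload = "".join(leading)
    features = {
        "registered_domain": registered,
        "payload_len": len(payload),
        "label_count": len(leading),
        "entropy": round(shannon_entropy(payload), 3),
    }
    features["suspicious"] = (
        features["payload_len"] >= max_payload_len or features["entropy"] >= min_entropy
    )
    return features


def detect_tunneling(log_text: str, min_suspicious_queries: int = 3) -> list:
    """Aggregate suspicious queries per (client, registered domain) and return
    one alert dict for every pair that reaches min_suspicious_queries."""
    stats = defaultdict(lambda: {"suspicious": 0, "payload_chars": 0, "qtypes": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the whole run
        _ts, client, qtype, qname = parts
        f = score_query(qname)
        if not f["suspicious"]:
            continue
        s = stats[(client, f["registered_domain"])]
        s["suspicious"] += 1
        s["payload_chars"] += f["payload_len"]
        s["qtypes"].add(qtype)

    alerts = []
    for (client, domain), s in sorted(stats.items()):
        if s["suspicious"] >= min_suspicious_queries:
            alerts.append({
                "client": client,
                "domain": domain,
                "suspicious_queries": s["suspicious"],
                "payload_chars": s["payload_chars"],
                "qtypes": sorted(s["qtypes"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_tunneling(SAMPLE_DNS_LOG):
        print(alert)
```

On the constructed sample, the two ordinary clients produce no alert, while 10.0.0.7 is flagged for four queries to the placeholder domain. The `payload_chars` figure gives a rough sense of how little data each query can carry, which is the limitation on volume mentioned above, and the mixed `qtypes` reflect that tunneling implants commonly use record types such as TXT that can hold more response data.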

Another quirk of the Killua Backdoor is its use of the Windows Registry to store its configuration, including its unique identifier and the address of the control server. Like the Gon Malware, the Killua Backdoor supports the '-help' command, which displays a list of the commands available to the operator.

The xHunt campaign is one of the largest cyberattacks against Kuwait-based entities, and its operators have clearly taken the time to develop a flexible toolset for their attacks. The Killua Backdoor, for example, was frequently paired with the EYE Malware, which serves the purpose of tracking system changes and covering up the activities of the attackers.
