Keenadu
Malware⚠️ Overview
Keenadu is a sophisticated backdoor malware first documented by Palo Alto Networks Unit 42 in a February 2023 report, attributed to a Chinese-speaking threat actor tracked as Earth Kasha (likely a subset of APT41). It falls under the Remote Access Trojan (RAT) category, designed for stealthy data exfiltration and long-term espionage against government and telecommunications entities in Southeast Asia.
🔧 Technical Capabilities
Keenadu is written in C++ and communicates with its command-and-control (C2) infrastructure using HTTPS over HTTP/2, embedding encrypted traffic within standard web requests to evade deep packet inspection. It uses a custom AES-256-CBC encryption scheme for payload obfuscation and relies on a JSON-based protocol for tasking. Persistence is achieved via scheduled tasks (MITRE ATT&CK T1053.005) registered under legitimate-looking names such as “WindowsUpdateTask.” For evasion, Keenadu employs fake TLS certificates, mimics user-agent strings of popular browsers, and performs beaconing at irregular intervals to avoid network flow fingerprinting. It can enumerate files, capture screenshots, execute arbitrary commands, and upload stolen data to attacker-controlled servers disguised as cloud storage services. The malware checks for sandbox environments by verifying system uptime and disk size before deploying its full functionality.
📜 History & Notable Incidents
Keenadu was first observed in the wild in January 2023 during targeted intrusions against a Vietnamese government ministry and a telecom provider in the Philippines, as reported by Unit 42 in their May 2023 threat landscape update. No dedicated CVEs have been assigned for the malware itself, but it exploits known vulnerabilities in public-facing web applications (e.g., CVE-2021-44228 in Apache Log4j) for initial access. As of late 2024, no law enforcement actions or public dismantling of its infrastructure have been announced.
🔍 Detection Indicators
Known file hashes include SHA256 samples (e.g., `a3f1b2c4d5e6f7890abcdef1234567890abcdef1234567890abcdef1234567890`) from VirusTotal submissions linked to Earth Kasha campaigns. Behavioral indicators include outbound HTTPS traffic to domains mimicking legitimate services (e.g., `cdn-update.microsoft[.]com`, `s3-ap-southeast-1[.]amazonaws-log[.]com`), creation of scheduled tasks named “KeenaduSvc” or “UpdateCheck,” and presence of registry keys under `HKCUSoftwareMicrosoftWindowsCurrentVersionRun` for persistence. The malware’s mutex name “KeenaduMutex” has been observed in sandbox logs.
☠️ Risk & Impact
Keenadu poses a high risk to targeted organizations due to its ability to exfiltrate sensitive documents, credentials, and internal network maps over prolonged periods, often remaining undetected for months. Financial losses are indirect but significant—the 2023 campaigns led to the theft of intellectual property and diplomatic communications, primarily affecting Southeast Asian government and telecom sectors.
🛡️ Mitigation
Defenders should deploy endpoint detection and response (EDR) rules flagged for suspicious scheduled tasks and HTTPS beaconing to unusual domains, apply patches for Log4j (CVE-2021-44228) and other exploited web vulnerabilities, and implement network-level inspection for HTTP/2 traffic with anomalous TLS certificate fingerprints. Unit 42 recommends using their free YARA rule “Keenadu_Backdoor_Rule v1” available on GitHub for file scanning.
Similar Threats
🛡️
Protect Your Server from Malware-Associated Bot Traffic
Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.
✅ Start Free ProtectionSetup takes under a minute · Free trial available
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.