ETDA (Electronic Transactions Development Agency)

Threat Group Cards: A Threat Actor Encyclopedia

Tool: QueenOfHearts

Names: QueenOfHearts
Category: Malware
Type: Backdoor, Info stealer
Description: (Kaspersky) While it does not contain the anti-analysis countermeasures of its cousin, the rest of its features and overall design decisions map to KingOfHearts almost one to one. QueenOfHearts seems to have appeared somewhere in 2017. It is the family designated as PowerPool by our esteemed colleagues from ESET.

QueenOfHearts also interacts with its C2 server over HTTP. It sends simple GET requests containing a backdoor identifier and optional victim machine information, then reads orders located in the cookie header of the reply. Orders come in the form of two-letter codes (e.g.: “xe” to list drives) which tend to vary between samples. As of today, this family is still in active development, and we have observed code refactoring as well as incremental upgrades over 2020. For instance, earlier backdoor responses were sent as base64-encoded payloads in POST requests. They are now compressed beforehand, and additionally supplied through the cookie header.
Information: <https://securelist.com/iamtheking-and-the-slothfulmedia-malware-family/99000/>

Last change to this tool card: 19 October 2020


All groups using tool QueenOfHearts

Changed   Name         Country   Observed

APT groups

          IAmTheKing   Russia    2018

1 group listed (1 APT, 0 other, 0 unknown)

Digital Service Security Center
Electronic Transactions Development Agency
