S0245 BADCALL
BADCALL is a Trojan malware variant used by the group Lazarus Group. 1
| Item | Value |
|---|---|
| ID | S0245 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 17 October 2018 |
| Last Modified | 30 March 2020 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1001 | Data Obfuscation | - |
| enterprise | T1001.003 | Protocol Impersonation | BADCALL uses a FakeTLS method during C2.1 |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | BADCALL encrypts C2 traffic using an XOR/ADD cipher.1 |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.004 | Disable or Modify System Firewall | BADCALL disables the Windows firewall before binding to a port.1 |
| enterprise | T1112 | Modify Registry | BADCALL modifies the firewall Registry key SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfileGloballyOpenPorts\List.1 |
| enterprise | T1571 | Non-Standard Port | BADCALL communicates on ports 443 and 8000 with a FakeTLS method.1 |
| enterprise | T1090 | Proxy | BADCALL functions as a proxy server between the victim and C2 server.1 |
| enterprise | T1082 | System Information Discovery | BADCALL collects the computer name and host name on the compromised system.1 |
| enterprise | T1016 | System Network Configuration Discovery | BADCALL collects the network adapter information.1 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0032 | Lazarus Group | 1 |