S0263 TYPEFRAME
TYPEFRAME is a remote access tool that has been used by Lazarus Group. [1]
Item | Value |
---|---|
ID | S0263 |
Associated Names | |
Type | MALWARE |
Version | 1.2 |
Created | 17 October 2018 |
Last Modified | 26 March 2023 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | TYPEFRAME can uninstall malware components using a batch script. [1] TYPEFRAME can execute commands using a shell. [1] |
enterprise | T1059.005 | Visual Basic | TYPEFRAME has used a malicious Word document for delivery with VBA macros for execution. [1] |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.003 | Windows Service | TYPEFRAME variants can add malicious DLL modules as new services. TYPEFRAME can also delete services from the victim's machine. [1] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | One TYPEFRAME variant decrypts an archive using an RC4 key, then decompresses and installs the decrypted malicious DLL module. Another variant decodes the embedded file by XORing it with the value 0x35. [1] |
enterprise | T1083 | File and Directory Discovery | TYPEFRAME can search directories for files on the victim's machine. [1] |
enterprise | T1562 | Impair Defenses | - |
enterprise | T1562.004 | Disable or Modify System Firewall | TYPEFRAME can open the Windows Firewall on the victim's machine to allow incoming connections. [1] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | TYPEFRAME can delete files off the system. [1] |
enterprise | T1105 | Ingress Tool Transfer | TYPEFRAME can upload and download files to the victim's machine. [1] |
enterprise | T1112 | Modify Registry | TYPEFRAME can install encrypted configuration data under the Registry keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\laxhost.dll and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PrintConfigs. [1] |
enterprise | T1571 | Non-Standard Port | TYPEFRAME has used ports 443, 8080, and 8443 with a FakeTLS method. [1] |
enterprise | T1027 | Obfuscated Files or Information | APIs and strings in some TYPEFRAME variants are RC4 encrypted. Another variant is encoded with XOR. [1] |
enterprise | T1027.011 | Fileless Storage | TYPEFRAME can install and store encrypted configuration data under the Registry keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\laxhost.dll and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PrintConfigs. [1] |
enterprise | T1090 | Proxy | A TYPEFRAME variant can force the compromised system to function as a proxy server. [1] |
enterprise | T1082 | System Information Discovery | TYPEFRAME can gather disk volume information. [1] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.002 | Malicious File | A Word document delivering TYPEFRAME prompts the user to enable macro execution. [1] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0032 | Lazarus Group | [1] |