S0347 AuditCred
AuditCred is a malicious DLL that has been used by Lazarus Group during their 2018 attacks.[1]
Item | Value |
---|---|
ID | S0347 |
Associated Names | Roptimizer |
Type | MALWARE |
Version | 1.1 |
Created | 30 January 2019 |
Last Modified | 30 March 2020 |
Associated Software Descriptions
Name | Description |
---|---|
Roptimizer | [1] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | AuditCred can open a reverse shell on the system to execute commands.[1] |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.003 | Windows Service | AuditCred is installed as a new service on the system.[1] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | AuditCred uses XOR and RC4 to decrypt its code functions.[1] |
enterprise | T1083 | File and Directory Discovery | AuditCred can search through folders and files on the system.[1] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | AuditCred can delete files from the system.[1] |
enterprise | T1105 | Ingress Tool Transfer | AuditCred can download files and additional malware.[1] |
enterprise | T1027 | Obfuscated Files or Information | AuditCred encrypts the configuration.[1] |
enterprise | T1055 | Process Injection | AuditCred can inject code from files to other running processes.[1] |
enterprise | T1090 | Proxy | AuditCred can use a proxy for communications.[1] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0032 | Lazarus Group | [1] |