Skip to content

S0347 AuditCred

AuditCred is a malicious DLL that has been used by Lazarus Group during their 2018 attacks.1

Item Value
ID S0347
Associated Names Roptimizer
Version 1.1
Created 30 January 2019
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Roptimizer 1

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell AuditCred can open a reverse shell on the system to execute commands.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service AuditCred is installed as a new service on the system.1
enterprise T1140 Deobfuscate/Decode Files or Information AuditCred uses XOR and RC4 to perform decryption on the code functions.1
enterprise T1083 File and Directory Discovery AuditCred can search through folders and files on the system.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion AuditCred can delete files from the system.1
enterprise T1105 Ingress Tool Transfer AuditCred can download files and additional malware.1
enterprise T1027 Obfuscated Files or Information AuditCred encrypts the configuration.1
enterprise T1055 Process Injection AuditCred can inject code from files to other running processes.1
enterprise T1090 Proxy AuditCred can utilize proxy for communications.1

Groups That Use This Software

ID Name References
G0032 Lazarus Group 1