Skip to content

S0431 HotCroissant

HotCroissant is a remote access trojan (RAT) attributed by U.S. government entities to malicious North Korean government cyber activity, tracked collectively as HIDDEN COBRA.1 HotCroissant shares numerous code similarities with Rifdoor.2

Item Value
ID S0431
Associated Names
Type MALWARE
Version 1.0
Created 01 May 2020
Last Modified 06 May 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1010 Application Window Discovery HotCroissant has the ability to list the names of all open windows on the infected host.2
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell HotCroissant can remotely open applications on the infected host with the ShellExecuteA command.2
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography HotCroissant has compressed network communications and encrypted them with a custom stream cipher.21
enterprise T1041 Exfiltration Over C2 Channel HotCroissant has the ability to download files from the infected host to the command and control (C2) server.2
enterprise T1083 File and Directory Discovery HotCroissant has the ability to retrieve a list of files in a given directory as well as drives and drive types.2
enterprise T1564 Hide Artifacts -
enterprise T1564.003 Hidden Window HotCroissant has the ability to hide the window for operations performed on a given file.2
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion HotCroissant has the ability to clean up installed files, delete files, and delete itself from the victim’s machine.2
enterprise T1105 Ingress Tool Transfer HotCroissant has the ability to upload a file from the command and control (C2) server to the victim machine.2
enterprise T1106 Native API HotCroissant can perform dynamic DLL importing and API lookups using LoadLibrary and GetProcAddress on obfuscated strings.1
enterprise T1027 Obfuscated Files or Information HotCroissant has encrypted strings with single-byte XOR and base64 encoded RC4.2
enterprise T1027.002 Software Packing HotCroissant has used the open source UPX executable packer.2
enterprise T1057 Process Discovery HotCroissant has the ability to list running processes on the infected host.2
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task HotCroissant has attempted to install a scheduled task named “Java Maintenance64” on startup to establish persistence.2
enterprise T1113 Screen Capture HotCroissant has the ability to do real time screen viewing on an infected host.2
enterprise T1489 Service Stop HotCroissant has the ability to stop services on the infected host.2
enterprise T1518 Software Discovery HotCroissant can retrieve a list of applications from the SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths registry key.2
enterprise T1082 System Information Discovery HotCroissant has the ability to determine if the current user is an administrator, Windows product name, processor name, screen resolution, and physical RAM of the infected host.1
enterprise T1016 System Network Configuration Discovery HotCroissant has the ability to identify the IP address of the compromised machine.1
enterprise T1033 System Owner/User Discovery HotCroissant has the ability to collect the username on the infected host.2
enterprise T1007 System Service Discovery HotCroissant has the ability to retrieve a list of services on the infected host.2

Groups That Use This Software

ID Name References
G0032 Lazarus Group 1

References

  1. US-CERT. (2020, February 20). MAR-10271944-1.v1 – North Korean Trojan: HOTCROISSANT. Retrieved May 1, 2020. 

  2. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.