S0593 ECCENTRICBANDWAGON
ECCENTRICBANDWAGON is a remote access Trojan (RAT) used by North Korean cyber actors that was first identified in August 2020. It is a reconnaissance tool–with keylogging and screen capture functionality–used for information gathering on compromised systems.1
| Item | Value |
|---|---|
| ID | S0593 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 18 March 2021 |
| Last Modified | 15 October 2021 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | ECCENTRICBANDWAGON can use cmd to execute commands on a victim’s machine.1 |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | ECCENTRICBANDWAGON has stored keystrokes and screenshots within the %temp%\GoogleChrome, %temp%\Downloads, and %temp%\TrendMicroUpdate directories.1 |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | ECCENTRICBANDWAGON can delete log files generated from the malware stored at C:\windows\temp\tmp0207.1 |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | ECCENTRICBANDWAGON can capture and store keystrokes.1 |
| enterprise | T1027 | Obfuscated Files or Information | ECCENTRICBANDWAGON has encrypted strings with RC4.1 |
| enterprise | T1113 | Screen Capture | ECCENTRICBANDWAGON can capture screenshots and store them locally.1 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0082 | APT38 | 2 |
| G0032 | Lazarus Group | 1 |