S0678 Torisma
Torisma is a second-stage implant designed for specialized monitoring that has been used by Lazarus Group. Torisma was discovered during an investigation into the 2020 Operation North Star campaign that targeted the defense sector.[1]
Item | Value |
---|---|
ID | S0678 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 01 February 2022 |
Last Modified | 21 March 2023 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Torisma can use HTTP and HTTPS for C2 communications.[1] |
enterprise | T1132 | Data Encoding | - |
enterprise | T1132.001 | Standard Encoding | Torisma has encoded C2 communications with Base64.[1] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | Torisma has used XOR and Base64 to decode C2 data.[1] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | Torisma has encrypted its C2 communications using XOR and VEST-32.[1] |
enterprise | T1480 | Execution Guardrails | Torisma is only delivered to a compromised host if the victim’s IP address is on an allow-list.[1] |
enterprise | T1041 | Exfiltration Over C2 Channel | Torisma can send victim data to an actor-controlled C2 server.[1] |
enterprise | T1106 | Native API | Torisma has used various Windows API calls.[1] |
enterprise | T1027 | Obfuscated Files or Information | Torisma has been Base64 encoded and AES encrypted.[1] |
enterprise | T1027.002 | Software Packing | Torisma has been packed with lz4 compression.[1] |
enterprise | T1082 | System Information Discovery | Torisma can use GetLogicalDrives to get a bitmask of all drives available on a compromised system. It can also use GetDriveType to determine if a new drive is a CD-ROM drive.[1] |
enterprise | T1016 | System Network Configuration Discovery | Torisma can collect the local MAC address using GetAdaptersInfo as well as the system’s IP address.[1] |
enterprise | T1049 | System Network Connections Discovery | Torisma can use WTSEnumerateSessionsW to monitor remote desktop connections.[1] |
enterprise | T1124 | System Time Discovery | Torisma can collect the current time on a victim machine.[1] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0032 | Lazarus Group | [1][2][3][4] |
References
1. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.
2. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
3. Breitenbacher, D. and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
4. ClearSky Research Team. (2020, August 13). Operation ‘Dream Job’ Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.