S0678 Torisma

Torisma is a second stage implant designed for specialized monitoring that has been used by Lazarus Group. Torisma was discovered during an investigation into the 2020 Operation North Star campaign that targeted the defense sector. [1]

Item Value
ID S0678
Associated Names
Type MALWARE
Version 1.1
Created 01 February 2022
Last Modified 21 March 2023

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Torisma can use HTTP and HTTPS for C2 communications. [1]
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding Torisma has encoded C2 communications with Base64. [1]
enterprise T1140 Deobfuscate/Decode Files or Information Torisma has used XOR and Base64 to decode C2 data. [1]
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Torisma has encrypted its C2 communications using XOR and VEST-32. [1]
enterprise T1480 Execution Guardrails Torisma is only delivered to a compromised host if the victim’s IP address is on an allow-list. [1]
enterprise T1041 Exfiltration Over C2 Channel Torisma can send victim data to an actor-controlled C2 server. [1]
enterprise T1106 Native API Torisma has used various Windows API calls. [1]
enterprise T1027 Obfuscated Files or Information Torisma has been Base64 encoded and AES encrypted. [1]
enterprise T1027.002 Software Packing Torisma has been packed with LZ4 compression. [1]
enterprise T1082 System Information Discovery Torisma can use GetLogicalDrives to get a bitmask of all drives available on a compromised system. It can also use GetDriveType to determine if a new drive is a CD-ROM drive. [1]
enterprise T1016 System Network Configuration Discovery Torisma can collect the local MAC address using GetAdaptersInfo as well as the system’s IP address. [1]
enterprise T1049 System Network Connections Discovery Torisma can use WTSEnumerateSessionsW to monitor remote desktop connections. [1]
enterprise T1124 System Time Discovery Torisma can collect the current time on a victim machine. [1]

Groups That Use This Software

ID Name References
G0032 Lazarus Group 4213