S0694 DRATzarus
DRATzarus is a remote access tool (RAT) that has been used by Lazarus Group to target defense and aerospace organizations globally since at least summer 2020. DRATzarus shares similarities with Bankshot, which was used by Lazarus Group in 2017 to target the Turkish financial sector.[1]
Item | Value |
---|---|
ID | S0694 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 24 March 2022 |
Last Modified | 17 March 2023 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | DRATzarus can use HTTP or HTTPS for C2 communications.[1] |
enterprise | T1005 | Data from Local System | DRATzarus can collect information from a compromised host.[1] |
enterprise | T1622 | Debugger Evasion | DRATzarus can use IsDebuggerPresent to detect whether a debugger is present on a victim.[1] |
enterprise | T1105 | Ingress Tool Transfer | DRATzarus can deploy additional tools onto an infected machine.[1] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.005 | Match Legitimate Name or Location | DRATzarus has been named Flash.exe, and its dropper has been named IExplorer.[1] |
enterprise | T1106 | Native API | DRATzarus can use various API calls to see if it is running in a sandbox.[1] |
enterprise | T1027 | Obfuscated Files or Information | DRATzarus can be partly encrypted with XOR.[1] |
enterprise | T1027.002 | Software Packing | DRATzarus's dropper can be packed with UPX.[1] |
enterprise | T1057 | Process Discovery | DRATzarus can enumerate and examine running processes to determine if a debugger is present.[1] |
enterprise | T1018 | Remote System Discovery | DRATzarus can search for other machines connected to a compromised host and attempt to map the network.[1] |
enterprise | T1033 | System Owner/User Discovery | DRATzarus can obtain a list of users from an infected machine.[1] |
enterprise | T1124 | System Time Discovery | DRATzarus can use the GetTickCount and GetSystemTimeAsFileTime API calls to inspect system time.[1] |
enterprise | T1497 | Virtualization/Sandbox Evasion | - |
enterprise | T1497.003 | Time Based Evasion | DRATzarus can use the GetTickCount and GetSystemTimeAsFileTime API calls to measure function timing.[1] DRATzarus can also remotely shut down into sleep mode under specific conditions to evade detection.[1] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0032 | Lazarus Group | [1][2][3][4] |
References
1. ClearSky Research Team. (2020, August 13). Operation ‘Dream Job’ Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
2. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.
3. Breitenbacher, D. and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
4. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.