
From Lazarus''No Pineapple''
The North Korean hacker group Lazarus APT 38 ,has been active since 2009. They were a group of criminals with an indeterminate number of criminals. However, due to their intended nature, methods, and threats on the web, they were classified as an Advanced Persistent Threat. The cybersecurity community gathers these under other names such as Zinc and Hidden Cobra.
Indicators of Compromise
CVEs (70)
CVE-2022-41352 2022-12-01 12:10:54CVE-2021-34480 2022-12-08 19:37:11CVE-2020-1380 2022-11-30 17:17:25CVE-2017-0199 2022-12-08 19:37:11CVE-2022-41128 2022-12-08 19:37:11CVE-2022-0609 2022-12-20 02:07:22CVE-2021-44228 2022-03-15 21:56:56CVE-2017-16238 2021-03-31 20:38:32CVE-2021-4034 2023-02-03 17:14:25CVE-2021-44731 2022-12-05 21:17:26cve-2021-25325.md 2022-05-05 09:03:50CVE-2021-30657 2022-05-05 09:03:50CVE-2017-0199 2022-04-11 11:27:49CVE-2021-25323 2022-05-05 09:03:50CVE-2015-2051 2022-05-05 09:03:50CVE-2014-2962 2022-05-05 09:03:50CVE-2018-2025010 2020-08-13 17:30:05CVE-2021-33766 2022-09-16 14:01:33CVE-2022-27925 2022-12-05 11:11:19CVE-2014-9583 2022-05-05 09:03:50+50 moreEmails (16)
[email protected] 2022-08-27 01:14:10[email protected] 2021-07-08 00:48:56[email protected] 2021-03-31 20:38:32[email protected] 2021-03-31 20:38:32[email protected] 2021-04-01 13:40:50[email protected] 2022-12-29 06:38:58[email protected] 2021-07-08 00:48:56[email protected] 2022-09-16 14:01:33[email protected] 2022-12-29 06:38:58[email protected] 2022-03-15 21:56:56[email protected] 2022-09-16 14:01:33[email protected] 2022-09-16 14:01:33[email protected] 2021-03-31 20:38:32[email protected] 2021-04-01 13:40:50[email protected] 2021-04-01 13:40:50[email protected] 2021-07-08 00:48:56APT Groups
Lazarus Group
Korea, Democratic People's Republic of
Mitigation
<h2 class="pt-3" id="aliasDescription" style="box-sizing: border-box; margin-top: 0px; margin-bottom: 0.5rem; line-height: 1.2; font-size: 2rem; font-family: Roboto-Light, sans-serif; color: rgb(57, 67, 76); letter-spacing: normal; padding-top: 1rem !important;">Associated Group Descriptions</h2><h2 class="pt-3" id="aliasDescription" style="box-sizing: border-box; margin-top: 0px; margin-bottom: 0.5rem; line-height: 1.2; padding-top: 1rem !important;"><table class="table table-bordered table-alternate mt-2" style="box-sizing: border-box; border-collapse: collapse; width: 1079.4px; margin-bottom: 1rem; color: rgb(33, 37, 41); border: 1px solid rgb(223, 223, 223); empty-cells: hide; font-family: Roboto-Regular, sans-serif; font-size: 16px; letter-spacing: normal; margin-top: 0.5rem !important; background-color: rgb(242, 242, 242) !important;"><thead style="box-sizing: border-box;"><tr style="box-sizing: border-box;"><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;">Name</th><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;">Description</th></tr></thead><tbody style="box-sizing: border-box; background: white; color: rgb(57, 67, 76);"><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);">Labyrinth Chollima</td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><span id="scite-ref-4-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[4]</a></span></span></p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);">HIDDEN COBRA</td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;">The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.<span id="scite-ref-1-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.us-cert.gov/ncas/alerts/TA17-164A" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[1]</a></span></span><span id="scite-ref-5-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.us-cert.gov/ncas/analysis-reports/AR19-100A" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[5]</a></span></span></p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);">Guardians of Peace</td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><span id="scite-ref-1-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.us-cert.gov/ncas/alerts/TA17-164A" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[1]</a></span></span></p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);">ZINC</td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><span id="scite-ref-6-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[6]</a></span></span></p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);">NICKEL ACADEMY</td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><span id="scite-ref-7-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[7]</a></span></span></p></td></tr></tbody></table><font color="#39434c"><span style="font-size: 28px; letter-spacing: normal;">Techniques Used</span></font></h2><h2 class="pt-3" style="box-sizing: border-box; margin-top: 0px; margin-bottom: 0.5rem; line-height: 1.2; padding-top: 1rem !important;"><table class="table techniques-used background table-bordered" style="box-sizing: border-box; border-collapse: collapse; width: 1079.4px; margin-bottom: 1rem; color: rgb(33, 37, 41); border: 1px solid rgb(223, 223, 223); empty-cells: hide; font-family: Roboto-Regular, sans-serif; font-size: 16px; letter-spacing: normal;"><thead style="box-sizing: border-box;"><tr style="box-sizing: border-box; border-bottom: 2px solid rgb(222, 226, 230); background: rgb(242, 242, 242);"><th class="p-2" style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;">Domain</th><th class="p-2" style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;">ID</th><th class="p-2" style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;">Name</th><th class="p-2" style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;">Use</th></tr></thead><tbody style="box-sizing: border-box;"><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1134" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1134</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1134/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1134" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Access Token Manipulation</a>: <a href="https://attack.mitre.org/techniques/T1134/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Create Process with Token</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> keylogger KiloAlfa obtains user tokens from interactive sessions to execute itself with API call <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">CreateProcessAsUserA</code> under that user's context.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-8-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Tools-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[8]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1087" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1087</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1087/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1087" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Account Discovery</a>: <a href="https://attack.mitre.org/techniques/T1087/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Account</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has queried an active directory server to obtain the list of accounts, including administrator accounts.<span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1098" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1098</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1098" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Account Manipulation</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware WhiskeyDelta-Two contains a function that attempts to rename the administrator’s account.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1583" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1583</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1583/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1583" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Acquire Infrastructure</a>: <a href="https://attack.mitre.org/techniques/T1583/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domains</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has acquired domains related to their campaigns to act as distribution points and C2 channels.<span id="scite-ref-11-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://us-cert.cisa.gov/ncas/alerts/aa21-048a" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[11]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span><span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1583/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.004</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1583" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Acquire Infrastructure</a>: <a href="https://attack.mitre.org/techniques/T1583/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Server</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has acquired servers to host their malicious tools.<span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1583/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.006</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1583" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Acquire Infrastructure</a>: <a href="https://attack.mitre.org/techniques/T1583/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Services</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has hosted malicious downloads on Github and Dropbox.<span id="scite-ref-11-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://us-cert.cisa.gov/ncas/alerts/aa21-048a" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[11]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1557" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1557</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1557/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1557" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Adversary-in-the-Middle</a>: <a href="https://attack.mitre.org/techniques/T1557/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">LLMNR/NBT-NS Poisoning and SMB Relay</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> executed <a href="https://attack.mitre.org/software/S0174" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Responder</a> using the command <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">[Responder file path] -i [IP address] -rPv</code> on a compromised host to harvest credentials and move laterally.<span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1071</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has conducted C2 over HTTP and HTTPS.<span id="scite-ref-15-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[15]</a></span></span><span id="scite-ref-16-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[16]</a></span></span><span id="scite-ref-17-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[17]</a></span></span><span id="scite-ref-18-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/?hilite=%27Operation%27%2C%27North%27%2C%27Star%27" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[18]</a></span></span><span id="scite-ref-19-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[19]</a></span></span><span id="scite-ref-20-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[20]</a></span></span><span id="scite-ref-21-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://twitter.com/ESETresearch/status/1458438155149922312" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[21]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1010" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1010</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1010" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Window Discovery</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware IndiaIndia obtains and sends to its C2 server the title of the window for each running process. The KilaAlfa keylogger also reports the title of the window in the foreground.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-22-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[22]</a></span></span><span id="scite-ref-8-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Tools-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[8]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1560" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1560</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1560" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Archive Collected Data</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has compressed exfiltrated data with RAR and used RomeoDelta malware to archive specified directories in .zip format, encrypt the .zip file, and upload it to C2. <span id="scite-ref-22-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[22]</a></span></span><span id="scite-ref-23-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[23]</a></span></span><span id="scite-ref-15-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[15]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1560/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1560/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Archive via Library</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server.<span id="scite-ref-23-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[23]</a></span></span><span id="scite-ref-15-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[15]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1560/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.003</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1560/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Archive via Custom Method</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;">A <a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware sample encrypts data using a simple byte based XOR operation prior to exfiltration.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-22-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[22]</a></span></span><span id="scite-ref-23-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[23]</a></span></span><span id="scite-ref-15-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[15]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1547</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1547/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Boot or Logon Autostart Execution</a>: <a href="https://attack.mitre.org/techniques/T1547/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Registry Run Keys / Startup Folder</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has maintained persistence by loading malicious code into a startup folder or by adding a Registry Run key.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-23-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[23]</a></span></span><span id="scite-ref-15-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[15]</a></span></span><span id="scite-ref-18-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/?hilite=%27Operation%27%2C%27North%27%2C%27Star%27" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[18]</a></span></span><span id="scite-ref-19-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[19]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1547/009" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.009</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Boot or Logon Autostart Execution</a>: <a href="https://attack.mitre.org/techniques/T1547/009" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Shortcut Modification</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware has maintained persistence on a system by creating a LNK shortcut in the user’s Startup folder.<span id="scite-ref-15-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[15]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1110" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1110</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1110" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Brute Force</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has performed brute force attacks against administrator accounts.<span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1110/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.003</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1110/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Password Spraying</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware attempts to connect to Windows shares for lateral movement by using a generated list of usernames, which center around permutations of the username Administrator, and weak passwords.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-23-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[23]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1059</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1059/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">PowerShell</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has used PowerShell to execute commands and malicious code.<span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span><span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.003</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware uses cmd.exe to execute commands on a compromised host.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span><span id="scite-ref-15-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[15]</a></span></span><span id="scite-ref-24-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[24]</a></span></span><span id="scite-ref-20-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[20]</a></span></span> A Destover-like variant used by <a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> uses a batch file mechanism to delete its binaries from the system.<span id="scite-ref-25-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[25]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1059/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.005</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Visual Basic</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has used VBA and embedded macros in Word documents to execute malicious code.<span id="scite-ref-18-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/?hilite=%27Operation%27%2C%27North%27%2C%27Star%27" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[18]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span><span id="scite-ref-19-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[19]</a></span></span><span id="scite-ref-20-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[20]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1584" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1584</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1584/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1584" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Compromise Infrastructure</a>: <a href="https://attack.mitre.org/techniques/T1584/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domains</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has compromised legitimate domains, including those hosted in the US and Italy, for C2.<span id="scite-ref-26-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[26]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1584/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.004</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1584" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Compromise Infrastructure</a>: <a href="https://attack.mitre.org/techniques/T1584/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Server</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has compromised servers to stage malicious tools.<span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span><span id="scite-ref-18-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/?hilite=%27Operation%27%2C%27North%27%2C%27Star%27" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[18]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1543" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1543</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1543/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.003</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1543" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Create or Modify System Process</a>: <a href="https://attack.mitre.org/techniques/T1543/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Service</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;">Several <a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware families install themselves as new services.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1485" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1485</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1485" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Destruction</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has used a custom secure delete function to overwrite file contents with data from heap memory.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1132" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1132</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1132/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1132" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Encoding</a>: <a href="https://attack.mitre.org/techniques/T1132/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Standard Encoding</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;">A <a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware sample encodes data with base64.<span id="scite-ref-15-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[15]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1005</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data from Local System</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has collected data and files from compromised networks.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-22-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[22]</a></span></span><span id="scite-ref-23-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[23]</a></span></span><span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span><span id="scite-ref-18-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/?hilite=%27Operation%27%2C%27North%27%2C%27Star%27" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[18]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1001/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.003</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Obfuscation</a>: <a href="https://attack.mitre.org/techniques/T1001/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Protocol Impersonation</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware also uses a unique form of communication encryption known as FakeTLS that mimics TLS but uses a different encryption method, potentially evading SSL traffic inspection/decryption.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span><span id="scite-ref-15-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[15]</a></span></span><span id="scite-ref-25-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[25]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1074" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1074</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1074/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1074" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Staged</a>: <a href="https://attack.mitre.org/techniques/T1074/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Local Data Staging</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware IndiaIndia saves information gathered about the victim to a file that is saved in the %TEMP% directory, then compressed, encrypted, and uploaded to a C2 server.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-22-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[22]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1491" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1491</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1491/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1491" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Defacement</a>: <a href="https://attack.mitre.org/techniques/T1491/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Internal Defacement</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> replaced the background wallpaper of systems with a threatening image after rendering the system unbootable with a <a href="https://attack.mitre.org/techniques/T1561/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Disk Structure Wipe</a>.<span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1140</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has used shellcode within macros to decrypt and manually map DLLs and shellcode into memory at runtime.<span id="scite-ref-19-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[19]</a></span></span><span id="scite-ref-20-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[20]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1587" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1587</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1587/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1587" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Develop Capabilities</a>: <a href="https://attack.mitre.org/techniques/T1587/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Malware</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has developed custom malware for use in their operations.<span id="scite-ref-11-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://us-cert.cisa.gov/ncas/alerts/aa21-048a" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[11]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span><span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1561" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1561</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1561/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1561" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Disk Wipe</a>: <a href="https://attack.mitre.org/techniques/T1561/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Disk Content Wipe</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has used malware like WhiskeyAlfa to overwrite the first 64MB of every drive with a mix of static and random buffers. A similar process is then used to wipe content in logical drives and, finally, attempt to wipe every byte of every sector on every drive. WhiskeyBravo can be used to overwrite the first 4.9MB of physical drives. WhiskeyDelta can overwrite the first 132MB or 1.5MB of each drive with random data from heap memory.<span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1561/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1561" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Disk Wipe</a>: <a href="https://attack.mitre.org/techniques/T1561/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Disk Structure Wipe</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware SHARPKNOT overwrites and deletes the Master Boot Record (MBR) on the victim's machine and has possessed MBR wiper malware since at least 2009.<span id="scite-ref-24-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[24]</a></span></span><span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1189" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1189</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1189" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Drive-by Compromise</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> delivered <a href="https://attack.mitre.org/software/S0241" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">RATANKBA</a> and other malicious code to victims via a compromised legitimate website.<span id="scite-ref-27-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[27]</a></span></span><span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1573</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1573/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Symmetric Cryptography</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;">Several <a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware families encrypt C2 traffic using custom code that uses XOR with an ADD operation and XOR with a SUB operation. Another <a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware sample XORs C2 traffic. Other <a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware uses Caracachs encryption to encrypt C2 payloads. <a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has also used AES to encrypt C2 traffic.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span><span id="scite-ref-15-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[15]</a></span></span><span id="scite-ref-25-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[25]</a></span></span><span id="scite-ref-18-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/?hilite=%27Operation%27%2C%27North%27%2C%27Star%27" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[18]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1585" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1585</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1585/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1585" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Establish Accounts</a>: <a href="https://attack.mitre.org/techniques/T1585/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Social Media Accounts</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has created new LinkedIn and Twitter accounts to conduct social engineering against potential victims.<span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span><span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1585/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1585" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Establish Accounts</a>: <a href="https://attack.mitre.org/techniques/T1585/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Email Accounts</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has created new email accounts for spearphishing operations.<span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span><span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1048" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1048</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1048/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.003</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1048" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exfiltration Over Alternative Protocol</a>: <a href="https://attack.mitre.org/techniques/T1048/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exfiltration Over Unencrypted Non-C2 Protocol</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware SierraBravo-Two generates an email message via SMTP containing information about newly infected victims.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-23-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[23]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1041" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1041</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1041" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exfiltration Over C2 Channel</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has exfiltrated data and files over a C2 channel through its various tools and malware.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-22-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[22]</a></span></span><span id="scite-ref-15-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[15]</a></span></span><span id="scite-ref-26-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[26]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1567" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1567</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1567/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1567" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exfiltration Over Web Service</a>: <a href="https://attack.mitre.org/techniques/T1567/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exfiltration to Cloud Storage</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has exfiltrated stolen data to Dropbox using a customized version of dbxcli.<span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1203" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1203</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1203" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exploitation for Client Execution</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has exploited Adobe Flash vulnerability CVE-2018-4878 for execution.<span id="scite-ref-28-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[28]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1008" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1008</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1008" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Fallback Channels</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware SierraAlfa sends data to one of the hard-coded C2 servers chosen at random, and if the transmission fails, chooses a new C2 server to attempt the transmission again.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-23-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[23]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1083</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;">Several <a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has conducted word searches on compromised machines to identify specific documents of interest. <a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware can use a common function to identify target files by their extension, and some also enumerate files and directories, including a Destover-like variant that lists files and gathers information for all drives.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-25-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[25]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span><span id="scite-ref-19-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[19]</a></span></span><span id="scite-ref-20-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[20]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1589" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1589</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1589/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1589" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Gather Victim Identity Information</a>: <a href="https://attack.mitre.org/techniques/T1589/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Email Addresses</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> collected email addresses belonging to various departments of a targeted organization which were used in follow-on phishing campaigns.<span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1591" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1591</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1591" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Gather Victim Org Information</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has studied publicly available information about a targeted organization to tailor spearphishing efforts against specific departments and/or individuals.<span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span><span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1591/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.004</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1591/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Identify Roles</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has targeted specific individuals within an organization with tailored job vacancy announcements.<span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1564" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1564</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1564/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1564" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hide Artifacts</a>: <a href="https://attack.mitre.org/techniques/T1564/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hidden Files and Directories</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has used a VBA Macro to set its file attributes to System and Hidden and has named files with a dot prefix to hide them from the Finder application.<span id="scite-ref-15-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[15]</a></span></span><span id="scite-ref-16-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[16]</a></span></span><span id="scite-ref-17-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[17]</a></span></span><span id="scite-ref-19-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[19]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1574" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1574</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1574/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1574" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hijack Execution Flow</a>: <a href="https://attack.mitre.org/techniques/T1574/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">DLL Side-Loading</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has replaced <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">win_fw.dll</code>, an internal component that is executed during IDA Pro installation, with a malicious DLL to download and execute a payload.<span id="scite-ref-21-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://twitter.com/ESETresearch/status/1458438155149922312" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[21]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1574/013" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.013</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1574" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hijack Execution Flow</a>: <a href="https://attack.mitre.org/techniques/T1574/013" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">KernelCallbackTable</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has abused the <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">KernelCallbackTable</code> to hijack process control flow and execute shellcode.<span id="scite-ref-19-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[19]</a></span></span><span id="scite-ref-20-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[20]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1562" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1562</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1562/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1562" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Impair Defenses</a>: <a href="https://attack.mitre.org/techniques/T1562/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Disable or Modify Tools</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware TangoDelta attempts to terminate various processes associated with McAfee. Additionally, <a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-22-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[22]</a></span></span><span id="scite-ref-8-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Tools-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[8]</a></span></span><span id="scite-ref-24-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[24]</a></span></span>.</p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1562/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.004</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1562" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Impair Defenses</a>: <a href="https://attack.mitre.org/techniques/T1562/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Disable or Modify System Firewall</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;">Various <a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware modifies the Windows firewall to allow incoming connections or disable it entirely using <a href="https://attack.mitre.org/software/S0108" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">netsh</a>. <span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-22-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[22]</a></span></span><span id="scite-ref-8-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Tools-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[8]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1070</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has restored malicious <a href="https://attack.mitre.org/techniques/T1574/013" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">KernelCallbackTable</a> code to its original state after the process execution flow has been hijacked.<span id="scite-ref-19-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[19]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1070/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.003</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1070/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Clear Command History</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has routinely deleted log files on a compromised router, including automatic log deletion through the use of the logrotate utility.<span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1070/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.004</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1070/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File Deletion</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware has deleted files in various ways, including "suicide scripts" to delete malware binaries from the victim. <a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> also uses secure file deletion to delete files from the victim.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-25-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[25]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1070/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.006</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1070/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Timestomp</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;">Several <a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware families use timestomping, including modifying the last write timestamp of a specified Registry key to a random date, as well as copying the timestamp for legitimate .exe files (such as calc.exe or mspaint.exe) to its dropped files.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span><span id="scite-ref-22-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[22]</a></span></span><span id="scite-ref-25-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[25]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1202" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1202</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1202" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indirect Command Execution</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> persistence mechanisms have used <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">forfiles.exe</code> to execute .htm files.<span id="scite-ref-20-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[20]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1105</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has downloaded files, malware, and tools from its C2 onto a compromised host.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span><span id="scite-ref-22-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[22]</a></span></span><span id="scite-ref-16-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[16]</a></span></span><span id="scite-ref-17-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[17]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span><span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span><span id="scite-ref-18-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/?hilite=%27Operation%27%2C%27North%27%2C%27Star%27" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[18]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span><span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span><span id="scite-ref-19-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[19]</a></span></span><span id="scite-ref-20-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[20]</a></span></span><span id="scite-ref-21-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://twitter.com/ESETresearch/status/1458438155149922312" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[21]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1056" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1056</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1056/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1056" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Input Capture</a>: <a href="https://attack.mitre.org/techniques/T1056/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Keylogging</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware KiloAlfa contains keylogging functionality.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-8-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Tools-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[8]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1534" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1534</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1534" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Internal Spearphishing</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has conducted internal spearphishing from within a compromised organization.<span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1036</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has disguised malicious template files as JPEG files to avoid detection.<span id="scite-ref-18-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/?hilite=%27Operation%27%2C%27North%27%2C%27Star%27" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[18]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1036/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.003</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1036/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Rename System Utilities</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has renamed system utilities such as <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">wscript.exe</code> and <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">mshta.exe</code>.<span id="scite-ref-20-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[20]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1036/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.004</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1036/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerade Task or Service</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has used a scheduled task named <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">SRCheck</code> to mask the execution of a malicious .dll.<span id="scite-ref-21-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://twitter.com/ESETresearch/status/1458438155149922312" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[21]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1036/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.005</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1036/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Match Legitimate Name or Location</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has renamed malicious code to disguise it as Microsoft's narrator and other legitimate files.<span id="scite-ref-29-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-133b" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[29]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span><span id="scite-ref-20-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[20]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1104" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1104</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1104" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Multi-Stage Channels</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has used multi-stage malware components that inject later stages into separate processes.<span id="scite-ref-19-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[19]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1106" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1106</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1106" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Native API</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has used the Windows API <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">ObtainUserAgentString</code> to obtain the User-Agent from a compromised host to connect to a C2 server.<span id="scite-ref-18-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/?hilite=%27Operation%27%2C%27North%27%2C%27Star%27" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[18]</a></span></span> <a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has also used various, often lesser known, functions to perform various types of Discovery and <a href="https://attack.mitre.org/techniques/T1055" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Injection</a>.<span id="scite-ref-19-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[19]</a></span></span><span id="scite-ref-20-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[20]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1046" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1046</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1046" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Network Service Discovery</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has used nmap from a router VM to scan ports on systems within the restricted segment of an enterprise network.<span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1571" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1571</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1571" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Non-Standard Port</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;">Some <a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware uses a list of ordered port numbers to choose a port for C2 traffic, creating port-protocol mismatches.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-23-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[23]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1027</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has used multiple types of encryption and encoding for their payloads, including AES, Caracachs, RC4, XOR, Base64, and other tricks such as creating aliases in code for <a href="https://attack.mitre.org/techniques/T1106" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Native API</a> function names.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-22-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[22]</a></span></span><span id="scite-ref-23-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[23]</a></span></span><span id="scite-ref-15-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[15]</a></span></span><span id="scite-ref-17-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[17]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span><span id="scite-ref-18-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/?hilite=%27Operation%27%2C%27North%27%2C%27Star%27" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[18]</a></span></span><span id="scite-ref-26-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[26]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span><span id="scite-ref-19-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[19]</a></span></span><span id="scite-ref-20-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[20]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1027/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1027/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Software Packing</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has used Themida to pack malicious DLLs and other files.<span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span><span id="scite-ref-26-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[26]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1027/007" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.007</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1027/007" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Dynamic API Resolution</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has used a custom hashing method to resolve APIs used in shellcode.<span id="scite-ref-19-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[19]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1588" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1588</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1588/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1588" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obtain Capabilities</a>: <a href="https://attack.mitre.org/techniques/T1588/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Tool</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has obtained a variety of tools for their operations, including <a href="https://attack.mitre.org/software/S0174" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Responder</a>, PuTTy PSCP, Wake-On-Lan, ChromePass, and dbxcli.<span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span><span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1588/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.003</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1588" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obtain Capabilities</a>: <a href="https://attack.mitre.org/techniques/T1588/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Code Signing Certificates</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has used code signing certificates issued by Sectigo RSA for some of its malware and tools.<span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1588/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.004</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1588" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obtain Capabilities</a>: <a href="https://attack.mitre.org/techniques/T1588/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Digital Certificates</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has obtained SSL certificates for their C2 domains.<span id="scite-ref-11-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://us-cert.cisa.gov/ncas/alerts/aa21-048a" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[11]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1566" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1566</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1566/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1566" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Phishing</a>: <a href="https://attack.mitre.org/techniques/T1566/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Spearphishing Attachment</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has targeted victims with spearphishing emails containing malicious Microsoft Word documents.<span id="scite-ref-28-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[28]</a></span></span><span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span><span id="scite-ref-18-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/?hilite=%27Operation%27%2C%27North%27%2C%27Star%27" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[18]</a></span></span><span id="scite-ref-19-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[19]</a></span></span><span id="scite-ref-20-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[20]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1566/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1566" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Phishing</a>: <a href="https://attack.mitre.org/techniques/T1566/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Spearphishing Link</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has sent malicious links to victims via email.<span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1566/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.003</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1566" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Phishing</a>: <a href="https://attack.mitre.org/techniques/T1566/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Spearphishing via Service</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has used social media platforms, including LinkedIn and Twitter, to send spearphishing messages.<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1542" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1542</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1542/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.003</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1542" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Pre-OS Boot</a>: <a href="https://attack.mitre.org/techniques/T1542/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Bootkit</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware WhiskeyAlfa-Three modifies sector 0 of the Master Boot Record (MBR) to ensure that the malware will persist even if a victim machine shuts down.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1057</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Discovery</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;">Several <a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware families gather a list of running processes on a victim system and send it to their C2 server. A Destover-like variant used by <a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> also gathers process times.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-22-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[22]</a></span></span><span id="scite-ref-15-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[15]</a></span></span><span id="scite-ref-25-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[25]</a></span></span><span id="scite-ref-17-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[17]</a></span></span><span id="scite-ref-19-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[19]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1055" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1055</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1055/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1055" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Injection</a>: <a href="https://attack.mitre.org/techniques/T1055/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Dynamic-link Library Injection</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;">A <a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware sample performs reflective DLL injection.<span id="scite-ref-15-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[15]</a></span></span><span id="scite-ref-19-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[19]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1090" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1090</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1090/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1090" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Proxy</a>: <a href="https://attack.mitre.org/techniques/T1090/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Internal Proxy</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has used a compromised router to serve as a proxy between a victim network's corporate and restricted segments.<span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1090/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1090" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Proxy</a>: <a href="https://attack.mitre.org/techniques/T1090/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">External Proxy</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has used multiple proxies to obfuscate network traffic from victims.<span id="scite-ref-30-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.us-cert.gov/ncas/alerts/TA17-318A" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[30]</a></span></span><span id="scite-ref-17-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[17]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1012" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1012</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1012" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Query Registry</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware IndiaIndia checks Registry keys within HKCU and HKLM to determine if certain applications are present, including SecureCRT, Terminal Services, RealVNC, TightVNC, UltraVNC, Radmin, mRemote, TeamViewer, FileZilla, pcAnyware, and Remote Desktop. Another <a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware sample checks for the presence of the following Registry key:<code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt</code>.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-22-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[22]</a></span></span><span id="scite-ref-15-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[15]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1620" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1620</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1620" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Reflective Code Loading</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has changed memory protection permissions then overwritten in memory DLL function code with shellcode, which was later executed via <a href="https://attack.mitre.org/techniques/T1574/013" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">KernelCallbackTable</a> hijacking. <a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has also used shellcode within macros to decrypt and manually map DLLs into memory at runtime.<span id="scite-ref-19-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[19]</a></span></span><span id="scite-ref-20-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[20]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1021" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1021</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1021/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1021" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote Services</a>: <a href="https://attack.mitre.org/techniques/T1021/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote Desktop Protocol</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware SierraCharlie uses RDP for propagation.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-23-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[23]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1021/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1021" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote Services</a>: <a href="https://attack.mitre.org/techniques/T1021/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">SMB/Windows Admin Shares</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware SierraAlfa accesses the <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">ADMIN$</code> share via SMB to conduct lateral movement.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-23-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[23]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1021/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.004</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1021" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote Services</a>: <a href="https://attack.mitre.org/techniques/T1021/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">SSH</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> used SSH and the PuTTy PSCP utility to gain access to a restricted segment of a compromised network.<span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1053" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1053</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1053/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.005</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1053" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Task/Job</a>: <a href="https://attack.mitre.org/techniques/T1053/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Task</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has used <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">schtasks</code> for persistence including through the periodic execution of a remote XSL script or a dropped VBS payload.<span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span><span id="scite-ref-20-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[20]</a></span></span><span id="scite-ref-21-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://twitter.com/ESETresearch/status/1458438155149922312" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[21]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1593" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1593</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1593/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1593" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Search Open Websites/Domains</a>: <a href="https://attack.mitre.org/techniques/T1593/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Social Media</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has used LinkedIn to identify and target specific employees within a chosen organization.<span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1489" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1489</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1489" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Service Stop</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has stopped the MSExchangeIS service to render Exchange contents inaccessible to users.<span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1608" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1608</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1608/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1608" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Stage Capabilities</a>: <a href="https://attack.mitre.org/techniques/T1608/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Upload Malware</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has hosted malicious files on compromised as well as <a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a>-controlled servers.<span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span><span id="scite-ref-26-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[26]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1608/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1608" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Stage Capabilities</a>: <a href="https://attack.mitre.org/techniques/T1608/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Upload Tool</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has hosted custom and open-source tools on compromised as well as <a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a>-controlled servers.<span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1553" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1553</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1553/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1553" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Subvert Trust Controls</a>: <a href="https://attack.mitre.org/techniques/T1553/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Code Signing</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has digitally signed malware and utilities to evade detection.<span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span><span id="scite-ref-19-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[19]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1218</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Binary Proxy Execution</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> lnk files used for persistence have abused the Windows Update Client (<code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">wuauclt.exe</code>) to execute a malicious DLL.<span id="scite-ref-19-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[19]</a></span></span><span id="scite-ref-20-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[20]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1218/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.005</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1218/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Mshta</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has used <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">mshta.exe</code> to execute HTML pages downloaded by initial access documents.<span id="scite-ref-19-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[19]</a></span></span><span id="scite-ref-20-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[20]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1218/010" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.010</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1218/010" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Regsvr32</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has used rgsvr32 to execute custom malware.<span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1218/011" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.011</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1218/011" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Rundll32</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has used rundll32 to execute malicious payloads on a compromised host.<span id="scite-ref-18-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/?hilite=%27Operation%27%2C%27North%27%2C%27Star%27" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[18]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span><span id="scite-ref-21-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://twitter.com/ESETresearch/status/1458438155149922312" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[21]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1082</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;">Several <a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information. A Destover-like variant used by <a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> also collects disk space information and sends it to its C2 server.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span><span id="scite-ref-22-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[22]</a></span></span><span id="scite-ref-15-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[15]</a></span></span><span id="scite-ref-25-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[25]</a></span></span><span id="scite-ref-19-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[19]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1614" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1614</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1614/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1614" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Location Discovery</a>: <a href="https://attack.mitre.org/techniques/T1614/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Language Discovery</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has deployed malware designed not to run on computers set to Korean, Japanese, or Chinese in Windows language preferences.<span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1016</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware IndiaIndia obtains and sends to its C2 server information about the first network interface card’s configuration, including IP address, gateways, subnet mask, DHCP information, and whether WINS is available.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-22-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[22]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1049" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1049</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1049" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Connections Discovery</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has used <code style="box-sizing: border-box; font-family: courier, monospace; font-size: 14px; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">net use</code> to identify and establish a network connection with a remote host.<span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1033" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1033</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1033" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Owner/User Discovery</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;">Various <a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> malware enumerates logged-on users.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span><span id="scite-ref-22-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[22]</a></span></span><span id="scite-ref-23-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[23]</a></span></span><span id="scite-ref-15-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[15]</a></span></span><span id="scite-ref-16-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[16]</a></span></span><span id="scite-ref-19-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[19]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1529" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1529</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1529" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Shutdown/Reboot</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has rebooted systems after destroying files and wiping the MBR on infected systems.<span id="scite-ref-24-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[24]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1124" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1124</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1124" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Time Discovery</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;">A Destover-like implant used by <a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> can obtain the current system time and send it to the C2 server.<span id="scite-ref-25-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[25]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1221" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1221</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1221" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Template Injection</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has used DOCX files to retrieve a malicious document template/DOTM file.<span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span><span id="scite-ref-18-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/?hilite=%27Operation%27%2C%27North%27%2C%27Star%27" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[18]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1204" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1204</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1204/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1204" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">User Execution</a>: <a href="https://attack.mitre.org/techniques/T1204/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Malicious Link</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has sent spearphishing emails in an attempt to lure users to click on a malicious link.<span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1204/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1204" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">User Execution</a>: <a href="https://attack.mitre.org/techniques/T1204/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Malicious File</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has attempted to get users to launch a malicious Microsoft Word attachment delivered via a spearphishing email.<span id="scite-ref-28-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[28]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span><span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span><span id="scite-ref-19-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[19]</a></span></span><span id="scite-ref-20-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[20]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1078" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1078</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1078" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Valid Accounts</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has used administrator credentials to gain access to restricted network segments.<span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1497" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1497</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1497/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.001</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1497" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Virtualization/Sandbox Evasion</a>: <a href="https://attack.mitre.org/techniques/T1497/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Checks</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has used tools to detect sandbox or VMware services through identifying the presence of a debugger or related services.<span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1102" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1102</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1102/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">.002</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1102" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Service</a>: <a href="https://attack.mitre.org/techniques/T1102/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Bidirectional Communication</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has used GitHub as C2, pulling hosted image payloads then committing command execution output to files in specific directories.<span id="scite-ref-19-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[19]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1047" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1047</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1047" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Management Instrumentation</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has used WMIC for discovery as well as to execute payloads for persistence and lateral movement.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-23-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[23]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span><span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span><span id="scite-ref-20-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[20]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1220" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1220</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1220" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">XSL Script Processing</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has used WMIC to execute a remote XSL script to establish persistence.<span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span></p></td></tr><tr class="technique ics" id="ics" style="box-sizing: border-box; border-bottom: 1px solid rgb(223, 223, 223);"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">ICS</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T0865" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T0865</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T0865" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Spearphishing Attachment</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/groups/G0032" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lazarus Group</a> has been observed targeting organizations using spearphishing documents with embedded malicious payloads. <span id="scite-ref-31-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[31]</a></span></span> Highly targeted spear phishing campaigns have been conducted against a U.S. electric grid company. <span id="scite-ref-32-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.securityweek.com/five-threat-groups-target-industrial-systems-dragos" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[32]</a></span></span></p></td></tr></tbody></table></h2><h2 class="pt-3" id="software" style="box-sizing: border-box; margin-top: 0px; margin-bottom: 0.5rem; line-height: 1.2; font-size: 2rem; font-family: Roboto-Light, sans-serif; color: rgb(57, 67, 76); letter-spacing: normal; padding-top: 1rem !important;">Software</h2><h2 class="pt-3" style="box-sizing: border-box; margin-top: 0px; margin-bottom: 0.5rem; line-height: 1.2; padding-top: 1rem !important;"><table class="table table-bordered table-alternate mt-2" style="box-sizing: border-box; border-collapse: collapse; width: 1079.4px; margin-bottom: 1rem; color: rgb(33, 37, 41); border: 1px solid rgb(223, 223, 223); empty-cells: hide; font-family: Roboto-Regular, sans-serif; font-size: 16px; letter-spacing: normal; margin-top: 0.5rem !important; background-color: rgb(242, 242, 242) !important;"><thead style="box-sizing: border-box;"><tr style="box-sizing: border-box;"><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;">ID</th><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;">Name</th><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;">References</th><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;">Techniques</th></tr></thead><tbody style="box-sizing: border-box; background: white; color: rgb(57, 67, 76);"><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0584" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0584</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0584" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">AppleJeus</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-11-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://us-cert.cisa.gov/ncas/alerts/aa21-048a" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[11]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1548" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Abuse Elevation Control Mechanism</a>: <a href="https://attack.mitre.org/techniques/T1548/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Bypass User Account Control</a>, <a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Unix Shell</a>, <a href="https://attack.mitre.org/techniques/T1543" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Create or Modify System Process</a>: <a href="https://attack.mitre.org/techniques/T1543/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Service</a>, <a href="https://attack.mitre.org/techniques/T1543" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Create or Modify System Process</a>: <a href="https://attack.mitre.org/techniques/T1543/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Launch Daemon</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1546" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Event Triggered Execution</a>: <a href="https://attack.mitre.org/techniques/T1546/016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Installer Packages</a>, <a href="https://attack.mitre.org/techniques/T1041" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exfiltration Over C2 Channel</a>, <a href="https://attack.mitre.org/techniques/T1564" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hide Artifacts</a>: <a href="https://attack.mitre.org/techniques/T1564/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hidden Files and Directories</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File Deletion</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1566" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Phishing</a>: <a href="https://attack.mitre.org/techniques/T1566/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Spearphishing Link</a>, <a href="https://attack.mitre.org/techniques/T1053" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Task/Job</a>: <a href="https://attack.mitre.org/techniques/T1053/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Task</a>, <a href="https://attack.mitre.org/techniques/T1553" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Subvert Trust Controls</a>: <a href="https://attack.mitre.org/techniques/T1553/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Code Signing</a>, <a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Binary Proxy Execution</a>: <a href="https://attack.mitre.org/techniques/T1218/007" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Msiexec</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1569" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Services</a>: <a href="https://attack.mitre.org/techniques/T1569/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Launchctl</a>, <a href="https://attack.mitre.org/techniques/T1204" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">User Execution</a>: <a href="https://attack.mitre.org/techniques/T1204/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Malicious Link</a>, <a href="https://attack.mitre.org/techniques/T1204" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">User Execution</a>: <a href="https://attack.mitre.org/techniques/T1204/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Malicious File</a>, <a href="https://attack.mitre.org/techniques/T1497" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Virtualization/Sandbox Evasion</a>: <a href="https://attack.mitre.org/techniques/T1497/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Time Based Evasion</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0347" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0347</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0347" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">AuditCred</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-33-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[33]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a>, <a href="https://attack.mitre.org/techniques/T1543" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Create or Modify System Process</a>: <a href="https://attack.mitre.org/techniques/T1543/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Service</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File Deletion</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1055" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Injection</a>, <a href="https://attack.mitre.org/techniques/T1090" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Proxy</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0245" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0245</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0245" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">BADCALL</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-34-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-G.PDF" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[34]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Obfuscation</a>: <a href="https://attack.mitre.org/techniques/T1001/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Protocol Impersonation</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Symmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1562" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Impair Defenses</a>: <a href="https://attack.mitre.org/techniques/T1562/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Disable or Modify System Firewall</a>, <a href="https://attack.mitre.org/techniques/T1112" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Modify Registry</a>, <a href="https://attack.mitre.org/techniques/T1571" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Non-Standard Port</a>, <a href="https://attack.mitre.org/techniques/T1090" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Proxy</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0239" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0239</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0239" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Bankshot</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-28-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[28]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1134" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Access Token Manipulation</a>: <a href="https://attack.mitre.org/techniques/T1134/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Create Process with Token</a>, <a href="https://attack.mitre.org/techniques/T1087" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Account Discovery</a>: <a href="https://attack.mitre.org/techniques/T1087/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Local Account</a>, <a href="https://attack.mitre.org/techniques/T1087" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Account Discovery</a>: <a href="https://attack.mitre.org/techniques/T1087/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Account</a>, <a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1119" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Automated Collection</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a>, <a href="https://attack.mitre.org/techniques/T1543" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Create or Modify System Process</a>: <a href="https://attack.mitre.org/techniques/T1543/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Service</a>, <a href="https://attack.mitre.org/techniques/T1132" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Encoding</a>: <a href="https://attack.mitre.org/techniques/T1132/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Non-Standard Encoding</a>, <a href="https://attack.mitre.org/techniques/T1005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data from Local System</a>, <a href="https://attack.mitre.org/techniques/T1001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Obfuscation</a>: <a href="https://attack.mitre.org/techniques/T1001/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Protocol Impersonation</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1041" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exfiltration Over C2 Channel</a>, <a href="https://attack.mitre.org/techniques/T1203" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exploitation for Client Execution</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Timestomp</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File Deletion</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1112" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Modify Registry</a>, <a href="https://attack.mitre.org/techniques/T1106" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Native API</a>, <a href="https://attack.mitre.org/techniques/T1571" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Non-Standard Port</a>, <a href="https://attack.mitre.org/techniques/T1057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Discovery</a>, <a href="https://attack.mitre.org/techniques/T1012" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Query Registry</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0520" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0520</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0520" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">BLINDINGCAN</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-35-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[35]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a>, <a href="https://attack.mitre.org/techniques/T1132" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Encoding</a>: <a href="https://attack.mitre.org/techniques/T1132/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Standard Encoding</a>, <a href="https://attack.mitre.org/techniques/T1005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data from Local System</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Symmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1041" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exfiltration Over C2 Channel</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File Deletion</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Timestomp</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a>: <a href="https://attack.mitre.org/techniques/T1036/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Match Legitimate Name or Location</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>: <a href="https://attack.mitre.org/techniques/T1027/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Software Packing</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1566" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Phishing</a>: <a href="https://attack.mitre.org/techniques/T1566/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Spearphishing Attachment</a>, <a href="https://attack.mitre.org/techniques/T1129" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Shared Modules</a>, <a href="https://attack.mitre.org/techniques/T1553" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Subvert Trust Controls</a>: <a href="https://attack.mitre.org/techniques/T1553/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Code Signing</a>, <a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Binary Proxy Execution</a>: <a href="https://attack.mitre.org/techniques/T1218/011" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Rundll32</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a>, <a href="https://attack.mitre.org/techniques/T1204" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">User Execution</a>: <a href="https://attack.mitre.org/techniques/T1204/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Malicious File</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0498" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0498</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0498" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Cryptoistic</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-16-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[16]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data from Local System</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File Deletion</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1095" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Non-Application Layer Protocol</a>, <a href="https://attack.mitre.org/techniques/T1033" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Owner/User Discovery</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0497" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0497</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0497" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Dacls</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-16-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[16]</a></span></span><span id="scite-ref-17-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[17]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1543" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Create or Modify System Process</a>: <a href="https://attack.mitre.org/techniques/T1543/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Launch Daemon</a>, <a href="https://attack.mitre.org/techniques/T1543" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Create or Modify System Process</a>: <a href="https://attack.mitre.org/techniques/T1543/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Launch Agent</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1564" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hide Artifacts</a>: <a href="https://attack.mitre.org/techniques/T1564/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hidden Files and Directories</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Discovery</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0567" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0567</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0567" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Dtrack</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-36-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://usa.kaspersky.com/about/press-releases/2019_dtrack-previously-unknown-spy-tool-hits-financial-institutions-and-research-centers" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[36]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1560" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Archive Collected Data</a>, <a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Boot or Logon Autostart Execution</a>, <a href="https://attack.mitre.org/techniques/T1217" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Browser Bookmark Discovery</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a>, <a href="https://attack.mitre.org/techniques/T1543" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Create or Modify System Process</a>: <a href="https://attack.mitre.org/techniques/T1543/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Service</a>, <a href="https://attack.mitre.org/techniques/T1005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data from Local System</a>, <a href="https://attack.mitre.org/techniques/T1074" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Staged</a>: <a href="https://attack.mitre.org/techniques/T1074/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Local Data Staging</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1574" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hijack Execution Flow</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File Deletion</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1056" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Input Capture</a>: <a href="https://attack.mitre.org/techniques/T1056/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Keylogging</a>, <a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a>: <a href="https://attack.mitre.org/techniques/T1036/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Match Legitimate Name or Location</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>: <a href="https://attack.mitre.org/techniques/T1027/009" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Embedded Payloads</a>, <a href="https://attack.mitre.org/techniques/T1057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Discovery</a>, <a href="https://attack.mitre.org/techniques/T1055" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Injection</a>: <a href="https://attack.mitre.org/techniques/T1055/012" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Hollowing</a>, <a href="https://attack.mitre.org/techniques/T1012" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Query Registry</a>, <a href="https://attack.mitre.org/techniques/T1129" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Shared Modules</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a>, <a href="https://attack.mitre.org/techniques/T1049" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Connections Discovery</a>, <a href="https://attack.mitre.org/techniques/T1078" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Valid Accounts</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0593" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0593</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0593" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">ECCENTRICBANDWAGON</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-37-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[37]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a>, <a href="https://attack.mitre.org/techniques/T1074" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Staged</a>: <a href="https://attack.mitre.org/techniques/T1074/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Local Data Staging</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File Deletion</a>, <a href="https://attack.mitre.org/techniques/T1056" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Input Capture</a>: <a href="https://attack.mitre.org/techniques/T1056/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Keylogging</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1113" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Screen Capture</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0181" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0181</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0181" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">FALLCHILL</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-30-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.us-cert.gov/ncas/alerts/TA17-318A" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[30]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1543" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Create or Modify System Process</a>: <a href="https://attack.mitre.org/techniques/T1543/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Service</a>, <a href="https://attack.mitre.org/techniques/T1001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Obfuscation</a>: <a href="https://attack.mitre.org/techniques/T1001/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Protocol Impersonation</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Symmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File Deletion</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Timestomp</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0246" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0246</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0246" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">HARDRAIN</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-38-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[38]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a>, <a href="https://attack.mitre.org/techniques/T1001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Obfuscation</a>: <a href="https://attack.mitre.org/techniques/T1001/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Protocol Impersonation</a>, <a href="https://attack.mitre.org/techniques/T1562" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Impair Defenses</a>: <a href="https://attack.mitre.org/techniques/T1562/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Disable or Modify System Firewall</a>, <a href="https://attack.mitre.org/techniques/T1571" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Non-Standard Port</a>, <a href="https://attack.mitre.org/techniques/T1090" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Proxy</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0376" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0376</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0376" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">HOPLIGHT</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-5-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.us-cert.gov/ncas/analysis-reports/AR19-100A" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[5]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a>, <a href="https://attack.mitre.org/techniques/T1132" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Encoding</a>: <a href="https://attack.mitre.org/techniques/T1132/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Standard Encoding</a>, <a href="https://attack.mitre.org/techniques/T1041" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exfiltration Over C2 Channel</a>, <a href="https://attack.mitre.org/techniques/T1008" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Fallback Channels</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1562" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Impair Defenses</a>: <a href="https://attack.mitre.org/techniques/T1562/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Disable or Modify System Firewall</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1112" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Modify Registry</a>, <a href="https://attack.mitre.org/techniques/T1571" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Non-Standard Port</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Security Account Manager</a>, <a href="https://attack.mitre.org/techniques/T1055" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Injection</a>, <a href="https://attack.mitre.org/techniques/T1090" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Proxy</a>, <a href="https://attack.mitre.org/techniques/T1012" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Query Registry</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1569" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Services</a>: <a href="https://attack.mitre.org/techniques/T1569/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Service Execution</a>, <a href="https://attack.mitre.org/techniques/T1124" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Time Discovery</a>, <a href="https://attack.mitre.org/techniques/T1550" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Use Alternate Authentication Material</a>: <a href="https://attack.mitre.org/techniques/T1550/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Pass the Hash</a>, <a href="https://attack.mitre.org/techniques/T1047" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Management Instrumentation</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0431" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0431</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0431" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">HotCroissant</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-39-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.us-cert.gov/ncas/analysis-reports/ar20-045d" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[39]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1010" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Window Discovery</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Symmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1041" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exfiltration Over C2 Channel</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1564" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hide Artifacts</a>: <a href="https://attack.mitre.org/techniques/T1564/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hidden Window</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File Deletion</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1106" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Native API</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>: <a href="https://attack.mitre.org/techniques/T1027/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Software Packing</a>, <a href="https://attack.mitre.org/techniques/T1057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Discovery</a>, <a href="https://attack.mitre.org/techniques/T1053" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Task/Job</a>: <a href="https://attack.mitre.org/techniques/T1053/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Task</a>, <a href="https://attack.mitre.org/techniques/T1113" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Screen Capture</a>, <a href="https://attack.mitre.org/techniques/T1489" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Service Stop</a>, <a href="https://attack.mitre.org/techniques/T1518" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Software Discovery</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a>, <a href="https://attack.mitre.org/techniques/T1033" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Owner/User Discovery</a>, <a href="https://attack.mitre.org/techniques/T1007" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Service Discovery</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0271" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0271</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0271" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">KEYMARBLE</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-40-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.us-cert.gov/ncas/analysis-reports/AR18-221A" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[40]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Symmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File Deletion</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1112" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Modify Registry</a>, <a href="https://attack.mitre.org/techniques/T1057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Discovery</a>, <a href="https://attack.mitre.org/techniques/T1113" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Screen Capture</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0108" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0108</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0108" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">netsh</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-22-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[22]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1546" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Event Triggered Execution</a>: <a href="https://attack.mitre.org/techniques/T1546/007" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Netsh Helper DLL</a>, <a href="https://attack.mitre.org/techniques/T1562" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Impair Defenses</a>: <a href="https://attack.mitre.org/techniques/T1562/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Disable or Modify System Firewall</a>, <a href="https://attack.mitre.org/techniques/T1090" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Proxy</a>, <a href="https://attack.mitre.org/techniques/T1518" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Software Discovery</a>: <a href="https://attack.mitre.org/techniques/T1518/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Security Software Discovery</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0238" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0238</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0238" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Proxysvc</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-25-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[25]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1119" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Automated Collection</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a>, <a href="https://attack.mitre.org/techniques/T1485" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Destruction</a>, <a href="https://attack.mitre.org/techniques/T1005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data from Local System</a>, <a href="https://attack.mitre.org/techniques/T1041" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exfiltration Over C2 Channel</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File Deletion</a>, <a href="https://attack.mitre.org/techniques/T1057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Discovery</a>, <a href="https://attack.mitre.org/techniques/T1012" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Query Registry</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a>, <a href="https://attack.mitre.org/techniques/T1569" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Services</a>: <a href="https://attack.mitre.org/techniques/T1569/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Service Execution</a>, <a href="https://attack.mitre.org/techniques/T1124" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Time Discovery</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0241" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0241</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0241" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">RATANKBA</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-41-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[41]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1087" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Account Discovery</a>: <a href="https://attack.mitre.org/techniques/T1087/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Local Account</a>, <a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">PowerShell</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Discovery</a>, <a href="https://attack.mitre.org/techniques/T1055" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Injection</a>: <a href="https://attack.mitre.org/techniques/T1055/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Dynamic-link Library Injection</a>, <a href="https://attack.mitre.org/techniques/T1012" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Query Registry</a>, <a href="https://attack.mitre.org/techniques/T1018" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote System Discovery</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a>, <a href="https://attack.mitre.org/techniques/T1049" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Connections Discovery</a>, <a href="https://attack.mitre.org/techniques/T1033" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Owner/User Discovery</a>, <a href="https://attack.mitre.org/techniques/T1007" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Service Discovery</a>, <a href="https://attack.mitre.org/techniques/T1047" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Management Instrumentation</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0364" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0364</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0364" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">RawDisk</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1485" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Destruction</a>, <a href="https://attack.mitre.org/techniques/T1561" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Disk Wipe</a>: <a href="https://attack.mitre.org/techniques/T1561/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Disk Content Wipe</a>, <a href="https://attack.mitre.org/techniques/T1561" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Disk Wipe</a>: <a href="https://attack.mitre.org/techniques/T1561/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Disk Structure Wipe</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0174" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0174</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0174" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Responder</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1557" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Adversary-in-the-Middle</a>: <a href="https://attack.mitre.org/techniques/T1557/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">LLMNR/NBT-NS Poisoning and SMB Relay</a>, <a href="https://attack.mitre.org/techniques/T1040" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Network Sniffing</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0103" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0103</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0103" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">route</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0586" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0586</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0586" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">TAINTEDSCRIBE</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-29-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-133b" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[29]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1560" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Archive Collected Data</a>, <a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Boot or Logon Autostart Execution</a>: <a href="https://attack.mitre.org/techniques/T1547/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Registry Run Keys / Startup Folder</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a>, <a href="https://attack.mitre.org/techniques/T1001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Obfuscation</a>: <a href="https://attack.mitre.org/techniques/T1001/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Protocol Impersonation</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Symmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1008" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Fallback Channels</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File Deletion</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Timestomp</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a>: <a href="https://attack.mitre.org/techniques/T1036/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Match Legitimate Name or Location</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>: <a href="https://attack.mitre.org/techniques/T1027/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Binary Padding</a>, <a href="https://attack.mitre.org/techniques/T1057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Discovery</a>, <a href="https://attack.mitre.org/techniques/T1018" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote System Discovery</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1124" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Time Discovery</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0665" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0665</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0665" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">ThreatNeedle</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Boot or Logon Autostart Execution</a>: <a href="https://attack.mitre.org/techniques/T1547/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Registry Run Keys / Startup Folder</a>, <a href="https://attack.mitre.org/techniques/T1543" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Create or Modify System Process</a>: <a href="https://attack.mitre.org/techniques/T1543/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Service</a>, <a href="https://attack.mitre.org/techniques/T1005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data from Local System</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a>: <a href="https://attack.mitre.org/techniques/T1036/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Match Legitimate Name or Location</a>, <a href="https://attack.mitre.org/techniques/T1112" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Modify Registry</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1566" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Phishing</a>: <a href="https://attack.mitre.org/techniques/T1566/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Spearphishing Attachment</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1204" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">User Execution</a>: <a href="https://attack.mitre.org/techniques/T1204/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Malicious File</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0678" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0678</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0678" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Torisma</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-26-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[26]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1132" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Encoding</a>: <a href="https://attack.mitre.org/techniques/T1132/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Standard Encoding</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Symmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1480" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Execution Guardrails</a>, <a href="https://attack.mitre.org/techniques/T1041" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exfiltration Over C2 Channel</a>, <a href="https://attack.mitre.org/techniques/T1106" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Native API</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>: <a href="https://attack.mitre.org/techniques/T1027/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Software Packing</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a>, <a href="https://attack.mitre.org/techniques/T1049" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Connections Discovery</a>, <a href="https://attack.mitre.org/techniques/T1124" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Time Discovery</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0263" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0263</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0263" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">TYPEFRAME</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-42-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.us-cert.gov/ncas/analysis-reports/AR18-165A" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[42]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Visual Basic</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a>, <a href="https://attack.mitre.org/techniques/T1543" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Create or Modify System Process</a>: <a href="https://attack.mitre.org/techniques/T1543/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Service</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1562" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Impair Defenses</a>: <a href="https://attack.mitre.org/techniques/T1562/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Disable or Modify System Firewall</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File Deletion</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1112" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Modify Registry</a>, <a href="https://attack.mitre.org/techniques/T1571" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Non-Standard Port</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1090" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Proxy</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1204" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">User Execution</a>: <a href="https://attack.mitre.org/techniques/T1204/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Malicious File</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0180" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0180</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0180" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Volgmer</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-43-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.us-cert.gov/ncas/alerts/TA17-318B" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[43]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a>, <a href="https://attack.mitre.org/techniques/T1543" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Create or Modify System Process</a>: <a href="https://attack.mitre.org/techniques/T1543/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Service</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Symmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Asymmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File Deletion</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a>: <a href="https://attack.mitre.org/techniques/T1036/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerade Task or Service</a>, <a href="https://attack.mitre.org/techniques/T1112" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Modify Registry</a>, <a href="https://attack.mitre.org/techniques/T1106" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Native API</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Discovery</a>, <a href="https://attack.mitre.org/techniques/T1012" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Query Registry</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a>, <a href="https://attack.mitre.org/techniques/T1049" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Connections Discovery</a>, <a href="https://attack.mitre.org/techniques/T1007" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Service Discovery</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0366" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0366</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0366" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">WannaCry</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-44-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://content.fireeye.com/apt/rpt-apt38" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[44]</a></span></span><span id="scite-ref-45-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[45]</a></span></span><span id="scite-ref-46-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[46]</a></span></span><span id="scite-ref-47-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.secureworks.com/research/wcry-ransomware-analysis" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[47]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1543" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Create or Modify System Process</a>: <a href="https://attack.mitre.org/techniques/T1543/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Service</a>, <a href="https://attack.mitre.org/techniques/T1486" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Encrypted for Impact</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Asymmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1210" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exploitation of Remote Services</a>, <a href="https://attack.mitre.org/techniques/T0866" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exploitation of Remote Services</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1222" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Permissions Modification</a>: <a href="https://attack.mitre.org/techniques/T1222/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows File and Directory Permissions Modification</a>, <a href="https://attack.mitre.org/techniques/T1564" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hide Artifacts</a>: <a href="https://attack.mitre.org/techniques/T1564/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hidden Files and Directories</a>, <a href="https://attack.mitre.org/techniques/T1490" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Inhibit System Recovery</a>, <a href="https://attack.mitre.org/techniques/T1570" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lateral Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T0867" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Lateral Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1120" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Peripheral Device Discovery</a>, <a href="https://attack.mitre.org/techniques/T1090" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Proxy</a>: <a href="https://attack.mitre.org/techniques/T1090/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Multi-hop Proxy</a>, <a href="https://attack.mitre.org/techniques/T1563" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote Service Session Hijacking</a>: <a href="https://attack.mitre.org/techniques/T1563/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">RDP Hijacking</a>, <a href="https://attack.mitre.org/techniques/T1018" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote System Discovery</a>, <a href="https://attack.mitre.org/techniques/T1489" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Service Stop</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a>, <a href="https://attack.mitre.org/techniques/T1047" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Management Instrumentation</a></td></tr></tbody></table></h2>