1. Home
  2. Software
  3. BADCALL

BADCALL

BADCALL is a Trojan malware variant used by the group Lazarus Group. [1]

ID: S0245
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 17 October 2018
Last Modified: 30 March 2020
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1090 代理

BADCALL functions as a proxy server between the victim and C2 server.[1]
Enterprise T1112 修改注册表

BADCALL modifies the firewall Registry key SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfileGloballyOpenPorts\List.[1]
Enterprise T1573 .001 加密通道: Symmetric Cryptography

BADCALL encrypts C2 traffic using an XOR/ADD cipher.[1]
Enterprise T1562 .004 妨碍防御: Disable or Modify System Firewall

BADCALL disables the Windows firewall before binding to a port.[1]
Enterprise T1001 .003 数据混淆: Protocol or Service Impersonation

BADCALL uses a FakeTLS method during C2.[2]
Enterprise T1082 系统信息发现

BADCALL collects the computer name and host name on the compromised system.[1]
Enterprise T1016 系统网络配置发现

BADCALL collects the network adapter information.[1]
Enterprise T1571 非标准端口

BADCALL communicates on ports 443 and 8000 with a FakeTLS method.[1]

Groups That Use This Software

ID Name References
G0032 Lazarus Group

[1]

References

  1. US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.
  1. US-CERT. (2018, February 6). Malware Analysis Report 10135536-G. Retrieved August 15, 2024.