AuditCred

AuditCred is a malicious DLL that has been used by Lazarus Group during their 2018 attacks.^[1]

ID: S0347

ⓘ

Associated Software: Roptimizer

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.2

Created: 30 January 2019

Last Modified: 11 April 2024

Associated Software Descriptions

Name	Description
Roptimizer	^[1]

Techniques Used

Domain	ID		Name	Use
Enterprise	T1090		代理	AuditCred can utilize proxy for communications.^[1]
Enterprise	T1543	.003	创建或修改系统进程: Windows Service	AuditCred is installed as a new service on the system.^[1]
Enterprise	T1140		反混淆/解码文件或信息	AuditCred uses XOR and RC4 to perform decryption on the code functions.^[1]
Enterprise	T1059	.003	命令与脚本解释器: Windows Command Shell	AuditCred can open a reverse shell on the system to execute commands.^[1]
Enterprise	T1083		文件和目录发现	AuditCred can search through folders and files on the system.^[1]
Enterprise	T1027	.013	混淆文件或信息: Encrypted/Encoded File	AuditCred encrypts the configuration.^[1]
Enterprise	T1070	.004	移除指标: File Deletion	AuditCred can delete files from the system.^[1]
Enterprise	T1105		输入工具传输	AuditCred can download files and additional malware.^[1]
Enterprise	T1055		进程注入	AuditCred can inject code from files to other running processes.^[1]

Groups That Use This Software

ID	Name	References
G0032	Lazarus Group	^[1]

References

Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.