HotCroissant

HotCroissant is a remote access trojan (RAT) attributed by U.S. government entities to malicious North Korean government cyber activity, tracked collectively as HIDDEN COBRA.[1] HotCroissant shares numerous code similarities with Rifdoor.[2]

ID: S0431
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 01 May 2020
Last Modified: 11 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

HotCroissant has compressed network communications and encrypted them with a custom stream cipher.[2][1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

HotCroissant can remotely open applications on the infected host with the ShellExecuteA command.[2]

Enterprise T1113 Screen Capture

HotCroissant has the ability to do real time screen viewing on an infected host.[2]

Enterprise T1010 Application Window Discovery

HotCroissant has the ability to list the names of all open windows on the infected host.[2]

Enterprise T1083 File and Directory Discovery

HotCroissant has the ability to retrieve a list of files in a given directory as well as drives and drive types.[2]

Enterprise T1489 Service Stop

HotCroissant has the ability to stop services on the infected host.[2]

Enterprise T1106 Native API

HotCroissant can perform dynamic DLL importing and API lookups using LoadLibrary and GetProcAddress on obfuscated strings.[1]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

HotCroissant has used the open source UPX executable packer.[2]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

HotCroissant has encrypted strings with single-byte XOR and base64 encoded RC4.[2]

Enterprise T1070 .004 Indicator Removal: File Deletion

HotCroissant has the ability to clean up installed files, delete files, and delete itself from the victim’s machine.[2]

Enterprise T1082 System Information Discovery

HotCroissant has the ability to determine whether the current user is an administrator and to collect the Windows product name, processor name, screen resolution, and physical RAM of the infected host.[1]

Enterprise T1033 System Owner/User Discovery

HotCroissant has the ability to collect the username on the infected host.[2]

Enterprise T1007 System Service Discovery

HotCroissant has the ability to retrieve a list of services on the infected host.[2]

Enterprise T1016 System Network Configuration Discovery

HotCroissant has the ability to identify the IP address of the compromised machine.[1]

Enterprise T1518 Software Discovery

HotCroissant can retrieve a list of applications from the SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths registry key.[2]

Enterprise T1105 Ingress Tool Transfer

HotCroissant has the ability to upload a file from the command and control (C2) server to the victim machine.[2]

Enterprise T1057 Process Discovery

HotCroissant has the ability to list running processes on the infected host.[2]

Enterprise T1041 Exfiltration Over C2 Channel

HotCroissant has the ability to download files from the infected host to the command and control (C2) server.[2]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

HotCroissant has the ability to hide the window for operations performed on a given file.[2]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

HotCroissant has attempted to install a scheduled task named "Java Maintenance64" on startup to establish persistence.[2]

Groups That Use This Software

ID Name References
G0032 Lazarus Group [1]

References