ECCENTRICBANDWAGON

ECCENTRICBANDWAGON is a remote access Trojan (RAT) used by North Korean cyber actors that was first identified in August 2020. It is a reconnaissance tool--with keylogging and screen capture functionality--used for information gathering on compromised systems.^[1]

ID: S0593

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.0

Created: 18 March 2021

Last Modified: 15 October 2021

Techniques Used

Domain	ID		Name	Use
Enterprise	T1059	.003	命令与脚本解释器: Windows Command Shell	ECCENTRICBANDWAGON can use cmd to execute commands on a victim’s machine.^[1]
Enterprise	T1113		屏幕捕获	ECCENTRICBANDWAGON can capture screenshots and store them locally.^[1]
Enterprise	T1074	.001	数据分段: Local Data Staging	ECCENTRICBANDWAGON has stored keystrokes and screenshots within the `%temp%\GoogleChrome`, `%temp%\Downloads`, and `%temp%\TrendMicroUpdate` directories.^[1]
Enterprise	T1027		混淆文件或信息	ECCENTRICBANDWAGON has encrypted strings with RC4.^[1]
Enterprise	T1070	.004	移除指标: File Deletion	ECCENTRICBANDWAGON can delete log files generated from the malware stored at `C:\windows\temp\tmp0207`.^[1]
Enterprise	T1056	.001	输入捕获: Keylogging	ECCENTRICBANDWAGON can capture and store keystrokes.^[1]

Groups That Use This Software

ID	Name	References
G0082	APT38	^[2]
G0032	Lazarus Group	^[1]

References

Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021.

DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.

ECCENTRICBANDWAGON

Enterprise Layer

Techniques Used

Groups That Use This Software

References