Torisma

Torisma is a second stage implant designed for specialized monitoring that has been used by Lazarus Group. Torisma was discovered during an investigation into the 2020 Operation North Star campaign that targeted the defense sector.[1]

ID: S0678
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 01 February 2022
Last Modified: 10 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Torisma can use HTTP and HTTPS for C2 communications.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Torisma has encoded C2 communications with Base64.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Torisma has used XOR and Base64 to decode C2 data.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Torisma has encrypted its C2 communications using XOR and VEST-32.[1]

Enterprise T1480 Execution Guardrails

Torisma is only delivered to a compromised host if the victim's IP address is on an allow-list.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Torisma can send victim data to an actor-controlled C2 server.[1]

Enterprise T1106 Native API

Torisma has used various Windows API calls.[1]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Torisma has been packed with Iz4 compression.[1]

.013 Obfuscated Files or Information: Encrypted/Encoded File

Torisma has been Base64 encoded and AES encrypted.[1]

Enterprise T1082 System Information Discovery

Torisma can use GetlogicalDrives to get a bitmask of all drives available on a compromised system. It can also use GetDriveType to determine if a new drive is a CD-ROM drive.[1]

Enterprise T1016 System Network Configuration Discovery

Torisma can collect the local MAC address using GetAdaptersInfo as well as the system's IP address.[1]

Enterprise T1049 System Network Connections Discovery

Torisma can use WTSEnumerateSessionsW to monitor remote desktop connections.[1]

Enterprise T1124 System Time Discovery

Torisma can collect the current time on a victim machine.[1]

Groups That Use This Software

ID Name References
G0032 Lazarus Group

[2][3][1][4]

Campaigns

ID Name Description
C0022 Operation Dream Job

During Operation Dream Job, Lazarus Group used Torisma to actively monitor for new drives and remote desktop connections on an infected system.[3][1]

References