Register to stream ATT&CKcon 2.0 October 29-30


Proxysvc is a malicious DLL used by Lazarus Group in a campaign known as Operation GhostSecret. It has appeared to be operating undetected since 2017 and was mostly observed in higher education organizations. The goal of Proxysvc is to deliver additional payloads to the target and to maintain control for the attacker. It is in the form of a DLL that can also be executed as a standalone process. [1]

ID: S0238
Platforms: Windows
Contributors: Edward Millington
Version: 1.1

Techniques Used

Domain ID Name Use
Enterprise T1119 Automated Collection Proxysvc automatically collects data about the victim and sends it to the control server. [1]
Enterprise T1059 Command-Line Interface Proxysvc executes a binary on the system and logs the results into a temp file by using: cmd.exe /c " > %temp%\PM* .tmp 2>&1". [1]
Enterprise T1043 Commonly Used Port Proxysvc uses port 443 for the control server communications. [1]
Enterprise T1485 Data Destruction Proxysvc can overwrite files indicated by the attacker before deleting them. [1]
Enterprise T1005 Data from Local System Proxysvc searches the local system and gathers data. [1]
Enterprise T1041 Exfiltration Over Command and Control Channel Proxysvc performs data exfiltration over the control server channel using a custom protocol. [1]
Enterprise T1083 File and Directory Discovery Proxysvc lists files in directories. [1]
Enterprise T1107 File Deletion Proxysvc can delete files indicated by the attacker and remove itself from disk using a batch file. [1]
Enterprise T1057 Process Discovery Proxysvc lists processes running on the system. [1]
Enterprise T1012 Query Registry Proxysvc gathers product names from the Registry key: HKLM\Software\Microsoft\Windows NT\CurrentVersion ProductName and the processor description from the Registry key HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ProcessorNameString. [1]
Enterprise T1064 Scripting Proxysvc uses a batch file to delete itself. [1]
Enterprise T1035 Service Execution Proxysvc registers itself as a service on the victim’s machine to run as a standalone process. [1]
Enterprise T1071 Standard Application Layer Protocol Proxysvc uses HTTP over SSL to communicate commands with the control server. [1]
Enterprise T1082 System Information Discovery Proxysvc collects the OS version, country name, MAC address, computer name, physical memory statistics, and volume information for all drives on the system. [1]
Enterprise T1016 System Network Configuration Discovery Proxysvc collects the network adapter information and domain/username information based on current remote sessions. [1]
Enterprise T1124 System Time Discovery As part of the data reconnaissance phase, Proxysvc grabs the system time to send back to the control server. [1]

Groups That Use This Software

ID Name References
G0032 Lazarus Group [1]