Proxysvc is a malicious DLL used by Lazarus Group in a campaign known as Operation GhostSecret. It appears to have been operating undetected since 2017 and was mostly observed in higher education organizations. The goal of Proxysvc is to deliver additional payloads to the target and to maintain control for the attacker. It takes the form of a DLL that can also be executed as a standalone process. [1]

ID: S0238
Contributors: Edward Millington

Platforms: Windows

Version: 1.1

Techniques Used

Domain | ID | Name | Use
Enterprise | T1119 | Automated Collection | Proxysvc automatically collects data about the victim and sends it to the control server.[1]
Enterprise | T1059 | Command-Line Interface | Proxysvc executes a binary on the system and logs the results into a temp file by using: cmd.exe /c " > %temp%\PM*.tmp 2>&1".[1]
Enterprise | T1043 | Commonly Used Port | Proxysvc uses port 443 for the control server communications.[1]
Enterprise | T1485 | Data Destruction | Proxysvc can overwrite files indicated by the attacker before deleting them.[1]
Enterprise | T1005 | Data from Local System | Proxysvc searches the local system and gathers data.[1]
Enterprise | T1041 | Exfiltration Over Command and Control Channel | Proxysvc performs data exfiltration over the control server channel using a custom protocol.[1]
Enterprise | T1083 | File and Directory Discovery | Proxysvc lists files in directories.[1]
Enterprise | T1107 | File Deletion | Proxysvc can delete files indicated by the attacker and remove itself from disk using a batch file.[1]
Enterprise | T1057 | Process Discovery | Proxysvc lists processes running on the system.[1]
Enterprise | T1012 | Query Registry | Proxysvc gathers the product name from the Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion ProductName and the processor description from the Registry value HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ProcessorNameString.[1]
Enterprise | T1064 | Scripting | Proxysvc uses a batch file to delete itself.[1]
Enterprise | T1035 | Service Execution | Proxysvc registers itself as a service on the victim's machine to run as a standalone process.[1]
Enterprise | T1071 | Standard Application Layer Protocol | Proxysvc uses HTTP over SSL to communicate commands with the control server.[1]
Enterprise | T1082 | System Information Discovery | Proxysvc collects the OS version, country name, MAC address, computer name, physical memory statistics, and volume information for all drives on the system.[1]
Enterprise | T1016 | System Network Configuration Discovery | Proxysvc collects the network adapter information and domain/username information based on current remote sessions.[1]
Enterprise | T1124 | System Time Discovery | As part of the data reconnaissance phase, Proxysvc grabs the system time to send back to the control server.[1]
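The command-line pattern in the T1059 row (cmd.exe writing output to %temp%\PM*.tmp with stderr redirected) and the service-hosted execution in the T1035 row are both observable in process-creation telemetry. The following detection logic is an added example, not part of the ATT&CK entry or of any vendor tooling; the Sysmon-style events it runs over are constructed here, and the field names (parent, image, cmdline) are assumptions.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1 style
# (hypothetical, not real telemetry). Only the two cmd.exe events
# that write to %temp%\PM<...>.tmp match the page's T1059 pattern.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "tasklist > %temp%\PM1A2B.tmp 2>&1"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "dir > C:\Users\alice\out.txt"'},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "ipconfig /all > %TEMP%\PMffe3.tmp 2>&1"'},
]

# cmd.exe /c " <command> > %temp%\PM<anything>.tmp 2>&1"
# %temp% is matched case-insensitively because environment
# variable names are case-insensitive on Windows.
PROXYSVC_REDIRECT = re.compile(
    r'cmd\.exe\s+/c\s+".*>\s*%temp%\\PM[^\\"]*\.tmp\s+2>&1"',
    re.IGNORECASE)

# Parents that indicate the caller runs as a service (T1035).
SERVICE_HOSTS = ("services.exe", "svchost.exe")


def is_proxysvc_redirect(cmdline: str) -> bool:
    """True when the command line matches the PM*.tmp redirect pattern."""
    return PROXYSVC_REDIRECT.search(cmdline) is not None


def find_suspicious(events):
    """Return (cmdline, severity) for events matching the redirect pattern.

    Severity is 'high' when the parent is a service host, since Proxysvc
    registers itself as a service; otherwise 'medium'."""
    hits = []
    for ev in events:
        if not is_proxysvc_redirect(ev["cmdline"]):
            continue
        parent = ev["parent"].lower().rsplit("\\", 1)[-1]
        severity = "high" if parent in SERVICE_HOSTS else "medium"
        hits.append((ev["cmdline"], severity))
    return hits


if __name__ == "__main__":
    for cmdline, severity in find_suspicious(SAMPLE_EVENTS):
        print(f"[{severity}] {cmdline}")
```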


Groups that use this software:

Lazarus Group