Proxysvc
Proxysvc is a malicious DLL used by Lazarus Group in a campaign known as Operation GhostSecret. It appears to have been operating undetected since 2017 and was mostly observed in higher education organizations. The goal of Proxysvc is to deliver additional payloads to the target and to maintain control for the attacker. It takes the form of a DLL that can also be executed as a standalone process. [1]
ID: S0238
Aliases: Proxysvc
Type: MALWARE
Contributors: Edward Millington
Platforms: Windows
Version: 1.0
Alias Descriptions
Name | Description |
---|---|
Proxysvc | [1] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1119 | Automated Collection | Proxysvc automatically collects data about the victim and sends it to the control server.[1] |
Enterprise | T1059 | Command-Line Interface | Proxysvc executes a binary on the system and logs the results into a temp file by using `cmd.exe /c "`.[1] |
Enterprise | T1043 | Commonly Used Port | Proxysvc uses port 443 for the control server communications.[1] |
Enterprise | T1005 | Data from Local System | Proxysvc searches the local system and gathers data.[1] |
Enterprise | T1041 | Exfiltration Over Command and Control Channel | Proxysvc performs data exfiltration over the control server channel using a custom protocol.[1] |
Enterprise | T1083 | File and Directory Discovery | Proxysvc lists files in directories.[1] |
Enterprise | T1107 | File Deletion | Proxysvc can wipe files indicated by the attacker and remove itself from disk using a batch file.[1] |
Enterprise | T1057 | Process Discovery | Proxysvc lists processes running on the system.[1] |
Enterprise | T1012 | Query Registry | Proxysvc gathers the product name from the `ProductName` value under the Registry key `HKLM\Software\Microsoft\Windows NT\CurrentVersion`, and the processor description from the `ProcessorNameString` value under `HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0`.[1] |
Enterprise | T1064 | Scripting | Proxysvc uses a batch file to delete itself.[1] |
Enterprise | T1035 | Service Execution | Proxysvc registers itself as a service on the victim’s machine to run as a standalone process.[1] |
Enterprise | T1071 | Standard Application Layer Protocol | Proxysvc uses HTTP over SSL to communicate commands with the control server.[1] |
Enterprise | T1082 | System Information Discovery | Proxysvc collects the OS version, country name, MAC address, computer name, physical memory statistics, and volume information for all drives on the system.[1] |
Enterprise | T1016 | System Network Configuration Discovery | Proxysvc collects the network adapter information and domain/username information based on current remote sessions.[1] |
Enterprise | T1124 | System Time Discovery | As part of the data reconnaissance phase, Proxysvc grabs the system time to send back to the control server.[1] |
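As an added example, not code from the cited report or from MITRE, the following Python scores constructed host telemetry against the technique profile in the table above and flags hosts where several of the behaviours overlap. The event record layout, the host names and the sample paths are assumptions made for the example.

```python
# Added example (not from the cited report): flag hosts whose telemetry matches
# several of the Proxysvc behaviours in the table above. The event record shape
# is an assumption, a vendor-neutral dict, not any real sensor's format.
import re
from collections import defaultdict

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# (technique ID from this page, predicate over one event record)
RULES = [
    # T1059: cmd.exe /c with output redirected into a temp file
    ("T1059", lambda e: e["type"] == "process" and
     re.search(r'cmd\.exe\s+/c\s+".*>\s*%temp%', e["cmdline"], re.I) is not None),
    # T1064: cmd.exe launching a batch file (the self-deletion routine)
    ("T1064", lambda e: e["type"] == "process" and
     re.search(r'cmd\.exe\s+/c\s+"?\S+\.bat\b', e["cmdline"], re.I) is not None),
    # T1035: a DLL installed as a service image
    ("T1035", lambda e: e["type"] == "service" and e["image"].lower().endswith(".dll")),
    # T1043: port 443 traffic from a non-browser process (coarse; the overlap matters)
    ("T1043", lambda e: e["type"] == "network" and e["dport"] == 443 and
     e["image"].lower() not in BROWSERS),
    # T1012: read of the two registry values the table names
    ("T1012", lambda e: e["type"] == "registry" and
     e["value"] in {"ProductName", "ProcessorNameString"}),
]

def match_techniques(events):
    """Return {host: sorted technique IDs} for every host with at least one hit."""
    hits = defaultdict(set)
    for e in events:
        for tid, pred in RULES:
            if pred(e):
                hits[e["host"]].add(tid)
    return {h: sorted(t) for h, t in hits.items()}

def suspicious_hosts(events, min_techniques=3):
    """Hosts matching several distinct behaviours; single hits are admin noise."""
    return sorted(h for h, t in match_techniques(events).items()
                  if len(t) >= min_techniques)

# Constructed sample telemetry (not real indicators): one suspect host, one benign.
SAMPLE_EVENTS = [
    {"host": "lab-pc1", "type": "service", "image": r"C:\Windows\Temp\svc.dll"},
    {"host": "lab-pc1", "type": "registry", "value": "ProcessorNameString"},
    {"host": "lab-pc1", "type": "process",
     "cmdline": r'cmd.exe /c "tasklist > %temp%\out.tmp"'},
    {"host": "lab-pc1", "type": "network", "image": "rundll32.exe", "dport": 443},
    {"host": "lab-pc2", "type": "network", "image": "chrome.exe", "dport": 443},
    {"host": "lab-pc2", "type": "registry", "value": "ProductName"},
]
```

Running `suspicious_hosts(SAMPLE_EVENTS)` returns only `lab-pc1`, since `lab-pc2` matches a single technique that ordinary inventory tooling also triggers.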
Groups
Groups that use this software:
Lazarus Group