BADCALL is a Trojan malware variant used by the group Lazarus Group. [1]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1001.003 | Data Obfuscation: Protocol or Service Impersonation |
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography |
Enterprise | T1562.004 | Impair Defenses: Disable or Modify System Firewall | BADCALL disables the Windows firewall before binding to a port.[1]
Enterprise | T1112 | Modify Registry | BADCALL modifies the firewall Registry key.
Enterprise | T1571 | Non-Standard Port | BADCALL communicates on ports 443 and 8000 with a FakeTLS method.[1]
Enterprise | T1090 | Proxy | BADCALL functions as a proxy server between the victim and C2 server.[1]
Enterprise | T1082 | System Information Discovery | BADCALL collects the computer name and host name on the compromised system.[1]
Enterprise | T1016 | System Network Configuration Discovery |
ID | Name | References
---|---|---
G0032 | Lazarus Group |