ATT&CK v16 has been released! Check out the blog post for more information.

TYPEFRAME

TYPEFRAME is a remote access tool that has been used by Lazarus Group. ^[1]

ID: S0263

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.3

Created: 17 October 2018

Last Modified: 10 April 2024

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	TYPEFRAME can uninstall malware components using a batch script.^[1] TYPEFRAME can execute commands using a shell.^[1]
		.005	Command and Scripting Interpreter: Visual Basic	TYPEFRAME has used a malicious Word document for delivery with VBA macros for execution.^[1]
Enterprise	T1543	.003	Create or Modify System Process: Windows Service	TYPEFRAME variants can add malicious DLL modules as new services.TYPEFRAME can also delete services from the victim’s machine.^[1]
Enterprise	T1140		Deobfuscate/Decode Files or Information	One TYPEFRAME variant decrypts an archive using an RC4 key, then decompresses and installs the decrypted malicious DLL module. Another variant decodes the embedded file by XORing it with the value "0x35".^[1]
Enterprise	T1083		File and Directory Discovery	TYPEFRAME can search directories for files on the victim’s machine.^[1]
Enterprise	T1562	.004	Impair Defenses: Disable or Modify System Firewall	TYPEFRAME can open the Windows Firewall on the victim’s machine to allow incoming connections.^[1]
Enterprise	T1070	.004	Indicator Removal: File Deletion	TYPEFRAME can delete files off the system.^[1]
Enterprise	T1105		Ingress Tool Transfer	TYPEFRAME can upload and download files to the victim’s machine.^[1]
Enterprise	T1112		Modify Registry	TYPEFRAME can install encrypted configuration data under the Registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\laxhost.dll` and `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PrintConfigs`.^[1]
Enterprise	T1571		Non-Standard Port	TYPEFRAME has used ports 443, 8080, and 8443 with a FakeTLS method.^[1]
Enterprise	T1027	.011	Obfuscated Files or Information: Fileless Storage	TYPEFRAME can install and store encrypted configuration data under the Registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\laxhost.dll` and `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PrintConfigs`.^[1]
		.013	Obfuscated Files or Information: Encrypted/Encoded File	APIs and strings in some TYPEFRAME variants are RC4 encrypted. Another variant is encoded with XOR.^[1]
Enterprise	T1090		Proxy	A TYPEFRAME variant can force the compromised system to function as a proxy server.^[1]
Enterprise	T1082		System Information Discovery	TYPEFRAME can gather the disk volume information.^[1]
Enterprise	T1204	.002	User Execution: Malicious File	A Word document delivering TYPEFRAME prompts the user to enable macro execution.^[1]

Groups That Use This Software

ID	Name	References
G0032	Lazarus Group	^[1]

References

US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.