TYPEFRAME is a remote access tool that has been used by Lazarus Group. [1]

ID: S0263
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1059 | Command-Line Interface | TYPEFRAME can execute commands using a shell.[1]
Enterprise | T1043 | Commonly Used Port | TYPEFRAME variants can use ports 443, 8443, and 8080 for communications.[1]
Enterprise | T1090 | Connection Proxy | A TYPEFRAME variant can force the compromised system to function as a proxy server.[1]
Enterprise | T1094 | Custom Command and Control Protocol | A TYPEFRAME variant uses fake TLS to communicate with the C2 server.[1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | One TYPEFRAME variant decrypts an archive using an RC4 key, then decompresses and installs the decrypted malicious DLL module. Another variant decodes the embedded file by XORing it with the value "0x35".[1]
Enterprise | T1089 | Disabling Security Tools | TYPEFRAME can open the Windows Firewall on the victim's machine to allow incoming connections.[1]
Enterprise | T1083 | File and Directory Discovery | TYPEFRAME can search directories for files on the victim's machine.[1]
Enterprise | T1107 | File Deletion | TYPEFRAME can delete files off the system.[1]
Enterprise | T1031 | Modify Existing Service | TYPEFRAME can delete services from the victim's machine.[1]
Enterprise | T1112 | Modify Registry | TYPEFRAME can install encrypted configuration data under the Registry keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\laxhost.dll and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PrintConfigs.[1]
Enterprise | T1050 | New Service | TYPEFRAME variants can add malicious DLL modules as new services.[1]
Enterprise | T1027 | Obfuscated Files or Information | APIs and strings in some TYPEFRAME variants are RC4 encrypted. Another variant is encoded with XOR.[1]
Enterprise | T1105 | Remote File Copy | TYPEFRAME can upload and download files to the victim's machine.[1]
Enterprise | T1064 | Scripting | TYPEFRAME can uninstall malware components using a batch script. Additionally, a malicious Word document used for delivery uses VBA macros for execution.[1]
Enterprise | T1082 | System Information Discovery | TYPEFRAME can gather the disk volume information.[1]
Enterprise | T1065 | Uncommonly Used Port | A TYPEFRAME variant can use port 127 for communications.[1]
Enterprise | T1204 | User Execution | A Word document delivering TYPEFRAME prompts the user to enable macro execution.[1]
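
As an added analyst example, not code from the ATT&CK entry or from any TYPEFRAME sample, the following Python locates and decodes a PE image that has been XOR-encoded with the single-byte 0x35 key noted under T1140, confirming each candidate by checking the DOS header's e_lfanew against the PE signature. The sample input is constructed here and the function names are my own.

```python
import struct
from typing import Optional

TYPEFRAME_XOR_KEY = 0x35   # single-byte key the ATT&CK entry attributes to one variant


def xor_decode(data: bytes, key: int = TYPEFRAME_XOR_KEY) -> bytes:
    """Undo the single-byte XOR encoding (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def find_xor_encoded_pe(blob: bytes, key: int = TYPEFRAME_XOR_KEY) -> Optional[int]:
    """Return the offset of the first XOR-encoded PE image in blob, or None.

    Candidates are found by searching for the encoded form of the 'MZ' stub;
    each is confirmed by decoding the DOS header, reading e_lfanew (offset 60)
    and checking that the PE signature sits where the header says it should.
    """
    needle = xor_decode(b"MZ", key)            # what 'MZ' looks like once encoded
    pos = blob.find(needle)
    while pos != -1:
        dos = xor_decode(blob[pos:pos + 64], key)
        if len(dos) == 64:
            e_lfanew = struct.unpack_from("<I", dos, 60)[0]
            sig = xor_decode(blob[pos + e_lfanew:pos + e_lfanew + 4], key)
            if sig == b"PE\0\0":
                return pos
        pos = blob.find(needle, pos + 1)        # false hit: keep scanning
    return None


def carve_xor_encoded_pe(blob: bytes, key: int = TYPEFRAME_XOR_KEY) -> Optional[bytes]:
    """Decode everything from the located MZ header to the end of the blob."""
    off = find_xor_encoded_pe(blob, key)
    return None if off is None else xor_decode(blob[off:], key)


def build_sample() -> bytes:
    """Constructed test input: a minimal fake PE stub, XOR-encoded, behind filler."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)        # e_lfanew -> signature right after header
    fake_pe = bytes(dos) + b"PE\0\0" + b"\x00" * 16
    return b"loader-stub-" * 4 + xor_decode(fake_pe) + b"trailer"


if __name__ == "__main__":
    sample = build_sample()
    print("encoded PE found at offset:", find_xor_encoded_pe(sample))
```

The header check matters because the encoded form of "MZ" is just two ordinary bytes that can occur by chance in unrelated data.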


Groups that use this software:

Lazarus Group