TYPEFRAME is a remote access tool that has been used by Lazarus Group. [1]

ID: S0263
Platforms: Windows
Version: 1.1
Created: 17 October 2018
Last Modified: 23 June 2020

Techniques Used

Domain ID Name Use
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

TYPEFRAME can uninstall malware components using a batch script.[1] TYPEFRAME can execute commands using a shell.[1]

.005 Command and Scripting Interpreter: Visual Basic

TYPEFRAME has used a malicious Word document for delivery with VBA macros for execution.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

TYPEFRAME variants can add malicious DLL modules as new services.TYPEFRAME can also delete services from the victim’s machine.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

One TYPEFRAME variant decrypts an archive using an RC4 key, then decompresses and installs the decrypted malicious DLL module. Another variant decodes the embedded file by XORing it with the value "0x35".[1]

Enterprise T1083 File and Directory Discovery

TYPEFRAME can search directories for files on the victim’s machine.[1]

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

TYPEFRAME can open the Windows Firewall on the victim’s machine to allow incoming connections.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

TYPEFRAME can delete files off the system.[1]

Enterprise T1105 Ingress Tool Transfer

TYPEFRAME can upload and download files to the victim’s machine.[1]

Enterprise T1112 Modify Registry

TYPEFRAME can install encrypted configuration data under the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\laxhost.dll and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PrintConfigs.[1]

Enterprise T1571 Non-Standard Port

TYPEFRAME has used ports 443, 8080, and 8443 with a FakeTLS method.[1]

Enterprise T1027 Obfuscated Files or Information

APIs and strings in some TYPEFRAME variants are RC4 encrypted. Another variant is encoded with XOR.[1]

Enterprise T1090 Proxy

A TYPEFRAME variant can force the compromised system to function as a proxy server.[1]

Enterprise T1082 System Information Discovery

TYPEFRAME can gather the disk volume information.[1]

Enterprise T1204 .002 User Execution: Malicious File

A Word document delivering TYPEFRAME prompts the user to enable macro execution.[1]

Groups That Use This Software

ID Name References
G0032 Lazarus Group