AuditCred

AuditCred is a malicious DLL that has been used by Lazarus Group during their 2018 attacks.[1]

ID: S0347
Associated Software: Roptimizer

Type: MALWARE
Platforms: Windows

Version: 1.0

Associated Software Descriptions

| Name | Description |
|------|-------------|
| Roptimizer | [1] |

Techniques Used

| Domain | ID | Name | Use |
|--------|----|------|-----|
| Enterprise | T1059 | Command-Line Interface | AuditCred can open a reverse shell on the system to execute commands.[1] |
| Enterprise | T1043 | Commonly Used Port | AuditCred has used port 443 for C2 communications.[1] |
| Enterprise | T1090 | Connection Proxy | AuditCred can utilize a proxy for communications.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | AuditCred uses XOR and RC4 to decrypt its code functions.[1] |
| Enterprise | T1083 | File and Directory Discovery | AuditCred can search through folders and files on the system.[1] |
| Enterprise | T1107 | File Deletion | AuditCred can delete files from the system.[1] |
| Enterprise | T1050 | New Service | AuditCred is installed as a new service on the system.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | AuditCred encrypts its configuration.[1] |
| Enterprise | T1055 | Process Injection | AuditCred can inject code from files into other running processes.[1] |
| Enterprise | T1105 | Remote File Copy | AuditCred can download files and additional malware.[1] |

Groups

Groups that use this software:

Lazarus Group

References