JUST RELEASED: ATT&CK for Industrial Control Systems


AuditCred is a malicious DLL that has been used by Lazarus Group during their 2018 attacks.[1]

ID: S0347
Associated Software: Roptimizer
Platforms: Windows
Version: 1.0
Created: 30 January 2019
Last Modified: 30 January 2019

Associated Software Descriptions

Name Description
Roptimizer [1]

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

AuditCred can open a reverse shell on the system to execute commands.[1]

Enterprise T1043 Commonly Used Port

AuditCred has used Port Number 443 for C2 communications.[1]

Enterprise T1090 Connection Proxy

AuditCred can utilize proxy for communications.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

AuditCred uses XOR and RC4 to perform decryption on the code functions.[1]

Enterprise T1083 File and Directory Discovery

AuditCred can search through folders and files on the system.[1]

Enterprise T1107 File Deletion

AuditCred can delete files from the system.[1]

Enterprise T1050 New Service

AuditCred is installed as a new service on the system.[1]

Enterprise T1027 Obfuscated Files or Information

AuditCred encrypts the configuration.[1]

Enterprise T1055 Process Injection

AuditCred can inject code from files to other running processes.[1]

Enterprise T1105 Remote File Copy

AuditCred can download files and additional malware.[1]

Groups That Use This Software

ID Name References
G0032 Lazarus Group [1]