AuditCred is a malicious DLL that has been used by Lazarus Group during their 2018 attacks.[1]

ID: S0347
Associated Software: Roptimizer
Platforms: Windows
Version: 1.1
Created: 30 January 2019
Last Modified: 30 March 2020

Associated Software Descriptions

Name Description


Techniques Used

Domain ID Name Use
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

AuditCred can open a reverse shell on the system to execute commands.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

AuditCred is installed as a new service on the system.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

AuditCred uses XOR and RC4 to perform decryption on the code functions.[1]

Enterprise T1083 File and Directory Discovery

AuditCred can search through folders and files on the system.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

AuditCred can delete files from the system.[1]

Enterprise T1105 Ingress Tool Transfer

AuditCred can download files and additional malware.[1]

Enterprise T1027 Obfuscated Files or Information

AuditCred encrypts the configuration.[1]

Enterprise T1055 Process Injection

AuditCred can inject code from files to other running processes.[1]

Enterprise T1090 Proxy

AuditCred can utilize proxy for communications.[1]

Groups That Use This Software

ID Name References
G0032 Lazarus Group