TAINTEDSCRIBE is a fully-featured beaconing implant integrated with command modules used by Lazarus Group. It was first reported in May 2020.[1]
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1560 | Archive Collected Data |
TAINTEDSCRIBE has used |
|
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
TAINTEDSCRIBE can copy itself into the current user’s Startup folder as "Narrator.exe" for persistence.[1] |
Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
TAINTEDSCRIBE can enable Windows CLI access and execute files.[1] |
Enterprise | T1001 | .003 | Data Obfuscation: Protocol or Service Impersonation |
TAINTEDSCRIBE has used FakeTLS for session authentication.[1] |
Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
TAINTEDSCRIBE uses a Linear Feedback Shift Register (LFSR) algorithm for network encryption.[1] |
Enterprise | T1008 | Fallback Channels |
TAINTEDSCRIBE can randomly pick one of five hard-coded IP addresses for C2 communication; if one of the IP fails, it will wait 60 seconds and then try another IP address.[1] |
|
Enterprise | T1083 | File and Directory Discovery |
TAINTEDSCRIBE can use |
|
Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
TAINTEDSCRIBE can delete files from a compromised host.[1] |
.006 | Indicator Removal: Timestomp |
TAINTEDSCRIBE can change the timestamp of specified filenames.[1] |
||
Enterprise | T1105 | Ingress Tool Transfer |
TAINTEDSCRIBE can download additional modules from its C2 server.[1] |
|
Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
The TAINTEDSCRIBE main executable has disguised itself as Microsoft’s Narrator.[1] |
Enterprise | T1027 | .001 | Obfuscated Files or Information: Binary Padding |
TAINTEDSCRIBE can execute |
Enterprise | T1057 | Process Discovery |
TAINTEDSCRIBE can execute |
|
Enterprise | T1018 | Remote System Discovery |
The TAINTEDSCRIBE command and execution module can perform target system enumeration.[1] |
|
Enterprise | T1082 | System Information Discovery |
TAINTEDSCRIBE can use |
|
Enterprise | T1124 | System Time Discovery |
TAINTEDSCRIBE can execute |
ID | Name | References |
---|---|---|
G0032 | Lazarus Group |