ECCENTRICBANDWAGON is a remote access Trojan (RAT) used by North Korean cyber actors that was first identified in August 2020. It is a reconnaissance tool--with keylogging and screen capture functionality--used for information gathering on compromised systems.[1]

ID: S0593
Platforms: Windows
Version: 1.0
Created: 18 March 2021
Last Modified: 15 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

ECCENTRICBANDWAGON can use cmd to execute commands on a victim’s machine.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

ECCENTRICBANDWAGON has stored keystrokes and screenshots within the %temp%\GoogleChrome, %temp%\Downloads, and %temp%\TrendMicroUpdate directories.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

ECCENTRICBANDWAGON can delete log files generated from the malware stored at C:\windows\temp\tmp0207.[1]

Enterprise T1056 .001 Input Capture: Keylogging

ECCENTRICBANDWAGON can capture and store keystrokes.[1]

Enterprise T1027 Obfuscated Files or Information

ECCENTRICBANDWAGON has encrypted strings with RC4.[1]

Enterprise T1113 Screen Capture

ECCENTRICBANDWAGON can capture screenshots and store them locally.[1]

Groups That Use This Software

ID Name References
G0082 APT38


G0032 Lazarus Group