Proxysvc

Proxysvc is a malicious DLL used by Lazarus Group in a campaign known as Operation GhostSecret. It has appeared to be operating undetected since 2017 and was mostly observed in higher education organizations. The goal of Proxysvc is to deliver additional payloads to the target and to maintain control for the attacker. It is in the form of a DLL that can also be executed as a standalone process. [1]

ID: S0238
Type: MALWARE
Platforms: Windows
Contributors: Edward Millington
Version: 1.2
Created: 17 October 2018
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

Proxysvc searches the local system and gathers data.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Proxysvc executes a binary on the system and logs the results into a temp file by using: cmd.exe /c " > %temp%\PM*.tmp 2>&1".[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Proxysvc uses HTTP over SSL to communicate commands with the control server.[1]

Enterprise T1485 Data Destruction

Proxysvc can overwrite files indicated by the attacker before deleting them.[1]

Enterprise T1083 File and Directory Discovery

Proxysvc lists files in directories.[1]

Enterprise T1012 Query Registry

Proxysvc gathers product names from the Registry key: HKLM\Software\Microsoft\Windows NT\CurrentVersion ProductName and the processor description from the Registry key HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ProcessorNameString.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

Proxysvc can delete files indicated by the attacker and remove itself from disk using a batch file.[1]

Enterprise T1082 System Information Discovery

Proxysvc collects the OS version, country name, MAC address, computer name, physical memory statistics, and volume information for all drives on the system.[1]

Enterprise T1124 System Time Discovery

As part of the data reconnaissance phase, Proxysvc grabs the system time to send back to the control server.[1]

Enterprise T1569 .002 System Services: Service Execution

Proxysvc registers itself as a service on the victim’s machine to run as a standalone process.[1]

Enterprise T1016 System Network Configuration Discovery

Proxysvc collects the network adapter information and domain/username information based on current remote sessions.[1]

Enterprise T1119 Automated Collection

Proxysvc automatically collects data about the victim and sends it to the control server.[1]

Enterprise T1057 Process Discovery

Proxysvc lists processes running on the system.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Proxysvc performs data exfiltration over the control server channel using a custom protocol.[1]
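An added detection example, not code from the ATT&CK page or the cited report, that applies the T1059.003 and T1569.002 entries above: it scans Sysmon-style process-creation records for a cmd.exe /c run whose output is redirected into %temp%\PM*.tmp. The sample records, the handling of an already-expanded %temp% path, and the svchost.exe/services.exe parent heuristic are my assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sysmon-style process-creation records, constructed for this example (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "whoami > %temp%\PM1A2B.tmp 2>&1"',
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "dir C:\Users > C:\Users\bob\AppData\Local\Temp\PM9.tmp 2>&1"',
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "echo hello > %temp%\build.log"',
     "ParentImage": r"C:\Program Files\Git\git-bash.exe"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductName',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# The logged pattern is: cmd.exe /c "<command> > %temp%\PM<suffix>.tmp 2>&1".
# Assumption: some sensors log %temp% already expanded to a ...\Temp\ path, so both forms are accepted.
PM_TMP_REDIRECT = re.compile(
    r'cmd\.exe\s+/c\s+".*>\s*(?:%temp%|[^"]*\\temp)\\PM[^\\\s"]*\.tmp\s+2>&1',
    re.IGNORECASE,
)

# Assumption: a Proxysvc instance registered as a service (T1569.002) would spawn cmd.exe
# from a service host, so that parent raises the confidence of a hit.
SERVICE_PARENTS = {"svchost.exe", "services.exe"}


def flag_event(event: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the record matches the Proxysvc pattern, else None."""
    if not PM_TMP_REDIRECT.search(event.get("CommandLine", "")):
        return None
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    reason = "cmd.exe output redirected to %temp%\\PM*.tmp (T1059.003)"
    if parent in SERVICE_PARENTS:
        reason += f"; spawned from service host {parent} (T1569.002)"
    return reason


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (index, reason) for every record that matches."""
    return [(i, r) for i, ev in enumerate(events) if (r := flag_event(ev))]


if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {why}")
```

The third record shows the expected negative case: a redirect into %temp% without the PM*.tmp name is left alone, which keeps ordinary build and script output from firing the rule.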

Groups That Use This Software

ID Name References
G0032 Lazarus Group [1]

References