TYPEFRAME

TYPEFRAME is a remote access tool that has been used by Lazarus Group. [1]

ID: S0263
Type: MALWARE
Platforms: Windows
Version: 1.3
Created: 17 October 2018
Last Modified: 10 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1090 Proxy

A TYPEFRAME variant can force the compromised system to function as a proxy server.[1]

Enterprise T1112 Modify Registry

TYPEFRAME can install encrypted configuration data under the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\laxhost.dll and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PrintConfigs.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

TYPEFRAME variants can add malicious DLL modules as new services. TYPEFRAME can also delete services from the victim's machine.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

One TYPEFRAME variant decrypts an archive using an RC4 key, then decompresses and installs the decrypted malicious DLL module. Another variant decodes the embedded file by XORing it with the value "0x35".[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

TYPEFRAME can uninstall malware components using a batch script.[1] TYPEFRAME can execute commands using a shell.[1]

.005 Command and Scripting Interpreter: Visual Basic

TYPEFRAME has used a malicious Word document for delivery with VBA macros for execution.[1]

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

TYPEFRAME can open the Windows Firewall on the victim’s machine to allow incoming connections.[1]

Enterprise T1083 File and Directory Discovery

TYPEFRAME can search directories for files on the victim’s machine.[1]

Enterprise T1027 .011 Obfuscated Files or Information: Fileless Storage

TYPEFRAME can install and store encrypted configuration data under the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\laxhost.dll and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PrintConfigs.[1]

.013 Obfuscated Files or Information: Encrypted/Encoded File

APIs and strings in some TYPEFRAME variants are RC4 encrypted. Another variant is encoded with XOR.[1]
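The two unpacking schemes attributed to TYPEFRAME variants above (T1140 and T1027.013), an RC4-encrypted compressed archive and a single-byte XOR with 0x35, are simple enough that an analyst can reverse them in a triage script. The following is an added example written for this page, not code from the malware or from the cited report; the RC4 key, the use of zlib as the compression layer, and the sample blob are constructed placeholders, since the source does not state the key or the compression format.

```python
"""Analyst-side decoder for the two TYPEFRAME unpacking schemes described above.

Added example, not the malware's own code. Assumptions (not from the report):
the RC4 key below is a placeholder, zlib stands in for whatever compression the
real variant uses, and the 'archive' is a constructed blob, not a real sample.
"""
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_decode(data: bytes, key: int = 0x35) -> bytes:
    """Single-byte XOR as used by the second variant; symmetric, so also encodes."""
    return bytes(b ^ key for b in data)


def unpack_rc4_archive(blob: bytes, key: bytes) -> bytes:
    """First variant: RC4-decrypt, then decompress (zlib assumed here)."""
    return zlib.decompress(rc4(key, blob))


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check that a decoded module is a Windows PE image."""
    return data[:2] == b"MZ"


def triage(blob: bytes, rc4_key: bytes) -> str:
    """Try both schemes and report which one yields a plausible PE, if any."""
    try:
        if looks_like_pe(unpack_rc4_archive(blob, rc4_key)):
            return "rc4+decompress"
    except zlib.error:
        pass
    if looks_like_pe(xor_decode(blob)):
        return "xor-0x35"
    return "unknown"


# Constructed sample data (placeholders, not real TYPEFRAME artefacts).
PAYLOAD = b"MZ" + b"\x90" * 62 + b"constructed placeholder module body"
SAMPLE_KEY = b"placeholder-rc4-key"
RC4_SAMPLE = rc4(SAMPLE_KEY, zlib.compress(PAYLOAD))   # what variant 1 would carry
XOR_SAMPLE = xor_decode(PAYLOAD)                        # what variant 2 would carry

if __name__ == "__main__":
    print("rc4 archive ->", triage(RC4_SAMPLE, SAMPLE_KEY))
    print("xor blob    ->", triage(XOR_SAMPLE, SAMPLE_KEY))
```

When running this against a real embedded blob, the RC4 key has to be recovered from the loader first; the `triage` function only tells you which of the two schemes produced a PE header, which is enough to route the sample to the right unpacking path.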

Enterprise T1204 .002 User Execution: Malicious File

A Word document delivering TYPEFRAME prompts the user to enable macro execution.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

TYPEFRAME can delete files off the system.[1]

Enterprise T1082 System Information Discovery

TYPEFRAME can gather the disk volume information.[1]

Enterprise T1105 Ingress Tool Transfer

TYPEFRAME can upload and download files to the victim’s machine.[1]

Enterprise T1571 Non-Standard Port

TYPEFRAME has used ports 443, 8080, and 8443 with a FakeTLS method.[1]

Groups That Use This Software

ID Name References
G0032 Lazarus Group [1]

References