1. Home
  2. Software
  3. TAINTEDSCRIBE

TAINTEDSCRIBE

TAINTEDSCRIBE is a fully-featured beaconing implant integrated with command modules used by Lazarus Group. It was first reported in May 2020.[1]

ID: S0586
Type: MALWARE
Platforms: Windows
Contributors: Daniyal Naeem, BT Security
Version: 1.0
Created: 05 March 2021
Last Modified: 26 April 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1036 .005 伪装: Match Legitimate Name or Location

The TAINTEDSCRIBE main executable has disguised itself as Microsoft’s Narrator.[1]
Enterprise T1573 .001 加密通道: Symmetric Cryptography

TAINTEDSCRIBE uses a Linear Feedback Shift Register (LFSR) algorithm for network encryption.[1]
Enterprise T1547 .001 启动或登录自动启动执行: Registry Run Keys / Startup Folder

TAINTEDSCRIBE can copy itself into the current user’s Startup folder as "Narrator.exe" for persistence.[1]
Enterprise T1059 .003 命令与脚本解释器: Windows Command Shell

TAINTEDSCRIBE can enable Windows CLI access and execute files.[1]
Enterprise T1008 回退信道

TAINTEDSCRIBE can randomly pick one of five hard-coded IP addresses for C2 communication; if one of the IP fails, it will wait 60 seconds and then try another IP address.[1]
Enterprise T1560 归档收集数据

TAINTEDSCRIBE has used FileReadZipSend to compress a file and send to C2.[1]
Enterprise T1001 .003 数据混淆: Protocol or Service Impersonation

TAINTEDSCRIBE has used FakeTLS for session authentication.[1]
Enterprise T1083 文件和目录发现

TAINTEDSCRIBE can use DirectoryList to enumerate files in a specified directory.[1]
Enterprise T1027 .001 混淆文件或信息: Binary Padding

TAINTEDSCRIBE can execute FileRecvWriteRand to append random bytes to the end of a file received from C2.[1]
Enterprise T1070 .004 移除指标: File Deletion

TAINTEDSCRIBE can delete files from a compromised host.[1]
.006 移除指标: Timestomp

TAINTEDSCRIBE can change the timestamp of specified filenames.[1]
Enterprise T1082 系统信息发现

TAINTEDSCRIBE can use DriveList to retrieve drive information.[1]
Enterprise T1124 系统时间发现

TAINTEDSCRIBE can execute GetLocalTime for time discovery.[1]
Enterprise T1105 输入工具传输

TAINTEDSCRIBE can download additional modules from its C2 server.[1]
Enterprise T1057 进程发现

TAINTEDSCRIBE can execute ProcessList for process discovery.[1]
Enterprise T1018 远程系统发现

The TAINTEDSCRIBE command and execution module can perform target system enumeration.[1]

Groups That Use This Software

ID Name References
G0032 Lazarus Group

[1]

References

  1. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.