1. Home
  2. Software
  3. Torisma

Torisma

Torisma is a second stage implant designed for specialized monitoring that has been used by Lazarus Group. Torisma was discovered during an investigation into the 2020 Operation North Star campaign that targeted the defense sector.[1]

ID: S0678
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 01 February 2022
Last Modified: 10 April 2024
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1573 .001 加密通道: Symmetric Cryptography

Torisma has encrypted its C2 communications using XOR and VEST-32.[1]
Enterprise T1140 反混淆/解码文件或信息

Torisma has used XOR and Base64 to decode C2 data.[1]
Enterprise T1071 .001 应用层协议: Web Protocols

Torisma can use HTTP and HTTPS for C2 communications.[1]
Enterprise T1480 执行保护

Torisma is only delivered to a compromised host if the victim's IP address is on an allow-list.[1]
Enterprise T1132 .001 数据编码: Standard Encoding

Torisma has encoded C2 communications with Base64.[1]
Enterprise T1106 本机API

Torisma has used various Windows API calls.[1]
Enterprise T1027 .002 混淆文件或信息: Software Packing

Torisma has been packed with Iz4 compression.[1]
.013 混淆文件或信息: Encrypted/Encoded File

Torisma has been Base64 encoded and AES encrypted.[1]
Enterprise T1082 系统信息发现

Torisma can use GetlogicalDrives to get a bitmask of all drives available on a compromised system. It can also use GetDriveType to determine if a new drive is a CD-ROM drive.[1]
Enterprise T1124 系统时间发现

Torisma can collect the current time on a victim machine.[1]
Enterprise T1049 系统网络连接发现

Torisma can use WTSEnumerateSessionsW to monitor remote desktop connections.[1]
Enterprise T1016 系统网络配置发现

Torisma can collect the local MAC address using GetAdaptersInfo as well as the system's IP address.[1]
Enterprise T1041 通过C2信道渗出

Torisma can send victim data to an actor-controlled C2 server.[1]

Groups That Use This Software

ID Name References
G0032 Lazarus Group

[2][3][1][4]

Campaigns

ID Name Description
C0022 Operation Dream Job

During Operation Dream Job, Lazarus Group used Torisma to actively monitor for new drives and remote desktop connections on an infected system.[3][1]

References

  1. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.
  2. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  1. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
  2. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.