win.secondhandtea

SecondHandTea

Actor(s): Lazarus Group


SecondHandTea is a full-featured Remote Access Trojan (RAT), closely related to BackbitingTea, the flagship backdoor used in the DangerousPassword campaigns (also known as SnatchCrypto).

Both malware families appear to share a common codebase and are compiled within the same build environment.

While they share most core functionality and supported commands, SecondHandTea differs from BackbitingTea variants in several technical aspects (SecondHandTea listed first, BackbitingTea second):

- Configuration file paths
- Network libraries: OpenSSL 1.1.0f vs. wolfSSL or Winsock TCP/IP
- Encryption algorithms: AES-256 vs. RC4
- Compression methods: LZ4 vs. ZIP

These differences suggest active development and customization efforts tailored to specific operational needs.
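The library, cipher and compression differences listed above are exactly the kind of artifact an analyst looks for when sorting an unpacked sample into one family profile or the other. The following triage helper is an added example written for this page, not code from Malpedia or from ESET; the byte patterns it uses are generic library fingerprints (the OpenSSL version banner, the first 16 bytes of the AES S-box, the LZ4 frame magic, the ZIP local-header signature, and the literal string `wolfSSL`), not indicators published for either malware family, and the two sample buffers are constructed stand-ins, not real binaries.

```python
import re
from typing import Dict

# Constructed heuristics for this example; none of these byte patterns are
# indicators published for SecondHandTea or BackbitingTea.
OPENSSL_BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)")  # from OPENSSL_VERSION_TEXT
AES_SBOX_PREFIX = bytes.fromhex("637c777bf26b6fc53001672bfed7ab76")  # first 16 AES S-box bytes
LZ4_FRAME_MAGIC = b"\x04\x22\x4d\x18"   # LZ4 frame magic 0x184D2204, little-endian
ZIP_LOCAL_HEADER = b"PK\x03\x04"        # ZIP local file header signature


def triage(sample: bytes) -> Dict[str, object]:
    """Collect library, cipher and compression artifacts from a raw sample buffer."""
    m = OPENSSL_BANNER.search(sample)
    return {
        "openssl_version": m.group(1).decode() if m else None,
        "wolfssl_strings": b"wolfSSL" in sample,  # assumption: library name survives in strings
        "aes_sbox": AES_SBOX_PREFIX in sample,    # AES needs a table; RC4 carries no such constant
        "lz4_frames": sample.count(LZ4_FRAME_MAGIC),
        "zip_headers": sample.count(ZIP_LOCAL_HEADER),
    }


def classify(findings: Dict[str, object]) -> str:
    """Score artifacts against the two profiles: OpenSSL/AES/LZ4 vs. wolfSSL/RC4/ZIP."""
    second = sum((
        findings["openssl_version"] is not None,
        bool(findings["aes_sbox"]),
        findings["lz4_frames"] > 0,
    ))
    back = sum((
        bool(findings["wolfssl_strings"]),
        findings["zip_headers"] > 0,
    ))
    if second > back:
        return "SecondHandTea-like"
    if back > second:
        return "BackbitingTea-like"
    return "undetermined"


# Constructed stand-ins for unpacked binaries, not real samples.
SAMPLE_OPENSSL = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"OpenSSL 1.1.0f  25 May 2017\x00"
    + AES_SBOX_PREFIX
    + LZ4_FRAME_MAGIC + b"\x64\x40\xa7" + b"\x00" * 8
)
SAMPLE_WOLFSSL = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"wolfSSL: bad cert\x00"
    + ZIP_LOCAL_HEADER + b"\x14\x00" + b"\x00" * 8
)

if __name__ == "__main__":
    for name, buf in (("constructed-openssl", SAMPLE_OPENSSL),
                      ("constructed-wolfssl", SAMPLE_WOLFSSL)):
        f = triage(buf)
        print(name, classify(f), f)
```

These checks only work on an unpacked image: a packed or encrypted payload hides all of the strings and tables above, and a build that links Winsock directly (the third networking option named for BackbitingTea) leaves no TLS library banner at all, which is why the scoring falls back to "undetermined" rather than forcing a label.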

The malware's name was inferred from its internal filename: SecondT_x64.exe.

Between H2 2022 and Q1 2023, SecondHandTea was observed in targeted attacks against entities involved in cryptocurrency trading and blockchain technology, indicating a continued focus on financially motivated operations.

References

2023-01-31 | WeLiveSecurity | ESET Research: ESET APT Activity Report T3 2022 (tags: SecondHandTea, MirrorFace)

There is no Yara-Signature yet.