win.typeframe

TYPEFRAME

Actor(s): Lazarus Group


TYPEFRAME is a RAT.

It supports ~25 commands, which include operations on the victim’s filesystem, manipulation of its own configuration, modification of the system's firewall, download and execution of additional tools from the attacker’s C&C, and uninstallation via a self-deleting batch file. The commands are indexed by 16-bit integers, starting with the value 0x8000.

The RAT uses RC4 to decrypt its binary configuration. It includes a statically linked OpenSSL 0.9.8k library, which it uses for SSL communication.

References
2019-03-14, CISA: MAR-10135536-12 – North Korean Trojan: TYPEFRAME
miniTypeFrame TYPEFRAME

There is no Yara-Signature yet.