ECCENTRIC BANDWAGON, DPRK

September 4, 2020

Overview:

SonicWall Capture Labs Threat Research Team recently found a new sample and activity for:
ECCENTRIC BANDWAGON, DPRK.

The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. North Korea, is officially named the Democratic People’s Republic of Korea (DPRK) as a country in East Asia constituting the northern part of the Korean Peninsula. North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea.

ECCENTRIC BANDWAGON, one of the new Remote Access Trojans (RAT) was created by HIDDEN COBRA.

The details behind the use of these remote tools are believed to be used in highly targeted attacks against financial, engineering, government, and non-governmental organisations.

All ECCENTRIC BANDWAGON variants consist of a primary DLL file that, when executed, uses three separate files for screen shots, systems logs, and key logs. Some variants will encrypt these files using RC4, while others include basic clean-up functionality that will attempt to remove log files once ECCENTRIC BANDWAGON has finished executing.

Sample, Static Information:

Dynamic Information:

Key-logging Artifacts:

Clipboard Capture:

Directory Removal and Clean-up:

Strings Set 01:

Strings Set 02:

Supported Systems:

  • Windows 10
  • Windows 8.1
  • Windows 8.0
  • Windows 7
  • Windows Vista

SonicWall, (GAV) Gateway Anti-Virus, provides protection against this threat:

  • GAV: EccentricBandwagon.N (Trojan)

Appendix:

Sample SHA256 Hash: c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec