ECCENTRICBANDWAGON is a remote access Trojan (RAT) used by North Korean cyber actors that was first identified in August 2020. It is a reconnaissance tool--with keylogging and screen capture functionality--used for information gathering on compromised systems.^[1]

ID: S0593

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.0

Created: 18 March 2021

Last Modified: 15 October 2021

Techniques Used

Domain	ID		Name	Use
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	ECCENTRICBANDWAGON can use cmd to execute commands on a victim’s machine.^[1]
Enterprise	T1074	.001	Data Staged: Local Data Staging	ECCENTRICBANDWAGON has stored keystrokes and screenshots within the `%temp%\GoogleChrome`, `%temp%\Downloads`, and `%temp%\TrendMicroUpdate` directories.^[1]
Enterprise	T1070	.004	Indicator Removal on Host: File Deletion	ECCENTRICBANDWAGON can delete log files generated from the malware stored at `C:\windows\temp\tmp0207`.^[1]
Enterprise	T1056	.001	Input Capture: Keylogging	ECCENTRICBANDWAGON can capture and store keystrokes.^[1]
Enterprise	T1027		Obfuscated Files or Information	ECCENTRICBANDWAGON has encrypted strings with RC4.^[1]
Enterprise	T1113		Screen Capture	ECCENTRICBANDWAGON can capture screenshots and store them locally.^[1]

Groups That Use This Software

ID	Name	References
G0032	Lazarus Group	^[1]
G0082	APT38	^[2]

References

Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021.

DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.

ECCENTRICBANDWAGON

Enterprise Layer

Techniques Used

Groups That Use This Software

References