(Novetta) A large portion of the Lazarus Group’s RAT collection stems from a common core, Romeo-CoreOne (R-C1); the individual families that use R-C1 need only provide the scaffolding to support the R-C1 code. At a minimum, each family that is built upon R-C1 must provide an interface to their specific communications abstraction and a method by which to activate the R-C1 functionality. The general flow of execution for families that use R-C1 is as follows: 1. Dynamically load API functions 2. Perform any configuration management tasks that the family may require (e.g., loading the configuration, opening listening ports, establishing persistence) 3. Establish a communication channel with controlling endpoint 4. Pass off the channel to the R-C1 component There are five known families that are based on, or that incorporate, R-C1 (Figure 2-1): {{RomeoAlfa}}, {{RomeoBravo}}, {{RomeoCharlie}}, {{RomeoHotel}}, and {{RomeoNovember}}. In addition to the four families having commonality through the use of R-C1, two of the families, {{RomeoAlfa}} and {{RomeoHotel}}, share the distinctive fake TLS communication scheme and use the Caracachs encryption scheme as their underlying communication encryption. {{RomeoBravo}}, {{RomeoCharlie}}, and {{RomeoNovember}} use DNSCALC-style encoding for communication encryption.
| TA0043 | TA0042 | TA0001 | TA0002 | TA0003 | TA0004 | TA0005 | TA0006 | TA0007 | TA0008 | TA0009 | TA0011 | TA0010 | TA0040 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
| IP:Port | Timestamp |
|---|
| Domain | Timestamp |
|---|
| URL | Timestamp |
|---|
Tool: Romeos
Names: Romeos, RomeoCore, Romeo-CoreOne, R-C1
Description: (Novetta) A large portion of the Lazarus Group’s RAT collection stems from a common core, Romeo-CoreOne (R-C1); the individual families that use R-C1 need only provide the scaffolding to support the R-C1 code. At a minimum, each family that is built upon R-C1 must provide an interface to their specific communications abstraction and a method by which to activate the R-C1 functionality. The general flow of execution for families that use R-C1 is as follows: 1. Dynamically load API functions 2. Perform any configuration management tasks that the family may require (e.g., loading the configuration, opening listening ports, establishing persistence) 3. Establish a communication channel with controlling endpoint 4. Pass off the channel to the R-C1 component There are five known families that are based on, or that incorporate, R-C1 (Figure 2-1): {{RomeoAlfa}}, {{RomeoBravo}}, {{RomeoCharlie}}, {{RomeoHotel}}, and {{RomeoNovember}}. In addition to the four families having commonality through the use of R-C1, two of the families, {{RomeoAlfa}} and {{RomeoHotel}}, share the distinctive fake TLS communication scheme and use the Caracachs encryption scheme as their underlying communication encryption. {{RomeoBravo}}, {{RomeoCharlie}}, and {{RomeoNovember}} use DNSCALC-style encoding for communication encryption.
Category: Malware
Type: Backdoor, Info stealer
Information: https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.romeos
Last-card-change: 2020-04-23
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
| TA0043 | TA0042 | TA0001 | TA0002 | TA0003 | TA0004 | TA0005 | TA0006 | TA0007 | TA0008 | TA0009 | TA0011 | TA0010 | TA0040 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |