
TAINTEDSCRIBE

Posted: May 14, 2020

TAINTEDSCRIBE is a malware implant that the HIDDEN COBRA (Lazarus APT) group has used against its targets over the past couple of years. Its purpose is to give the attacker silent backdoor access to the compromised system, together with a set of remotely triggered actions.

When the TAINTEDSCRIBE implant is delivered to a host, it disguises its payload under the name 'Narrator.exe', impersonating the Microsoft Narrator accessibility utility that is found on most modern Windows computers.

To gain persistence, the 'Narrator.exe' payload will be added to the Windows Startup folder.
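One way a defender can check for this persistence technique, written as an added example that is not part of the original page: it audits the per-user and all-users Startup folders for a file or shortcut named Narrator.exe outside System32, and for unsigned executables. It assumes the genuine Narrator.exe lives under %SystemRoot%\System32 and carries a valid Microsoft signature.

```powershell
# Added example (not from the original page): hunt for a 'Narrator.exe' planted in a
# Windows Startup folder, the persistence method described above.
# Assumption: the legitimate Narrator.exe is %SystemRoot%\System32\Narrator.exe.
$genuine = Join-Path $env:SystemRoot 'System32\Narrator.exe'

# Current user's Startup, the all-users Startup, and every profile's Startup folder.
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$startupFolders += Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }

$shell = New-Object -ComObject WScript.Shell   # used to resolve .lnk shortcut targets

foreach ($folder in ($startupFolders | Sort-Object -Unique)) {
    if (-not (Test-Path $folder)) { continue }
    Get-ChildItem -Path $folder -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $file    = $_
        $reasons = @()
        $target  = $file.FullName

        # A shortcut in Startup is only as trustworthy as the binary it points to.
        if ($file.Extension -ieq '.lnk') {
            $target = $shell.CreateShortcut($file.FullName).TargetPath
        }
        $leaf = Split-Path -Path $target -Leaf

        # Any Narrator.exe that is not the System32 copy is suspect on its own.
        if ($leaf -ieq 'Narrator.exe' -and $target -ine $genuine) {
            $reasons += 'Narrator.exe outside System32'
        }
        # Startup executables whose Authenticode signature does not verify.
        if ($target -and (Test-Path $target) -and ([IO.Path]::GetExtension($target) -in '.exe','.dll','.scr')) {
            $sig = Get-AuthenticodeSignature -FilePath $target
            if ($sig.Status -ne 'Valid') { $reasons += "signature status: $($sig.Status)" }
        }

        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                Entry   = $file.FullName
                Target  = $target
                SHA256  = if (Test-Path $target) { (Get-FileHash -Path $target -Algorithm SHA256).Hash } else { 'missing' }
                Reasons = ($reasons -join '; ')
            }
        }
    }
}
```

Run it from an elevated PowerShell session so that every profile's Startup folder is readable; each object it emits is a candidate for triage, and the SHA256 lets you pivot to threat-intel or EDR searches.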

While TAINTEDSCRIBE is active, the attackers can send commands that perform the following tasks:

  • Open a remote shell.
  • Delete files.
  • List directories and files.
  • Compress files on the infected system and exfiltrate them to the command-and-control server.
  • Send files from the remote server to the victim.
  • Manage running processes and Windows services.
  • Renew the implant's configuration.
  • Delete a directory and all files stored in it.

While it is likely that TAINTEDSCRIBE is used for espionage and data collection, some of its modules hint that it also might serve the purpose of causing damage to the infected system by deleting valuable folders and files.

Many of HIDDEN COBRA's previous attacks relied on email attachments to deliver the harmful payload to their victims, and it is very likely that TAINTEDSCRIBE is delivered the same way. Companies and institutions can secure their networks by using up-to-date anti-virus solutions and teaching their employees to spot and avoid suspicious files.
