Home Malware Programs Spyware Torisma Spyware

Torisma Spyware

Posted: November 9, 2020

The Torisma Spyware is a threatening implant used by the North Korean hackers known as the Lazarus APT or Hidden Cobra APT. They are one of the most active Advanced Persistent Threat (APT) groups, and their attacks are concentrated on entities in the aerospace, military and defense sectors usually. The Torisma Spyware, in particular, has been used in attacks against targets in the defense and aerospace sectors. The spyware's primary goal is to gather valuable information from the compromised networks without any obvious trouble.

North Korean Hackers Deploy the Torisma Spyware to Precisely Chosen Systems

Just like other attacks of the Hidden Cobra APT, this one also involves several stages and a large number of checks to prevent the malware from running on computers that the attackers are not interested in. Allegedly, the Torisma Spyware is delivered as a second-stage implant after the hackers manage to infect a network with an unidentified first-stage payload. The attack is executed via spear-phishing emails that target the defense and aerospace industries of Israel, Russia, Australia and India. The Lazarus APT hackers also are leveraging compromised legitimate websites that have been transformed into Command-and-Control servers.

The first-stage implant gathers basic system information about the infected system, and it also checks if its IP address matches one of the IP addresses found in a pre-defined list of targets. If an equivalent is found, the malware will proceed to try and deploy the Torisma Spyware. This basic but effective check helps the Torisma Spyware keep its activity under the radar and only runs on selected targets.

Once up and running, the Torisma Spyware could provide the attackers with access to more information about the infected system, as well as the ability to spy on users, collect credentials and specific types of files. The state-sponsored Hidden Cobra hackers are one of the largest threats in the world of cybersecurity, and they are a constant problem because of their ever-evolving malware arsenal.