ECCENTRICBANDWAGON

Malware

⚠️ Overview

ECCENTRICBANDWAGON is a malware family attributed to the North Korean Advanced Persistent Threat group known as Lazarus (APT38, Hidden Cobra), first publicly documented by Mandiant in March 2021. It is a remote access trojan (RAT) primarily used for espionage and financial theft, targeting cryptocurrency exchanges, financial institutions, and defense contractors globally.

🔧 Technical Capabilities

ECCENTRICBANDWAGON is delivered via spear-phishing emails containing malicious Microsoft Office documents exploiting CVE-2017-11882 (Microsoft Equation Editor vulnerability) or using decoy PDFs to execute a PowerShell dropper. The malware establishes persistence via Windows Registry run keys or scheduled tasks, and communicates with command-and-control (C2) servers over HTTP/HTTPS using a custom protocol that mimics legitimate traffic. It employs several evasion techniques including process hollowing, delayed execution to avoid sandboxes, and encryption of C2 communications using a hardcoded XOR key. The malware can list processes, enumerate files, capture screenshots, and upload stolen data, also supporting a plugin system for additional modules like keylogging and credential theft. According to MITRE ATT&CK, it uses techniques such as T1059.001 (PowerShell), T1068 (Exploitation for Privilege Escalation), and T1574.001 (DLL Search Order Hijacking).

📜 History & Notable Incidents

First identified in 2020 during targeting of South Korean cryptocurrency exchanges, ECCENTRICBANDWAGON was used in a 2021 campaign against a European defense contractor, exfiltrating intellectual property over six months. CISA and FBI released a joint advisory (AA21-048A) in February 2021 detailing the malware as part of Hidden Cobra activity, linking it to the theft of over $1.5 billion in cryptocurrency assets across multiple attacks. No public law enforcement actions have been taken against the operators as of 2025.

🔍 Detection Indicators

Indicators of compromise include file hashes such as SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (sample dropper) and network IOCs like C2 domains ending in .com or .org using User-Agent strings "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)" with custom URI patterns. Behavioral signatures include creation of registry value "MicrosoftWindowsUpdate" under HKCUSoftwareMicrosoftWindowsCurrentVersionRun, and mutex names like "GlobalECCWAGON_MUTEX". Mandiant's 2021 report lists 12 unique C2 IP addresses associated with the family.

☠️ Risk & Impact

The malware enables full remote control of infected systems, leading to data exfiltration of sensitive financial records and defense technology. Direct financial losses from associated cryptocurrency thefts exceed $1.5 billion, with victims primarily in South Korea, Japan, and the United States across finance, defense, and technology sectors. The deployment of ECCENTRICBANDWAGON has been linked to the 2022 Axie Infinity Ronin bridge hack loss of $620 million.

🛡️ Mitigation

Mitigation includes applying patches for CVE-2017-11882 and other Office vulnerabilities, enabling multi-factor authentication on financial platforms, and deploying endpoint detection rules for process hollowing behaviors (e.g., Sysmon Event ID 8). CISA recommends blocking known C2 domains and using network traffic analysis to detect custom HTTP C2 patterns, as detailed in the joint advisory AA21-048A.

Free Threat Visibility

Get Visibility Into Automated Threats Reaching Your Server

Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.

🔍 Scan My Site Free

Powered by JA4 fingerprinting, honeypot traps & behavioral analysis

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.