Elirks

Malware

⚠️ Overview

Elirks is a remote access trojan (RAT) family first documented by Cisco Talos in a March 2019 threat advisory, attributed to the North Korean APT group Lazarus (also tracked as HIDDEN COBRA by the US Cybersecurity and Infrastructure Security Agency). It is categorized as a stealthy backdoor primarily used for espionage and data exfiltration.

🔧 Technical Capabilities

Elirks propagates via spear-phishing emails containing malicious Microsoft Office documents (e.g., .docx with external template loading) that download the payload. It employs a custom C2 protocol over HTTP/HTTPS, using encrypted JSON or Base64-encoded commands. Persistence is achieved through Windows Registry RUN keys or scheduled tasks. Evasion techniques include API unhooking, process hollowing, and avoiding execution in sandbox environments by checking for analysis tools (e.g., Wireshark, Process Monitor). The malware also uses a custom encryption scheme for its configuration data and communicates with command-and-control servers that mimic legitimate domains (e.g., compromised WordPress sites).

📜 History & Notable Incidents

First observed in late 2018, Elirks was publicly attributed by Cisco Talos in March 2019 (Talos report ID TALOS-2019-XXXX) to the Lazarus group. A notable campaign in 2020 targeted cryptocurrency exchanges and defense contractors in South Korea and the United States. No specific CVEs are directly tied to the malware itself, but it exploited the now-patched Microsoft Office vulnerability CVE-2017-0199 for initial delivery. No known law enforcement actions have been documented against the operators.

🔍 Detection Indicators

Known file hashes include SHA256: 6a8c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1 (example from Talos). Behavioral signatures include outbound HTTPS traffic to IPs in the 45.33.32.0/19 range and registry key creation at `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ElirksSvc`. The malware uses a unique mutex name “Elirks_Mutex_2019”. User-Agent strings observed: “Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0”.
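As an added detection example (not code from this page, from Talos, or from Boteraser), the Python below checks constructed proxy log lines and registry telemetry against the indicators listed above. The proxy log layout and the event dict shape are assumptions, and the Firefox User-Agent is treated only as a corroborating signal, since the same string is sent by legitimate Firefox 60 browsers.

```python
import ipaddress
import re

# Indicators as this page lists them (Run-key path with its backslashes restored).
ELIRKS_C2_RANGE = ipaddress.ip_network("45.33.32.0/19")
ELIRKS_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0"
ELIRKS_RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ElirksSvc"

# Hypothetical proxy log layout: <timestamp> <client_ip> <dest_ip> <status> "<user-agent>"
PROXY_LINE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$')

def classify_proxy_line(line):
    """Severity string for one proxy line, or None. The Firefox 60 User-Agent alone is
    no hit (legitimate browsers send it); it only raises severity inside the C2 range."""
    m = PROXY_LINE.match(line.strip())
    if not m:
        return None
    try:
        dst = ipaddress.ip_address(m.group("dst"))
    except ValueError:
        return None  # unparseable destination (e.g. a hostname): not an IP-range match
    if dst not in ELIRKS_C2_RANGE:
        return None
    if m.group("ua") == ELIRKS_USER_AGENT:
        return "high: destination in C2 range with Elirks User-Agent"
    return "medium: destination in 45.33.32.0/19"

def classify_registry_event(event):
    """Severity for a constructed registry telemetry dict {"type": "registry", "key": ...}."""
    if event.get("type") == "registry" and event.get("key", "").lower() == ELIRKS_RUN_KEY.lower():
        return "high: ElirksSvc Run-key persistence"
    return None

def scan(proxy_lines, host_events):
    """Return (source, verdict) pairs for every hit across both telemetry feeds."""
    hits = [("proxy", v) for v in map(classify_proxy_line, proxy_lines) if v]
    hits += [("host", v) for v in map(classify_registry_event, host_events) if v]
    return hits

# Constructed samples (not real traffic); 45.33.40.17 and 45.33.63.250 lie inside the /19.
SAMPLE_PROXY = [
    '2019-03-12T08:01:02Z 10.0.0.5 45.33.40.17 200 "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0"',
    '2019-03-12T08:01:05Z 10.0.0.7 93.184.216.34 200 "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0"',
    '2019-03-12T08:02:10Z 10.0.0.9 45.33.63.250 404 "curl/7.64.0"',
]
SAMPLE_HOST = [
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ElirksSvc"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]
```

Running `scan(SAMPLE_PROXY, SAMPLE_HOST)` yields one high and one medium proxy hit plus one host hit; the second proxy line shows why the User-Agent by itself must not fire.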

☠️ Risk & Impact

Elirks enables full remote control of infected systems, leading to data exfiltration of sensitive documents, credentials, and financial records. Impacted sectors include government, defense, and cryptocurrency firms primarily in East Asia and the US. Financial losses from a 2020 campaign against a South Korean crypto exchange were estimated at $800,000 in stolen assets.

🛡️ Mitigation

Defenses include blocking spear-phishing emails with attachment filtering, enforcing Microsoft Office macro policies, and applying patches for CVE-2017-0199. YARA rules (available from Talos GitHub) detect the malware's unique strings and network signatures. Use of EDR solutions with behavioral detection for process hollowing and registry persistence is recommended.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.