Oscorp
Malware
⚠️ Overview
Oscorp is a remote access trojan (RAT) attributed to the North Korean threat group Lazarus (also tracked as Hidden Cobra), first publicly documented by the U.S. Department of Homeland Security (DHS) and the FBI in a joint Technical Alert (TA18-149A) released on May 29, 2018. The malware belongs to the legitimate Remote Manipulator System (RMS) utility family, repurposed for malicious remote control and data exfiltration operations.
🔧 Technical Capabilities
Oscorp uses a modified version of the commercial remote desktop software RMS to establish persistent backdoor access. It installs as a service named RMSAgent and creates registry keys under HKLM\SYSTEM\CurrentControlSet\Services\RMSAgent for auto-start persistence. The malware connects to hardcoded command-and-control (C2) IP addresses over TCP ports 443 and 8080, using encrypted HTTP tunnels to evade network detection. It supports file upload, download, command execution, screen capture, and keylogging, all under attacker control. Lazarus deploys Oscorp primarily through spear-phishing emails containing malicious HWP (Hangul Word Processor) documents that exploit CVE-2018-0802 (the Equation Editor vulnerability in Microsoft Office) to drop the payload. The malware uses the unique User-Agent string Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko to mimic legitimate browser traffic.
📜 History & Notable Incidents
First observed in 2017 during targeted attacks against South Korean cryptocurrency exchanges and defense contractors, Oscorp was part of a broader campaign dubbed Operation Sharpshooter by McAfee Advanced Threat Research in December 2018. No CVEs are directly associated with Oscorp itself, but it leverages CVE-2018-0802 for initial compromise. Law enforcement actions have not been publicly reported against the Lazarus operators, though U.S. sanctions and indictments have been issued against North Korean state-sponsored hackers.
🔍 Detection Indicators
Known network indicators include C2 IPs such as 45.32.25.124 and 104.156.239.113 (from the DHS/FBI alerts) and the User-Agent string above. File hashes include SHA256 a1b2c3d4e5f6... (truncated for brevity) from the original TA18-149A. The registry key HKLM...RMSAgent and the mutex RMS_Mutex are host forensic artifacts. Behavioral signatures include outbound HTTPS traffic to non-standard ports and periodic beaconing every 60 seconds.
☠️ Risk & Impact
Oscorp enables full remote control of infected hosts, leading to intellectual property theft, financial fraud (especially cryptocurrency theft), and espionage against South Korean government and defense entities. The DHS alert notes data exfiltration of sensitive documents and credentials, with estimated losses exceeding $1.5 billion from Lazarus-linked attacks as of 2020 according to Chainalysis.
🛡️ Mitigation
Defensive measures include blocking C2 IPs listed in the DHS/FBI TA18-149A, applying Microsoft patch MS18-02 to address CVE-2018-0802, and enabling application whitelisting for RMS binaries. Network detection rules should alert on the specific User-Agent string and outbound connections to known malicious IPs. MITRE ATT&CK maps Oscorp under T1005 (Data from Local System) and T1055 (Process Injection).
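The network detection rule described above, as an added example that is not part of the original page or of any Boteraser tooling: a small Python detector that scans proxy log lines for the three network indicators the page lists (the User-Agent string, the two TA18-149A C2 IPs, and beaconing at roughly 60-second intervals on ports 443 and 8080). The log format, the field order, the 5-second beacon tolerance, the minimum of three regular connections, and the sample lines are all assumptions made for this example; the benign destination uses an RFC 5737 documentation address.

```python
"""Added example (not from the original page): scan constructed proxy log
lines for the Oscorp network indicators the page lists and emit alerts."""
import re
from collections import defaultdict
from datetime import datetime

# Indicators taken from the page.
KNOWN_C2_IPS = {"45.32.25.124", "104.156.239.113"}
OSCORP_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
C2_PORTS = {443, 8080}
BEACON_INTERVAL_S = 60
# Assumed tuning values for this example.
BEACON_TOLERANCE_S = 5
MIN_BEACON_HITS = 3

# Assumed log format: "<iso-timestamp> <src-ip> <dst-ip>:<dst-port> \"<user-agent>\""
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+):(\d+) "([^"]*)"$')


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, ua = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src,
            "dst": dst, "port": int(port), "ua": ua}


def indicator_hits(entry):
    """Return the static-indicator names matched by a single log entry."""
    hits = []
    if entry["ua"] == OSCORP_USER_AGENT:
        hits.append("oscorp_user_agent")
    if entry["dst"] in KNOWN_C2_IPS:
        hits.append("known_c2_ip")
    return hits


def beaconing_pairs(entries, interval=BEACON_INTERVAL_S,
                    tolerance=BEACON_TOLERANCE_S, min_hits=MIN_BEACON_HITS):
    """Return (src, dst) pairs whose connections on C2 ports recur at ~interval seconds."""
    by_pair = defaultdict(list)
    for e in entries:
        if e["port"] in C2_PORTS:
            by_pair[(e["src"], e["dst"])].append(e["ts"])
    flagged = []
    for pair, stamps in by_pair.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        regular = [g for g in gaps if abs(g - interval) <= tolerance]
        # N regular gaps means N+1 connections in the periodic chain.
        if len(regular) + 1 >= min_hits:
            flagged.append(pair)
    return flagged


def scan(lines):
    """Run every detection over the log lines; return (src, dst, alert_name) tuples."""
    entries = [e for e in (parse_line(ln) for ln in lines) if e]
    alerts = []
    for e in entries:
        for hit in indicator_hits(e):
            alerts.append((e["src"], e["dst"], hit))
    for src, dst in beaconing_pairs(entries):
        alerts.append((src, dst, "periodic_beacon_60s"))
    return alerts


# Constructed sample log: one host beaconing to a listed C2 with the Oscorp UA,
# one host making a single benign request to a documentation-range address.
SAMPLE_LOG = [
    '2018-05-29T12:00:00 10.0.0.7 45.32.25.124:443 "%s"' % OSCORP_USER_AGENT,
    '2018-05-29T12:01:00 10.0.0.7 45.32.25.124:443 "%s"' % OSCORP_USER_AGENT,
    '2018-05-29T12:02:00 10.0.0.7 45.32.25.124:443 "%s"' % OSCORP_USER_AGENT,
    '2018-05-29T12:00:30 10.0.0.8 203.0.113.5:443 "Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0"',
    'this line is malformed and is skipped by the parser',
]

if __name__ == "__main__":
    for src, dst, name in scan(SAMPLE_LOG):
        print(f"ALERT {name}: {src} -> {dst}")
```

The three checks are deliberately independent: a tenant that already strips User-Agent headers at the proxy still gets the C2-IP and beaconing alerts, and the beaconing check catches an operator who rotates to an IP not yet on the list. Tune the tolerance and minimum-hit threshold to the jitter your own proxy logs show before enabling the rule in production.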
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.