Retro
Malware
⚠️ Overview
Retro is a remote access trojan (RAT) first documented publicly by Cisco Talos in February 2020. It is attributed, on the basis of infrastructure overlaps and shared TTPs, to the North Korean Lazarus Group or one of its subgroups (APT38 is Mandiant's name for the financially motivated subgroup; Retro's espionage use fits the wider Lazarus cluster rather than APT38 specifically). It is a bespoke implant used for espionage and data theft, not a commodity RAT sold to multiple operators.
🔧 Technical Capabilities
Retro communicates over TCP port 443, wrapping a custom encrypted protocol in HTTP/HTTPS so that it blends with web traffic. C2 domains are hosted on compromised legitimate servers or registered through dynamic DNS providers. Initial access is via spear-phishing emails carrying malicious LNK files or Office documents with VBA macros. Persistence is achieved through scheduled tasks or registry Run keys. Once running, the implant enumerates files, captures keystrokes, takes screenshots, and exfiltrates the collected data in compressed, encrypted chunks. Its evasion techniques include sandbox detection via WMI queries (hardware, BIOS and process inventory) and unhooking of user-mode API hooks to blind security products that rely on them. After its cleanup routine runs, the implant deletes its own binary; responders should therefore capture memory and other volatile artefacts before rebooting a suspected host, since the on-disk sample may already be gone.
📜 History & Notable Incidents
First observed in late 2019, Retro was used in espionage campaigns against South Korean government entities and energy sector organizations. In 2020, a variant was reported in a watering-hole attack chain against a South Korean think tank that exploited CVE-2020-1380, a Scripting Engine Memory Corruption Vulnerability in Internet Explorer patched by Microsoft in August 2020. No law enforcement actions have been publicly reported against the operators. Retro has no dedicated MITRE ATT&CK software entry; the behaviour described above maps to standard ATT&CK techniques such as T1566.001 (spearphishing attachment), T1053.005 (scheduled task), T1547.001 (registry Run keys), T1056.001 (keylogging), T1113 (screen capture), T1497.001 (sandbox system checks), T1071.001 (web protocols for C2) and T1070.004 (file deletion). The Talos report "Retro: A New RAT from Lazarus", published Feb 12, 2020, details the malware's custom protocol and victimology.
🔍 Detection Indicators
File hashes for the analysed samples are listed in the Talos report and are not reproduced here; pull them from the original publication rather than from secondary sources, since aggregated hash lists are frequently copied with errors. Behavioral indicators include outbound HTTPS connections to low-reputation or dynamic DNS domains from non-browser processes and the creation of scheduled tasks with obfuscated, machine-generated names. Network IOCs include the user-agent string "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0" in C2 traffic. Note that this is a genuine Firefox 60 user-agent, so it will also appear in legitimate browsing; it is only meaningful when combined with the originating process, the destination's reputation, and a regular beaconing pattern.
☠️ Risk & Impact
Retro gives the operator full remote control of infected systems, enabling the exfiltration of sensitive geopolitical intelligence and industrial secrets. The primary impact has been on South Korean defense, energy, and government sectors, with reported theft of classified documents. Financial losses are unquantified but include the cost of incident response and system remediation.
🛡️ Mitigation
Organizations should filter email attachments at the gateway (blocking LNK files outright and quarantining macro-enabled Office documents), block VBA macros in documents that carry the Mark of the Web, and deploy endpoint detection rules for suspicious scheduled task creation (Security Event ID 4698, obfuscated task names, actions launching from user-writable paths) and for outbound HTTPS from non-browser processes to unknown or dynamic DNS domains. Apply the August 2020 patch for CVE-2020-1380 and retire Internet Explorer where possible. Network monitoring can key on the user-agent string associated with Retro C2 traffic, but because the string is a legitimate Firefox 60 user-agent it should be correlated with process name, destination reputation and beacon regularity rather than alerted on alone.
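The detection indicators and the endpoint/network rules in the mitigation section above can be expressed as simple triage heuristics. The following script is an added example and is not code from the Talos report or from the Retro operators: it scores scheduled-task creation records for machine-generated names and user-writable action paths, and scores proxy records carrying the Firefox 60 user-agent by originating process and beacon regularity, so that the user-agent alone never produces an alert. All sample events, hostnames, task names and the allow-list are constructed for the example; `cdn-update.dyn.example` and `\svc9a8f2c3d1b0e` are hypothetical, not real Retro IOCs.

```python
"""Triage heuristics for the Retro indicators described above: machine-looking
scheduled task names, task actions in user-writable paths, and beacon-like
HTTPS traffic carrying the Firefox 60 user-agent. Added example; the events
below are constructed, not real Retro telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# User-agent reported in Retro C2 traffic. It is a genuine Firefox 60 UA,
# so on its own it is a weak signal and is only ever one scoring factor here.
RETRO_UA = "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0"
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
KNOWN_GOOD_HOSTS = {"update.mozilla.org"}   # hypothetical allow-list (assumption)
USER_WRITABLE = re.compile(
    r"\\users\\|%appdata%|%localappdata%|%temp%|%tmp%|\\programdata\\", re.I)
GUID = re.compile(r"\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)


def task_name_suspicious(task_path: str) -> bool:
    """Names a human would not choose: long hex blobs, vowel-less strings,
    or letters and digits interleaved (e.g. 'svc9a8f2c3d1b0e')."""
    base = task_path.rsplit("\\", 1)[-1]
    if GUID.search(base):
        return False          # GUID-named tasks are common for legitimate software; judge by action
    if re.fullmatch(r"[0-9a-f]{12,}", base, re.I):
        return True
    letters = [c for c in base if c.isalpha()]
    if len(letters) >= 8 and not re.search(r"[aeiou]", base, re.I):
        return True
    alnum = [c for c in base if c.isalnum()]   # ignore separators so SID suffixes do not count
    switches = sum(a.isdigit() != b.isdigit() for a, b in zip(alnum, alnum[1:]))
    return switches >= 4


def reasons_for_task(event: dict) -> list:
    """Reasons an Event ID 4698 (scheduled task created) record deserves review."""
    reasons = []
    if task_name_suspicious(event["task"]):
        reasons.append("machine-generated task name")
    if USER_WRITABLE.search(event["action"]):
        reasons.append("action in user-writable path")
    return reasons


def beacon_candidates(proxy_events: list, min_hits: int = 4, max_cv: float = 0.25) -> list:
    """Group RETRO_UA requests by (host, process) and score each group:
    +1 UA toward a host outside the allow-list, +1 non-browser process,
    +1 near-constant inter-request gap (coefficient of variation <= max_cv).
    Only groups scoring >= 2 are returned, so the UA alone never alerts."""
    groups = defaultdict(list)
    for e in proxy_events:
        if e["ua"] == RETRO_UA and e["host"] not in KNOWN_GOOD_HOSTS:
            groups[(e["host"], e["process"].lower())].append(e["ts"])
    hits = []
    for (host, proc), stamps in groups.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else 0.0
        score = 1 + (proc not in BROWSERS) + (cv <= max_cv)
        if score >= 2:
            hits.append({"host": host, "process": proc, "score": score,
                         "mean_gap_s": round(mean(gaps)), "cv": round(cv, 3)})
    return hits


# ---- constructed sample telemetry (not real Retro data) --------------------
T0 = datetime(2020, 3, 2, 9, 0, 0)
SAMPLE_TASKS = [
    {"event_id": 4698, "task": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
     "action": r"%systemroot%\system32\usoclient.exe StartScan"},
    {"event_id": 4698, "task": r"\svc9a8f2c3d1b0e",
     "action": r"rundll32.exe C:\Users\Public\Libraries\winupd.dll,Start"},
    {"event_id": 4698, "task": r"\OneDrive Standalone Update Task-S-1-5-21-1004336348-1177238915-682003330-1001",
     "action": r"%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"},
]
SAMPLE_PROXY = (
    # rundll32 reaching a dynamic-DNS style host every ~5 min with slight jitter
    [{"ts": T0 + timedelta(seconds=300 * i + 7 * (i % 2)), "host": "cdn-update.dyn.example",
      "ua": RETRO_UA, "process": "rundll32.exe"} for i in range(6)]
    # a real Firefox 60 session using the same UA: bursty, browser process
    + [{"ts": T0 + timedelta(seconds=s), "host": "news.example.com",
        "ua": RETRO_UA, "process": "firefox.exe"} for s in (0, 43, 51, 900, 1300)]
)


def triage() -> dict:
    """Run both heuristics over the sample data and return the findings."""
    tasks = {}
    for e in SAMPLE_TASKS:
        reasons = reasons_for_task(e)
        if reasons:
            tasks[e["task"]] = reasons
    return {"tasks": tasks, "beacons": beacon_candidates(SAMPLE_PROXY)}


if __name__ == "__main__":
    findings = triage()
    for task, why in findings["tasks"].items():
        print(f"[task] {task}: {', '.join(why)}")
    for hit in findings["beacons"]:
        print(f"[c2?] {hit['process']} -> {hit['host']} score={hit['score']} "
              f"gap~{hit['mean_gap_s']}s cv={hit['cv']}")
```

In the sample run the `\svc9a8f2c3d1b0e` task is flagged on both name and path, the OneDrive updater is surfaced only for its user-writable path (a known false-positive class an analyst allow-lists after review), and only the rundll32 group is reported as a beacon candidate even though the Firefox session sends the identical user-agent. Feed real Event ID 4698 records and proxy logs in the same dict shape to use it outside the example.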
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.