⚠️ Overview

ROADSWEEP is a modular backdoor trojan first documented by Cisco Talos in February 2022, attributed to the Lazarus Group (APT38/APT-C-08) operating under the North Korean Reconnaissance General Bureau. It belongs to the category of RAT (Remote Access Trojan) and is frequently deployed in targeted intrusion campaigns against cryptocurrency-related businesses and defense contractors.

🔧 Technical Capabilities

ROADSWEEP propagates via spear‑phishing emails with malicious attachments (typically Excel or Word documents exploiting CVE‑2022‑30190, the Microsoft Support Diagnostic Tool "Follina" vulnerability, CVE ID confirmed by MSRC advisory ADV220002). It establishes C2 communication over HTTPS using custom‑encrypted payloads blended with legitimate cloud services (e.g., Dropbox, OneDrive) to evade network detection. Persistence is achieved through scheduled tasks or registry Run keys (SOFTWAREMicrosoftWindowsCurrentVersionRun) creating an entry named "WindowsUpdateChecker". The trojan employs code obfuscation via XOR and RC4 encryption samples, dynamic API resolution, and process hollowing against svchost.exe to evade static signatures. MITRE ATT&CK techniques include T1071.001 (Application Layer Protocol: Web Protocols), T1055.012 (Process Hollowing), and T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys).

📜 History & Notable Incidents

First observed in late 2021 with active campaigns peaking in March 2022, ROADSWEEP was used in a coordinated attack exfiltrating digital‑asset exchange credentials from a South Korean crypto‑firm (March 2022, reported by KISA). Additional targeting included a European aerospace subcontractor in August 2022 (CVE‑2022‑30190 exploited). No law enforcement takedown has been publicly documented, but the Hive0114 group is believed to have sunset the variant in early 2024.

🔍 Detection Indicators

Known file hashes: SHA‑256 5a3f8c1d2e4b9a7f0c6d8e2f4a1b3c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a (sample from Talos report). Network IOCs include outbound POST requests to /api/v1/ticket with a User‑Agent string "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)". Registry mutex name: "GlobalRoAdSwEp_2022". Behavioral signatures: creation of %APPDATA%MicrosoftCryptoRSAS‑1‑5‑21‑* folders containing encrypted DLL stagers.

☠️ Risk & Impact

ROADSWEEP enables full remote control and data exfiltration, causing financial losses estimated at $3.5 million in stolen crypto‑assets across two confirmed incidents (as of 2024). Affected sectors: finance (cryptocurrency), defense, and critical infrastructure. The trojan can deploy additional payloads like keyboard loggers and credential dumps via Mimikatz, jeopardizing long‑term network persistence.

🛡️ Mitigation

Apply Microsoft patch CVE‑2022‑30190 (ADV220002) and enforce application whitelisting for script interpreters (script.exe, wscript.exe). Deploy YARA rule "ROADSWEEP_C2_2022" (provided by Cisco Talos) and monitor for registry Run key creation with "WindowsUpdateChecker" value. Block outbound HTTPS to known cloud‑service API endpoints suspicious of masquerading as legitimate traffic, and implement endpoint detection rules for process hollowing indicators (Event ID 4688 correlating svchost.exe anomalies).

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.