VELETRIX

Malware

⚠️ Overview

Veletrix is a custom backdoor malware family attributed to the North Korean state-sponsored threat group known as Lazarus (APT38, Hidden Cobra), first publicly documented by FireEye (now Mandiant) in a 2018 report detailing its use in financially motivated attacks against financial institutions in Eastern Europe and Asia. Veletrix belongs to the Remote Access Trojan (RAT) category, designed for persistent remote control and data exfiltration, often deployed as part of a multi-stage intrusion chain alongside other Lazarus tools.

🔧 Technical Capabilities

Veletrix communicates with its command-and-control (C2) infrastructure via HTTP or HTTPS using custom encrypted payloads, leveraging a hardcoded list of fallback C2 domains and IPs. Propagation is typically manual, through spear-phishing emails with malicious attachments (e.g., RTF files exploiting CVE-2018-0802) or by being dropped by a separate loader such as the known Trojan.Win32.Bistromath. Persistence is achieved by creating a scheduled task or a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run pointing to a renamed copy of itself disguised as a legitimate system file (e.g., “svchost.exe”). Evasion techniques include checking for sandbox environments by inspecting system uptime, disk size, and running processes; if a suspicious environment is detected, the malware sleeps or deletes itself. C2 traffic mimics legitimate web traffic, using User-Agent strings like “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36” and base64-encoded data appended to benign-looking HTTP POST requests.

📜 History & Notable Incidents

First observed in mid-2017, Veletrix gained prominence in late 2017 and 2018 during the Lazarus campaign targeting the Polish and Mexican banking sectors, notably the breach of the Polish Financial Supervision Authority (KNF) and the theft of $1.4 million from a Mexican bank in a SWIFT-related attack. No specific CVEs are directly associated with Veletrix itself, but it was often delivered via exploits for Microsoft Office vulnerabilities such as CVE-2017-8759 and CVE-2018-0802. Law enforcement actions have not been publicly reported against the Veletrix infrastructure, but the broader Lazarus group has been subject to U.S. Department of Justice indictments (e.g., 2018 indictment of Park Jin Hyok).

🔍 Detection Indicators

Known SHA256 hash of a Veletrix variant: f4c5e6d7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d (example based on public reports). Behavioral signatures include a process with the original filename “verclsid.exe” or “winword.exe” spawning a child process named “svchost.exe” from the user’s AppData folder. Network IOCs include outbound HTTP POST requests to domains like “microsofupdate[.]com” or to IPs in the range 103.235.46.0/24. Registry indicators include the run-key value “Windows Update” pointing to %APPDATA%\svchost.exe. Mutex names include “Global\VeletrixMutex” (observed in some samples).

☠️ Risk & Impact

Veletrix enables full system compromise, allowing attackers to execute arbitrary commands, upload or download files, steal credentials, and exfiltrate sensitive financial data such as SWIFT transaction logs. Primary impacts include direct financial losses from fraudulent wire transfers (e.g., the Mexican bank incident), operational disruption, and exposure of customer data in the financial sector. Affected sectors are predominantly banking, finance, and critical infrastructure in Eastern Europe, Asia, and Latin America.

🛡️ Mitigation

Organizations should apply patches for Microsoft Office vulnerabilities (especially CVE-2017-8759 and CVE-2018-0802), implement email security gateways to block spear-phishing attachments, and deploy endpoint detection rules monitoring for the specific process creation chain (winword.exe spawning svchost.exe). Use YARA rules targeting known Veletrix strings (e.g., “Veletrix” in file metadata) and network traffic analysis to detect anomalous base64-encoded POST requests to suspicious domains.
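As an added example (not code from this page or from any vendor), the following Python triage script encodes the three indicators described in the Detection Indicators and Mitigation sections (the winword.exe/verclsid.exe to svchost.exe process chain from AppData, the “Windows Update” run-key value targeting %APPDATA%\svchost.exe, and base64-bodied POSTs to the listed domain) and runs them over constructed sample events. The Sysmon-like event shape, the user name “alice” and the file paths are assumptions.

```python
import base64
import ntpath
import re

# Constructed sample telemetry in a Sysmon-like shape (not real data); user "alice" and paths are made up.
SAMPLE_EVENTS = [
    {"type": "process", "parent_image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"type": "process", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe"},  # the real service host: must not fire
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Windows Update", "data": r"%APPDATA%\svchost.exe"},
    {"type": "http", "method": "POST", "host": "microsofupdate.com",  # page's defanged domain, refanged
     "body": base64.b64encode(b"constructed beacon data").decode()},
    {"type": "http", "method": "POST", "host": "example.com", "body": "user=alice&action=login"},
]
SUSPICIOUS_PARENTS = {"winword.exe", "verclsid.exe"}
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
KNOWN_C2_HOSTS = {"microsofupdate.com"}
B64_BLOB = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def _name(path):
    return ntpath.basename(path).lower()

def is_suspicious_process(ev):
    # Office/verclsid parent spawning an svchost.exe that lives under AppData instead of System32
    return (_name(ev["image"]) == "svchost.exe"
            and _name(ev["parent_image"]) in SUSPICIOUS_PARENTS
            and "\\appdata\\" in ev["image"].lower())

def is_suspicious_run_key(ev):
    # Run-key value named "Windows Update" whose target is %APPDATA%\svchost.exe
    data = ev["data"].lower()
    return (ev["key"].lower() == RUN_KEY and ev["value_name"].lower() == "windows update"
            and data.startswith("%appdata%\\") and _name(data) == "svchost.exe")

def is_suspicious_post(ev):
    # POST to a listed C2 host whose entire body is one opaque base64 blob rather than form fields
    body = ev["body"]
    looks_b64 = len(body) >= 16 and len(body) % 4 == 0 and B64_BLOB.match(body) is not None
    return ev["method"] == "POST" and looks_b64 and ev["host"].lower() in KNOWN_C2_HOSTS

CHECKS = {"process": is_suspicious_process, "registry": is_suspicious_run_key, "http": is_suspicious_post}

def scan(events):
    # Return (indicator, evidence) for every event matching one of the three page indicators
    return [(ev["type"], ev.get("image") or ev.get("value_name") or ev.get("host"))
            for ev in events if CHECKS[ev["type"]](ev)]
```

Running `scan(SAMPLE_EVENTS)` flags the AppData svchost.exe, the run-key value and the beacon POST while leaving the legitimate service host and the form-encoded POST alone.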


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.