
Threat Report: What is AuditCred DLL and How Does it Work?

The AuditCred DLL was used by the Lazarus Group in their 2018 attacks. AuditCred can search through files on a system, inject code from files into other running processes, delete files from the system, open a reverse shell on the system to execute commands, and use a proxy for its communications. AuditCred is installed as a new service on the system, and it can use XOR and RC4 to decrypt its code functions.

AuditCred Malware Capabilities:

AuditCred is malware that may be used to enumerate files and directories, inject code into processes, transfer tools or files, and use a connection proxy to direct network traffic.

  • AuditCred may search for certain information within a file system, inject code into processes, and delete files. These actions may allow access to process memory, system resources, and possibly elevated privileges.
  • AuditCred may abuse the Windows command shell for execution. AuditCred may also transfer tools or other files from an external system into a compromised environment.
  • AuditCred may use obfuscated files or information to hide artifacts of an intrusion from forensic analysis. It may create or modify Windows services to repeatedly execute malicious payloads as part of establishing persistence, and may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server.

Ways to Mitigate AuditCred Malware Attacks

  • One way to prevent AuditCred from compromising your system is to monitor Windows API calls that may be indicative of code injection. Another way is to monitor for known deletion and secure deletion tools that are not already on systems within an enterprise network.
  • Analyzing packet contents can help detect communications that do not follow the expected protocol behavior for the port that is being used. Monitoring for file creation and files transferred into the network can also help identify potential AuditCred malware attacks.
  • The best way to mitigate AuditCred malware attacks is to detect and monitor potentially malicious behavior related to scripts, system utilities, and service binary paths. Network data should also be analyzed for unusual data flows.
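One way to act on the service-binary-path advice above is to review Windows service-installation events automatically. The script below is an added example, not code from the original post or from any vendor tool: it runs a few path heuristics over constructed log lines modelled loosely on Event ID 7045 ("A service was installed in the system"); the flattened field layout, service names and file paths are invented for the example.

```python
import re

# Constructed sample lines loosely modelled on Windows System log Event ID 7045,
# flattened to one event per line. Names and paths are invented for this example.
SAMPLE_EVENTS = [
    'EventID=7045 ServiceName="WinDefend" ImagePath="C:\\Program Files\\Windows Defender\\MsMpEng.exe" StartType="auto start"',
    'EventID=7045 ServiceName="Dnscache" ImagePath="C:\\Windows\\System32\\svchost.exe -k NetworkService" StartType="auto start"',
    'EventID=7045 ServiceName="AuditSvc" ImagePath="C:\\Windows\\System32\\rundll32.exe C:\\ProgramData\\audit\\auditcred.dll,Start" StartType="auto start"',
    'EventID=7045 ServiceName="UpdateHelper" ImagePath="C:\\Users\\Public\\update.exe" StartType="auto start"',
    'EventID=7036 ServiceName="Dnscache" ImagePath="" StartType=""',
]

EVENT_RE = re.compile(
    r'EventID=(?P<id>\d+) ServiceName="(?P<name>[^"]*)" ImagePath="(?P<path>[^"]*)" StartType="(?P<start>[^"]*)"'
)

# Directories where legitimate service binaries are normally installed (compared case-insensitively).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Locations a non-admin user can usually write to; a service payload here deserves a look.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
# Host processes commonly used to run a DLL as a service.
DLL_HOSTS = ("rundll32.exe", "regsvr32.exe")

def parse_7045(line):
    """Return the fields of a service-installation event, or None for any other event."""
    m = EVENT_RE.search(line)
    if not m or m.group("id") != "7045":
        return None
    return m.groupdict()

def flag_service_install(event):
    """Return the reasons an installed service deserves review (empty list = looks normal)."""
    path = event["path"].lower()
    reasons = []
    if not path.startswith(TRUSTED_DIRS):
        reasons.append("binary outside standard program directories")
    if any(d in path for d in USER_WRITABLE):
        reasons.append("binary or argument under a user-writable directory")
    if any(h in path for h in DLL_HOSTS) and ".dll" in path:
        reasons.append("DLL loaded through a host process")
    if reasons and event["start"] == "auto start":
        reasons.append("auto start (persistence)")
    return reasons

def review_service_installs(lines):
    """Map service name -> reasons for every Event 7045 line that trips a check."""
    findings = {}
    for line in lines:
        event = parse_7045(line)
        if event is None:
            continue
        reasons = flag_service_install(event)
        if reasons:
            findings[event["name"]] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in review_service_installs(SAMPLE_EVENTS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On a real host the same checks would be fed from the System event log rather than from the constructed lines; the heuristics are deliberately coarse and produce a review queue, not a verdict.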

Reactionary Times News Desk

All breaking news stories that matter to America. The News Desk is covered by the sharpest eyes in news media, as they decipher fact from fiction.
