Malware
Torisma
Torisma is a complex HTTP(S) downloader that can serve as an orchestrator handling the execution of additional payloads from the C&C server.
Torisma is a Windows malware family operated by Lazarus Group.
Background
Torisma is an elaborate HTTP(S) downloader that can act as an orchestrator, managing the execution of further payloads delivered from the C&C server.
Network traffic between client and server is encrypted and decrypted using VEST-32.
Its HTTP POST requests generally rely on the parameter names ACTION, CODE, CACHE, REQUEST, RES, and the initial request includes the victim's MAC address.
To confirm successful authentication, the server replies with "Your request has been accepted. ClientID: {f9102bc8a7d81ef01ba}". The client then asks the server for more data, which decrypts into shellcode along with its data parameters and is executed. It also sets up a named pipe, \\.\pipe\fb4d1181bb09b484d058768598b, enabling inter-process communication with the running shellcode.
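The parameter names, the acceptance banner and the pipe name above are all visible artifacts that a defender can match on. The following is an added detection example written for this page; it is not Malpedia's code and not part of the malware. It assumes that HTTP transactions have already been reassembled into method, request body and response body (for example by a proxy or a network sensor after TLS termination), that the form-encoded parameter names travel in clear text even though the values are VEST-32 encrypted, and that the MAC address appears in a standard colon- or dash-separated form in the initial request; the page does not say which parameter carries it, so the MAC check is only a supporting indicator. The sample transactions and the Sysmon-style pipe event line are constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Indicators taken from the page: the POST parameter names, the server's
# acceptance banner and the named pipe used to talk to the shellcode.
TORISMA_PARAMS = frozenset({"ACTION", "CODE", "CACHE", "REQUEST", "RES"})
ACCEPT_BANNER = "Your request has been accepted. ClientID:"
PIPE_NAME = r"\\.\pipe\fb4d1181bb09b484d058768598b"

# Assumption: the MAC address in the initial request is recognisable as a
# plain 6-octet string. Treated as a supporting indicator only.
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")


def indicators_for(tx):
    """Return the Torisma indicators matched by one HTTP transaction.

    tx is a dict with 'method', 'body' (form-encoded request body) and
    'response' (response body as text). Values are not inspected, since
    the page states they are VEST-32 encrypted.
    """
    hits = []
    if tx.get("method", "").upper() != "POST":
        return hits  # the page only describes POST-based check-ins
    body = tx.get("body", "")
    params = {k.upper() for k in parse_qs(body, keep_blank_values=True)}
    if TORISMA_PARAMS <= params:
        hits.append("torisma_param_set")      # all five names present
    elif len(TORISMA_PARAMS & params) >= 3:
        hits.append("partial_torisma_param_set")
    if MAC_RE.search(body):
        hits.append("mac_in_body")
    if ACCEPT_BANNER in tx.get("response", ""):
        hits.append("accept_banner")
    return hits


def is_suspicious(tx):
    """High-confidence verdict: full parameter set or the server banner."""
    hits = indicators_for(tx)
    return "torisma_param_set" in hits or "accept_banner" in hits


def flag_transactions(transactions):
    """Return (index, indicators) for every suspicious transaction."""
    return [(i, indicators_for(tx)) for i, tx in enumerate(transactions)
            if is_suspicious(tx)]


def pipe_event_matches(event_line):
    """Host-side check: does a pipe-creation event name the Torisma pipe?"""
    return PIPE_NAME.lower() in event_line.lower()


# Constructed sample transactions. The banner text is the one quoted on the
# page; parameter values are placeholders, not real Torisma ciphertext.
SAMPLE_TRANSACTIONS = [
    {   # mimics the initial check-in described on the page
        "method": "POST",
        "body": "ACTION=0&CODE=2&CACHE=x&REQUEST=00-11-22-33-44-55&RES=",
        "response": "Your request has been accepted. ClientID: {f9102bc8a7d81ef01ba}",
    },
    {   # ordinary login form, should not match
        "method": "POST",
        "body": "username=alice&password=s3cret&remember=1",
        "response": "<html>redirecting</html>",
    },
    {   # GET request, ignored by the detector
        "method": "GET",
        "body": "",
        "response": "<html>home</html>",
    },
    {   # generic API that happens to reuse three of the names
        "method": "POST",
        "body": "ACTION=list&CODE=7&RES=ok",
        "response": "ok",
    },
]

# Constructed Sysmon-style pipe event lines (Event ID 17, PipeCreated).
SAMPLE_PIPE_EVENTS = [
    r"PipeName: \\.\pipe\fb4d1181bb09b484d058768598b Image: C:\Users\victim\AppData\Local\Temp\svc.exe",
    r"PipeName: \\.\pipe\lsass Image: C:\Windows\System32\lsass.exe",
]

if __name__ == "__main__":
    for idx, hits in flag_transactions(SAMPLE_TRANSACTIONS):
        print(f"transaction {idx}: {hits}")
    for line in SAMPLE_PIPE_EVENTS:
        print(f"{pipe_event_matches(line)}: {line}")
```

The network check fires on the full parameter set or the banner and treats a three-of-five overlap as a weak hint to avoid false positives from unrelated APIs; if the beacon travels over HTTPS these fields are only visible after TLS inspection, so the pipe-name check on host telemetry is the complementary signal.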
Torisma was typically dropped by NedDnLoader and used in the Operation DreamJob campaigns beginning around Q4 2019.
Source: Malpedia (Fraunhofer FKIE).