ComRAT
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | ComRAT has used HTTP requests for command and control.(Citation: NorthSec 2015 GData Uroburos Tools)(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020)
Enterprise | T1071.003 | Application Layer Protocol: Mail Protocols | ComRAT can use email attachments for command and control.(Citation: ESET ComRAT May 2020)
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | ComRAT has used PowerShell to load itself every time a user logs in to the system. ComRAT can execute PowerShell scripts loaded into memory or from the file system.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | ComRAT has used
Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | ComRAT can use SSL/TLS encryption for its HTTP-based C2 channel. For its Gmail C2 channel, ComRAT has used RSA public-key cryptography together with AES-encrypted email attachments.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020)
Enterprise | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | ComRAT samples have been seen which hijack COM objects for persistence by replacing the path to shell32.dll in registry location
Enterprise | T1564.005 | Hide Artifacts: Hidden File System | ComRAT has used a portable FAT16 partition image placed in %TEMP% as a hidden file system.(Citation: ESET ComRAT May 2020)
Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | ComRAT has used a task name associated with the Windows SQM Consolidator.(Citation: ESET ComRAT May 2020)
Enterprise | T1027.009 | Obfuscated Files or Information: Embedded Payloads | ComRAT has embedded an XOR-encrypted communications module inside the orchestrator module.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020)
Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | ComRAT has injected its orchestrator DLL into explorer.exe. ComRAT has also injected its communications module into the victim's default browser so that C2 connections appear less suspicious, since all network connections are then initiated by the browser process.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | ComRAT has used a scheduled task to launch its PowerShell loader.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020)
Enterprise | T1102.002 | Web Service: Bidirectional Communication | ComRAT has the ability to use the Gmail web UI to receive commands and exfiltrate information.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020)
Groups That Use This Software

ID | Name | References
---|---|---
G0010 | Turla | (Citation: Unit 42 IronNetInjector February 2021)(Citation: Secureworks IRON HUNTER Profile)(Citation: Symantec Waterbug)
References
- ESET ComRAT May 2020: Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
- NorthSec 2015 GData Uroburos Tools: Rascagneres, P. (2015, May). Tools used by the Uroburos actors. Retrieved August 18, 2016.
- Symantec Waterbug: Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015.
- CISA ComRAT Oct 2020: CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020.
- Unit 42 IronNetInjector February 2021: Reichel, D. (2021, February 19). IronNetInjector: Turla's New Malware Loading Tool. Retrieved February 24, 2021.
- Secureworks IRON HUNTER Profile: Secureworks CTU. (n.d.). IRON HUNTER. Retrieved February 22, 2022.