Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

ComRAT

ComRAT is a second stage implant suspected of being a descendant of Agent.btz and used by Turla. The first version of ComRAT was identified in 2007, but the tool has undergone substantial development for many years since.(Citation: Symantec Waterbug)(Citation: NorthSec 2015 GData Uroburos Tools)(Citation: ESET ComRAT May 2020)
ID: S0126
Type: MALWARE
Platforms: Windows
Version: 1.4
Created: 31 May 2017
Last Modified: 22 Mar 2023

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

ComRAT has used HTTP requests for command and control.(Citation: NorthSec 2015 GData Uroburos Tools)(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020)

.003 Application Layer Protocol: Mail Protocols

ComRAT can use email attachments for command and control.(Citation: ESET ComRAT May 2020)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

ComRAT has used PowerShell to load itself every time a user logs in to the system. ComRAT can execute PowerShell scripts loaded into memory or from the file system.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020)

.003 Command and Scripting Interpreter: Windows Command Shell

ComRAT has used cmd.exe to execute commands.(Citation: ESET ComRAT May 2020)

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

ComRAT can use SSL/TLS encryption for its HTTP-based C2 channel. ComRAT has used public key cryptography with RSA and AES encrypted email attachments for its Gmail C2 channel.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020)

Enterprise T1546 .015 Event Triggered Execution: Component Object Model Hijacking

ComRAT samples have been seen which hijack COM objects for persistence by replacing the path to shell32.dll in registry location HKCU\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32.(Citation: NorthSec 2015 GData Uroburos Tools)

Enterprise T1564 .005 Hide Artifacts: Hidden File System

ComRAT has used a portable FAT16 partition image placed in %TEMP% as a hidden file system.(Citation: ESET ComRAT May 2020)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

ComRAT has used a task name associated with Windows SQM Consolidator.(Citation: ESET ComRAT May 2020)

Enterprise T1027 .009 Obfuscated Files or Information: Embedded Payloads

ComRAT has embedded a XOR encrypted communications module inside the orchestrator module.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020)

.010 Obfuscated Files or Information: Command Obfuscation

ComRAT has used encryption and base64 to obfuscate its orchestrator code in the Registry. ComRAT has also used encoded PowerShell scripts.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020)

.011 Obfuscated Files or Information: Fileless Storage

ComRAT has stored encrypted orchestrator code and payloads in the Registry.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020)

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

ComRAT has injected its orchestrator DLL into explorer.exe. ComRAT has also injected its communications module into the victim's default browser to make C2 connections appear less suspicious as all network connections will be initiated by the browser process.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

ComRAT has used a scheduled task to launch its PowerShell loader.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020)

Enterprise T1102 .002 Web Service: Bidirectional Communication

ComRAT has the ability to use the Gmail web UI to receive commands and exfiltrate information.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020)

Groups That Use This Software

ID Name References
G0010 Turla

(Citation: Unit 42 IronNetInjector February 2021 ) (Citation: Secureworks IRON HUNTER Profile) (Citation: Symantec Waterbug)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.