
RDAT

RDAT is a backdoor used by the suspected Iranian threat group OilRig. RDAT was originally identified in 2017 and targeted companies in the telecommunications sector.(Citation: Unit42 RDAT July 2020)
ID: S0495
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 28 Jul 2020
Last Modified: 15 Oct 2020

Techniques Used

Domain ID Name Use

Enterprise T1071.001 Application Layer Protocol: Web Protocols

RDAT can use HTTP communications for C2, as well as using the WinHTTP library to make requests to the Exchange Web Services API.(Citation: Unit42 RDAT July 2020)

Enterprise T1071.003 Application Layer Protocol: Mail Protocols

RDAT can use email attachments for C2 communications.(Citation: Unit42 RDAT July 2020)

Enterprise T1071.004 Application Layer Protocol: DNS

RDAT has used DNS to communicate with the C2.(Citation: Unit42 RDAT July 2020)

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

RDAT has executed commands using cmd.exe /c.(Citation: Unit42 RDAT July 2020)

Enterprise T1543.003 Create or Modify System Process: Windows Service

RDAT has created a service when it is installed on the victim machine.(Citation: Unit42 RDAT July 2020)

Enterprise T1132.001 Data Encoding: Standard Encoding

RDAT can communicate with the C2 via base32-encoded subdomains.(Citation: Unit42 RDAT July 2020)

Enterprise T1132.002 Data Encoding: Non-Standard Encoding

RDAT can communicate with the C2 via subdomains that utilize base64 with character substitutions.(Citation: Unit42 RDAT July 2020)
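As an added illustration of the DNS encoding entries above (this is editor-written example code, not from the Unit42 report or this page), the Python below scans DNS query log lines and flags subdomain labels that decode as RFC 4648 base32, which is the detection angle for the T1132.001 behaviour. The log format, the 16-character minimum label length, the placeholder C2 domain and the two-label registered-domain assumption are all assumptions; the base64-with-substitutions variant is not handled because the substitution table is not given here.

```python
import base64
import re
from typing import List, Optional, Tuple

# Labels shorter than this are too often ordinary hostnames (assumption; tune per environment).
MIN_LABEL_LEN = 16
BASE32_LABEL = re.compile(r"^[A-Z2-7]+$", re.IGNORECASE)


def decode_base32_label(label: str) -> Optional[bytes]:
    """Return decoded bytes if the label is a plausible unpadded base32 string, else None."""
    if len(label) < MIN_LABEL_LEN or not BASE32_LABEL.match(label):
        return None
    # DNS labels cannot carry '=' padding, so restore it to a multiple of 8 before decoding.
    padded = label.upper() + "=" * (-len(label) % 8)
    try:
        return base64.b32decode(padded)
    except ValueError:  # binascii.Error (bad length or padding) is a ValueError
        return None


def scan_dns_log(log_text: str, registered_labels: int = 2) -> List[Tuple[str, str, str, bytes]]:
    """Return (timestamp, client, qname, decoded) for each query with a base32-decodable label.

    Assumed log format: '<timestamp> <client-ip> <query-name>'. The last `registered_labels`
    labels are the registered domain; only labels below it are inspected.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, qname = parts
        for label in qname.rstrip(".").split(".")[:-registered_labels]:
            decoded = decode_base32_label(label)
            if decoded is not None:
                hits.append((ts, client, qname, decoded))
    return hits


def _b32label(data: bytes) -> str:
    """Build an unpadded base32 DNS label, the shape a base32-encoded subdomain takes."""
    return base64.b32encode(data).decode().rstrip("=")


# Constructed sample log (not captured RDAT traffic); the C2 domain is a placeholder.
SAMPLE_DNS_LOG = "\n".join([
    "2020-07-28T10:00:01Z 10.0.0.5 www.example.com",
    f"2020-07-28T10:00:02Z 10.0.0.5 {_b32label(b'beacon id=0001')}.c2-placeholder.example",
    "2020-07-28T10:00:03Z 10.0.0.7 mail.example.org",
    f"2020-07-28T10:00:04Z 10.0.0.5 {_b32label(b'cmd result ok')}.c2-placeholder.example",
])
```

Long alphabetic hostnames also decode cleanly, so treat a hit as a hunting signal and weigh it with query volume and label count per parent domain rather than alerting on a single query.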

Enterprise T1001.002 Data Obfuscation: Steganography

RDAT can process steganographic images attached to email messages to send and receive C2 commands. RDAT can also embed additional messages within BMP images to communicate with the RDAT operator.(Citation: Unit42 RDAT July 2020)

Enterprise T1573.001 Encrypted Channel: Symmetric Cryptography

RDAT has used AES ciphertext to encode C2 communications.(Citation: Unit42 RDAT July 2020)

Enterprise T1070.004 Indicator Removal: File Deletion

RDAT can issue SOAP requests to delete already processed C2 emails. RDAT can also delete itself from the infected system.(Citation: Unit42 RDAT July 2020)

Enterprise T1036.004 Masquerading: Masquerade Task or Service

RDAT has used Windows Video Service as a name for malicious services.(Citation: Unit42 RDAT July 2020)

Enterprise T1036.005 Masquerading: Match Legitimate Name or Location

RDAT has masqueraded as VMware.exe.(Citation: Unit42 RDAT July 2020)

Enterprise T1027.003 Obfuscated Files or Information: Steganography

RDAT can also embed data within a BMP image prior to exfiltration.(Citation: Unit42 RDAT July 2020)

Groups That Use This Software

ID Name References

G0049 OilRig (Citation: Unit42 RDAT July 2020)
