Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

MarkiRAT

MarkiRAT is a remote access Trojan (RAT) compiled with Visual Studio that has been used by Ferocious Kitten since at least 2015.(Citation: Kaspersky Ferocious Kitten Jun 2021)

ID: S0652

Type: MALWARE

Platforms: Windows

Version: 1.0

Created: 28 Sep 2021

Last Modified: 25 Oct 2021

Domain	ID		Name	Use
Techniques Used
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	MarkiRAT can initiate communication over HTTP/HTTPS for its C2 server.(Citation: Kaspersky Ferocious Kitten Jun 2021)
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	MarkiRAT can drop its payload into the Startup directory to ensure it automatically runs when the compromised system is started.(Citation: Kaspersky Ferocious Kitten Jun 2021)
		.009	Boot or Logon Autostart Execution: Shortcut Modification	MarkiRAT can modify the shortcut that launches Telegram by replacing its path with the malicious payload to launch with the legitimate executable.(Citation: Kaspersky Ferocious Kitten Jun 2021)
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	MarkiRAT can utilize cmd.exe to execute commands in a victim's environment.(Citation: Kaspersky Ferocious Kitten Jun 2021)
Enterprise	T1555	.005	Credentials from Password Stores: Password Managers	MarkiRAT can gather information from the Keepass password manager.(Citation: Kaspersky Ferocious Kitten Jun 2021)
Enterprise	T1074	.001	Data Staged: Local Data Staging	MarkiRAT can store collected data locally in a created .nfo file.(Citation: Kaspersky Ferocious Kitten Jun 2021)
Enterprise	T1056	.001	Input Capture: Keylogging	MarkiRAT can capture all keystrokes on a compromised host.(Citation: Kaspersky Ferocious Kitten Jun 2021)
Enterprise	T1036	.005	Masquerading: Match Legitimate Name or Location	MarkiRAT can masquerade as `update.exe` and `svehost.exe`; it has also mimicked legitimate Telegram and Chrome files.(Citation: Kaspersky Ferocious Kitten Jun 2021)
Enterprise	T1518	.001	Software Discovery: Security Software Discovery	MarkiRAT can check for running processes on the victim’s machine to look for Kaspersky and Bitdefender antivirus products.(Citation: Kaspersky Ferocious Kitten Jun 2021)
Enterprise	T1614	.001	System Location Discovery: System Language Discovery	MarkiRAT can use the `GetKeyboardLayout` API to check if a compromised host's keyboard is set to Persian.(Citation: Kaspersky Ferocious Kitten Jun 2021)

ID	Name	References
Groups That Use This Software
G0137	Ferocious Kitten	(Citation: Kaspersky Ferocious Kitten Jun 2021)

References

GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.

MarkiRAT

Techniques Used

Groups That Use This Software

References