Rclone
Techniques Used

Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | Rclone can compress files using `gzip` prior to exfiltration.(Citation: Rclone) |
Enterprise | T1048.002 | Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Rclone can exfiltrate data over SFTP or HTTPS via WebDAV.(Citation: Rclone) |
Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | Rclone can exfiltrate data over FTP or HTTP, including HTTP via WebDAV.(Citation: Rclone) |
Enterprise | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Rclone can exfiltrate data to cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA.(Citation: Rclone)(Citation: DFIR Conti Bazar Nov 2021) |
Groups That Use This Software

ID | Name | References |
---|---|---|
G1032 | INC Ransom | (Citation: Huntress INC Ransomware May 2024) |
 | | (Citation: DFIR Conti Bazar Nov 2021) |
G1003 | Ember Bear | (Citation: CISA GRU29155 2024) |
G1024 | Akira | (Citation: Arctic Wolf Akira 2023) |
G1021 | Cinnamon Tempest | (Citation: Sygnia Emperor Dragonfly October 2022) |
References
- Aaron Greetham. (2021, May 27). Detecting Rclone – An Effective Tool for Exfiltration. Retrieved August 30, 2022.
- DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
- Justin Schoenfeld and Aaron Didier. (2021, May 4). Rclone Wars: Transferring leverage in a ransomware attack. Retrieved August 30, 2022.
- Nick Craig-Wood. (n.d.). Rclone syncs your files to cloud storage. Retrieved August 30, 2022.
- Ramarcus Baylor. (2021, May 12). DarkSide Ransomware Gang: An Overview. Retrieved August 30, 2022.
- Carvey, H. (2024, May 1). LOLBin to INC Ransomware. Retrieved June 5, 2024.
- US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
- Steven Campbell, Akshay Suthar, & Connor Belfiorre. (2023, July 26). Conti and Akira: Chained Together. Retrieved February 20, 2024.
- Biderman, O. et al. (2022, October 3). REVEALING EMPEROR DRAGONFLY: NIGHT SKY AND CHEERSCRYPT - A SINGLE RANSOMWARE GROUP. Retrieved December 6, 2023.