RATANKBA is a remote controller tool used by Lazarus Group. RATANKBA has been used in attacks targeting financial institutions in Poland, Mexico, Uruguay, the United Kingdom, and Chile. It was also seen used against organizations related to telecommunications, management consulting, information technology, insurance, aviation, and education. RATANKBA has a graphical user interface to allow the attacker to issue jobs to perform on the infected machines. [1] [2]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | There is a variant of RATANKBA that uses a PowerShell script instead of the traditional PE form.[1][2] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | RATANKBA uses HTTP/HTTPS for command and control communication.[1][2] |
| Enterprise | T1012 | Query Registry | RATANKBA uses the command |
| Enterprise | T1082 | System Information Discovery | RATANKBA gathers information about the OS architecture, OS name, and OS version/Service pack.[1][2] |
| Enterprise | T1033 | System Owner/User Discovery | |
| Enterprise | T1007 | System Service Discovery | |
| Enterprise | T1049 | System Network Connections Discovery | RATANKBA uses |
| Enterprise | T1016 | System Network Configuration Discovery | RATANKBA gathers the victim's IP address via the |
| Enterprise | T1087.001 | Account Discovery: Local Account | |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | RATANKBA performs a reflective DLL injection using a given pid.[1][2] |
| Enterprise | T1018 | Remote System Discovery | RATANKBA runs the |
| ID | Name | References |
|---|---|---|
| G0032 | Lazarus Group | |