Cardinal RAT

Cardinal RAT is a potentially low volume remote access trojan (RAT) observed since December 2015. Cardinal RAT is notable for its unique utilization of uncompiled C# source code and the Microsoft Windows built-in csc.exe compiler.[1]

ID: S0348
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 30 January 2019
Last Modified: 11 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1090 Proxy

Cardinal RAT can act as a reverse proxy.[1]

Enterprise T1112 Modify Registry

Cardinal RAT sets HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load to point to its executable.[1]

Enterprise T1573.001 Encrypted Channel: Symmetric Cryptography

Cardinal RAT uses a secret key with a series of XOR and addition operations to encrypt C2 traffic.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Cardinal RAT decodes many of its artifacts and is decrypted (AES-128) after being downloaded.[1]

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Cardinal RAT establishes persistence by setting the HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load Registry key to point to its executable.[1]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

Cardinal RAT can execute commands.[1]

Enterprise T1008 Fallback Channels

Cardinal RAT can communicate over multiple C2 host and port combinations.[1]

Enterprise T1113 Screen Capture

Cardinal RAT can capture screenshots.[1]

Enterprise T1071.001 Application Layer Protocol: Web Protocols

Cardinal RAT is downloaded using HTTP over port 443.[1]

Enterprise T1560.002 Archive Collected Data: Archive via Library

Cardinal RAT applies compression to C2 traffic using the ZLIB library.[1]

Enterprise T1083 File and Directory Discovery

Cardinal RAT checks its current working directory upon execution and also contains watchdog functionality that ensures its executable is located in the correct path (else it will rewrite the payload).[1]

Enterprise T1012 Query Registry

Cardinal RAT contains watchdog functionality that periodically ensures HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load is set to point to its executable.[1]
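The persistence location named under T1547.001 and re-checked by the watchdog under T1012 is a single REG_SZ value that is empty or absent on a clean system, which makes it cheap to audit. The following PowerShell is an added example written for this page, not code from the ATT&CK entry or from the referenced report; it assumes the auditing account can read every loaded user hive under HKEY_USERS and reports any non-empty Load value together with whether the path it names currently exists on disk.

```powershell
# Added example: audit the "Load" value under Windows NT\CurrentVersion\Windows
# for every loaded user hive. The value is normally unset, so any populated
# entry is worth a closer look (legitimate use is rare).
function Get-WindowsLoadValue {
    # Expose HKEY_USERS as a drive if this session has not done so yet
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    foreach ($hive in Get-ChildItem -Path 'HKU:\') {
        $keyPath = "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows NT\CurrentVersion\Windows"
        if (-not (Test-Path -Path $keyPath)) { continue }

        $load = (Get-ItemProperty -Path $keyPath -Name 'Load' -ErrorAction SilentlyContinue).Load
        if ([string]::IsNullOrWhiteSpace($load)) { continue }

        # The value may hold an environment-variable path, optionally quoted
        $resolved = [Environment]::ExpandEnvironmentVariables($load.Trim('"'))

        [pscustomobject]@{
            Sid          = $hive.PSChildName
            Load         = $load
            ResolvedPath = $resolved
            FileExists   = Test-Path -LiteralPath $resolved
        }
    }
}

# Usage: list every populated Load value on this host
Get-WindowsLoadValue | Format-Table -AutoSize
```

Because the watchdog described above rewrites the value if it is cleared, a one-off deletion is not remediation on its own; the finding is best paired with the process that keeps restoring it, and the value can be re-checked after the process is gone.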

Enterprise T1027.004 Obfuscated Files or Information: Compile After Delivery

Cardinal RAT and its watchdog component are compiled and executed after being delivered to victims as embedded, uncompiled source code.[1]
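Compile-after-delivery leaves a host-level trace that the final binary's hash does not: the built-in csc.exe is launched on the victim machine. The following PowerShell is an added example for this page, not code from the ATT&CK entry or the referenced report; it assumes Sysmon is installed with process-creation logging (Event ID 1) enabled, and it extracts the image, command line and parent image of each csc.exe launch in the last N hours so an analyst can separate expected compiler use (build tooling) from a launch under an Office or user-profile process.

```powershell
# Added example: surface csc.exe process creations recorded by Sysmon.
# Assumes the Microsoft-Windows-Sysmon/Operational log exists and is readable.
function Get-CscCompileEvents {
    param([int]$Hours = 24)

    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1                                   # Sysmon process creation
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a lookup table
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['Image'] -like '*\csc.exe') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $data['User']
                Image       = $data['Image']
                CommandLine = $data['CommandLine']
                ParentImage = $data['ParentImage']
            }
        }
    }
}

# Usage: review every csc.exe launch from the last day, newest first
Get-CscCompileEvents -Hours 24 | Sort-Object Time -Descending | Format-Table -AutoSize
```

The ParentImage column carries most of the signal: developer machines will show MSBuild or Visual Studio as the parent, whereas a compiler started beneath an Office application or from a user-writable directory matches the delivery chain this entry describes.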

Enterprise T1027.013 Obfuscated Files or Information: Encrypted/Encoded File

Cardinal RAT encodes many of its artifacts and is encrypted (AES-128) when downloaded.[1]

Enterprise T1204.002 User Execution: Malicious File

Cardinal RAT lures victims into executing malicious macros embedded within Microsoft Excel documents.[1]

Enterprise T1070.004 Indicator Removal: File Deletion

Cardinal RAT can uninstall itself, including deleting its executable.[1]

Enterprise T1082 System Information Discovery

Cardinal RAT can collect the hostname, Microsoft Windows version, and processor architecture from a victim machine.[1]

Enterprise T1033 System Owner/User Discovery

Cardinal RAT can collect the username from a victim machine.[1]

Enterprise T1105 Ingress Tool Transfer

Cardinal RAT can download and execute additional payloads.[1]

Enterprise T1056.001 Input Capture: Keylogging

Cardinal RAT can log keystrokes.[1]

Enterprise T1057 Process Discovery

Cardinal RAT contains watchdog functionality that ensures its process is always running and spawns a new instance if it is not.[1]

Enterprise T1055 Process Injection

Cardinal RAT injects into a newly spawned process created from a native Windows executable.[1]

References