| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | RDAT has used Windows Video Service as a name for malicious services.[1] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | RDAT has created a service when it is installed on the victim machine.[1] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | RDAT has used AES ciphertext to encode C2 communications.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | RDAT can deobfuscate the base64-encoded and AES-encrypted files downloaded from the C2 server.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1008 | Fallback Channels | RDAT has used HTTP if DNS C2 communications were not functioning.[1] |
| Enterprise | T1113 | Screen Capture | |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | RDAT can use HTTP communications for C2, as well as using the WinHTTP library to make requests to the Exchange Web Services API.[1] |
| Enterprise | T1071.003 | Application Layer Protocol: Mail Protocols | |
| Enterprise | T1071.004 | Application Layer Protocol: DNS | |
| Enterprise | T1030 | Data Transfer Size Limits | RDAT can upload a file via HTTP POST response to the C2 split into 102,400-byte portions. RDAT can also download data from the C2 which is split into 81,920-byte portions.[1] |
| Enterprise | T1001 | Data Obfuscation | RDAT has used encoded data within subdomains as AES ciphertext to communicate from the host to the C2.[1] |
| Enterprise | T1001.002 | Data Obfuscation: Steganography | RDAT can process steganographic images attached to email messages to send and receive C2 commands. RDAT can also embed additional messages within BMP images to communicate with the RDAT operator.[1] |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | RDAT can communicate with the C2 via base32-encoded subdomains.[1] |
| Enterprise | T1132.002 | Data Encoding: Non-Standard Encoding | RDAT can communicate with the C2 via subdomains that utilize base64 with character substitutions.[1] |
| Enterprise | T1027.003 | Obfuscated Files or Information: Steganography | RDAT can also embed data within a BMP image prior to exfiltration.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | RDAT can issue SOAP requests to delete already processed C2 emails. RDAT can also delete itself from the infected system.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1041 | Exfiltration Over C2 Channel | RDAT can exfiltrate data gathered from the infected system via the established Exchange Web Services API C2 channel.[1] |