1. Home
  2. Software
  3. MarkiRAT

MarkiRAT

MarkiRAT is a remote access Trojan (RAT) compiled with Visual Studio that has been used by Ferocious Kitten since at least 2015.[1]

ID: S0652
Type: MALWARE
Platforms: Windows
Contributors: Pooja Natarajan, NEC Corporation India; Manikantan Srinivasan, NEC Corporation India; Hiroki Nagahama, NEC Corporation
Version: 1.0
Created: 28 September 2021
Last Modified: 25 October 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1197 BITS任务

MarkiRAT can use BITS Utility to connect with the C2 server.[1]
Enterprise T1555 .005 从密码存储中获取凭证: Password Managers

MarkiRAT can gather information from the Keepass password manager.[1]

Enterprise T1005 从本地系统获取数据

MarkiRAT can upload data from the victim's machine to the C2 server.[1]
Enterprise T1036 .005 伪装: Match Legitimate Name or Location

MarkiRAT can masquerade as update.exe and svehost.exe; it has also mimicked legitimate Telegram and Chrome files.[1]
Enterprise T1115 剪贴板数据

MarkiRAT can capture clipboard content.[1]
Enterprise T1547 .001 启动或登录自动启动执行: Registry Run Keys / Startup Folder

MarkiRAT can drop its payload into the Startup directory to ensure it automatically runs when the compromised system is started.[1]
.009 启动或登录自动启动执行: Shortcut Modification

MarkiRAT can modify the shortcut that launches Telegram by replacing its path with the malicious payload to launch with the legitimate executable.[1]
Enterprise T1059 .003 命令与脚本解释器: Windows Command Shell

MarkiRAT can utilize cmd.exe to execute commands in a victim's environment.[1]
Enterprise T1113 屏幕捕获

MarkiRAT can capture screenshots that are initially saved as ‘scr.jpg’.[1]
Enterprise T1071 .001 应用层协议: Web Protocols

MarkiRAT can initiate communication over HTTP/HTTPS for its C2 server.[1]
Enterprise T1074 .001 数据分段: Local Data Staging

MarkiRAT can store collected data locally in a created .nfo file.[1]
Enterprise T1083 文件和目录发现

MarkiRAT can look for files carrying specific extensions such as: .rtf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pps, .ppsx, .txt, .gpg, .pkr, .kdbx, .key, and .jpb.[1]
Enterprise T1106 本机API

MarkiRAT can run the ShellExecuteW API via the Windows Command Shell.[1]
Enterprise T1614 .001 系统位置发现: System Language Discovery

MarkiRAT can use the GetKeyboardLayout API to check if a compromised host's keyboard is set to Persian.[1]
Enterprise T1082 系统信息发现

MarkiRAT can obtain the computer name from a compromised host.[1]
Enterprise T1033 系统所有者/用户发现

MarkiRAT can retrieve the victim’s username.[1]
Enterprise T1518 软件发现

MarkiRAT can check for the Telegram installation directory by enumerating the files on disk.[1]
.001 Security Software Discovery

MarkiRAT can check for running processes on the victim’s machine to look for Kaspersky and Bitdefender antivirus products.[1]
Enterprise T1105 输入工具传输

MarkiRAT can download additional files and tools from its C2 server, including through the use of BITSAdmin.[1]
Enterprise T1056 .001 输入捕获: Keylogging

MarkiRAT can capture all keystrokes on a compromised host.[1]
Enterprise T1057 进程发现

MarkiRAT can search for different processes on a system.[1]
Enterprise T1041 通过C2信道渗出

MarkiRAT can exfiltrate locally stored data via its C2.[1]

Groups That Use This Software

ID Name References
G0137 Ferocious Kitten

[1]

References

  1. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.