Action RAT
Action RAT is a remote access tool written in Delphi that has been used by SideCopy since at least December 2021 against Indian and Afghani government personnel.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1047 | Windows管理规范 |
Action RAT can use WMI to gather AV products installed on an infected host.[1] |
|
| Enterprise | T1005 | 从本地系统获取数据 |
Action RAT can collect local data from an infected machine.[1] |
|
| Enterprise | T1140 | 反混淆/解码文件或信息 |
Action RAT can use Base64 to decode actor-controlled C2 server communications.[1] |
|
| Enterprise | T1059 | .003 | 命令与脚本解释器: Windows Command Shell |
Action RAT can use |
| Enterprise | T1071 | .001 | 应用层协议: Web Protocols |
Action RAT can use HTTP to communicate with C2 servers.[1] |
| Enterprise | T1083 | 文件和目录发现 |
Action RAT has the ability to collect drive and file information on an infected machine.[1] |
|
| Enterprise | T1027 | 混淆文件或信息 |
Action RAT's commands, strings, and domains can be Base64 encoded within the payload.[1] |
|
| Enterprise | T1082 | 系统信息发现 |
Action RAT has the ability to collect the hostname, OS version, and OS architecture of an infected host.[1] |
|
| Enterprise | T1033 | 系统所有者/用户发现 |
Action RAT has the ability to collect the username from an infected host.[1] |
|
| Enterprise | T1016 | 系统网络配置发现 |
Action RAT has the ability to collect the MAC address of an infected host.[1] |
|
| Enterprise | T1518 | .001 | 软件发现: Security Software Discovery |
Action RAT can identify AV products on an infected host using the following command: |
| Enterprise | T1105 | 输入工具传输 |
Action RAT has the ability to download additional payloads onto an infected machine.[1] |
|