Rclone

Rclone is a command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. Rclone has been used in a number of ransomware campaigns, including those associated with the Conti and DarkSide Ransomware-as-a-Service operations.[1][2][3][4][5]

ID: S1040
Type: TOOL
Platforms: Linux, Windows, macOS
Contributors: Edward Millington; Ian McKay
Version: 1.1
Created: 30 August 2022
Last Modified: 04 April 2024

Techniques Used

Domain ID Name Use

Enterprise T1560.001 Archive Collected Data: Archive via Utility
Rclone can compress files using gzip prior to exfiltration.[1]

Enterprise T1030 Data Transfer Size Limits
The Rclone "chunker" overlay splits large files into smaller chunks on upload, which can be used to circumvent per-file size limits on the destination.[1][5]

Enterprise T1083 File and Directory Discovery
Rclone can list files and directories with the ls, lsd, and lsl commands.[1]

Enterprise T1048.002 Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Rclone can exfiltrate data over SFTP, or over HTTPS via WebDAV.[1]

Enterprise T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
Rclone can exfiltrate data over FTP or HTTP, including WebDAV over plain HTTP.[1]

Enterprise T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage
Rclone can exfiltrate data to cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA.[1][5]
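The techniques above are what a responder has to recover from two artifacts: the rclone.conf an operator left on the host (which is where the chunker overlay of T1030 and the compress overlay behind T1560.001 live, each as a remote that wraps another remote) and the process command lines that used it (which carry the subcommand for T1083 and the destination remote for T1048 and T1567.002). The Python below is an added example and is not code from this page, from MITRE, or from the rclone project. It parses a constructed rclone.conf, follows overlay remotes down to the backend they wrap, and maps constructed command lines to the S1040 technique IDs. It assumes the rclone.conf key names `type`, `remote`, `chunk_size`, `compression_mode`, `url`, `tls` and `explicit_tls` as documented by rclone; the remote names, hosts, bucket and paths are made up, and the technique mapping itself is a heuristic of the example, not an ATT&CK rule.

```python
"""Added example (not from the page, MITRE or rclone): parse a recovered
rclone.conf, resolve chunker/compress overlays, classify rclone command lines."""
import configparser
import shlex

# Constructed rclone.conf (hosts, names and values are made up), as an
# analyst would recover it from %APPDATA%\rclone\rclone.conf or --config.
SAMPLE_CONF = """\
[bucket]
type = s3

[bigfiles]
type = chunker
remote = bucket:exfil
chunk_size = 2G

[packed]
type = compress
remote = bigfiles:
compression_mode = gzip

[drop]
type = sftp
host = 203.0.113.10

[dav]
type = webdav
url = http://198.51.100.7/dav
"""

OVERLAY_TYPES = {"chunker", "compress", "crypt"}  # wrap another remote via 'remote ='
CLOUD_BACKENDS = {"s3", "drive", "dropbox", "mega", "b2", "azureblob", "onedrive", "box"}
LISTING_CMDS = {"ls", "lsd", "lsl", "lsf", "lsjson", "tree"}
TRANSFER_CMDS = {"copy", "sync", "move", "copyto", "moveto"}

def load_remotes(conf_text):
    # rclone.conf is INI; disable '%' interpolation so obscured passwords parse.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return {name: dict(cp[name]) for name in cp.sections()}

def resolve_remote(remotes, name):
    """Follow 'remote = inner:path' through overlays to the real backend.
    Returns (backend_type or None, overlay_chain, backend_section or None)."""
    chain, seen = [], set()
    while True:
        section = remotes.get(name)
        if section is None:
            return None, chain, None
        rtype = section.get("type", "")
        if rtype not in OVERLAY_TYPES:
            return rtype, chain, section
        if name in seen:
            raise ValueError(f"overlay loop at remote {name!r}")
        seen.add(name)
        chain.append(rtype)
        name = section.get("remote", "").partition(":")[0]

def backend_for_arg(remotes, arg):
    """'remote:path', ':backend[,opts]:path' (on-the-fly, no config entry) or local path."""
    name, colon, rest = arg.partition(":")
    if not colon or (len(name) == 1 and rest[:1] in ("\\", "/")):
        return None, [], None                      # local path or C:\ drive letter
    if name == "":
        return rest.partition(":")[0].partition(",")[0], [], {}
    return resolve_remote(remotes, name)

def classify_command(remotes, cmdline):
    """Map a process command line to S1040 technique IDs from its arguments
    alone, so a renamed rclone binary (e.g. svchost.exe) is still classified."""
    argv = shlex.split(cmdline, posix=False)       # keep Windows backslashes intact
    techniques = set()
    sub = next((a for a in argv[1:] if a in LISTING_CMDS | TRANSFER_CMDS), None)
    if sub in LISTING_CMDS:
        techniques.add("T1083")                    # File and Directory Discovery
    if sub not in TRANSFER_CMDS:
        return techniques
    for arg in argv[argv.index(sub) + 1:]:
        if arg.startswith("-"):
            continue                               # a flag, not a source/destination
        backend, chain, section = backend_for_arg(remotes, arg)
        if backend is None:
            continue
        if "chunker" in chain:
            techniques.add("T1030")                # Data Transfer Size Limits
        if "compress" in chain:
            techniques.add("T1560.001")            # Archive via Utility (gzip)
        if backend in CLOUD_BACKENDS:
            techniques.add("T1567.002")            # Exfiltration to Cloud Storage
        elif backend == "sftp":
            techniques.add("T1048.002")            # encrypted non-C2 protocol
        elif backend == "ftp":                     # FTPS only when tls/explicit_tls is set
            tls = "true" in (section.get("tls"), section.get("explicit_tls"))
            techniques.add("T1048.002" if tls else "T1048.003")
        elif backend in ("webdav", "http"):        # HTTPS vs plain HTTP from the URL scheme
            https = section.get("url", "").lower().startswith("https://")
            techniques.add("T1048.002" if https else "T1048.003")
    return techniques
```

Two caveats worth keeping in mind when using this against real telemetry. First, the classifier deliberately ignores the image name: rclone is routinely dropped under another file name, so match on the command-line grammar (subcommand plus `name:path` arguments, `--config`, `--transfers`, `--bwlimit`) and on the PE OriginalFileName field in process-creation events rather than on `rclone.exe`. Second, a destination written as `:s3:bucket` has no config section at all; the credentials then travel on the command line as backend flags, which makes the command line itself the artifact to preserve.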

Groups That Use This Software

ID Name References

G1032 INC Ransom [6]

G1003 Ember Bear
Ember Bear has used Rclone to exfiltrate information from victim environments.[7]

G1024 Akira [8]

G1021 Cinnamon Tempest [9]

Campaigns

ID Name Description

C0015 C0015 [5]

References