1. Home
  2. Software
  3. RARSTONE

RARSTONE

RARSTONE is malware used by the Naikon group that has some characteristics similar to PlugX. [1]

ID: S0055
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 30 March 2020
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1083 File and Directory Discovery

RARSTONE obtains installer properties from Uninstall Registry Key entries to obtain information about installed applications and how to uninstall certain applications.[2]
Enterprise T1105 Ingress Tool Transfer

RARSTONE downloads its backdoor component from a C2 server and loads it directly into memory.[1]
Enterprise T1095 Non-Application Layer Protocol

RARSTONE uses SSL to encrypt its communication with its C2 server.[1]
Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

After decrypting itself in memory, RARSTONE downloads a DLL file from its C2 server and loads it in the memory space of a hidden Internet Explorer process. This "downloaded" file is actually not dropped onto the system.[2]

Groups That Use This Software

ID Name References
G0019 Naikon

[3][4]

References

  1. Aquino, M. (2013, June 13). RARSTONE Found In Targeted Attacks. Retrieved December 17, 2015.
  2. Camba, A. (2013, February 27). BKDR_RARSTONE: New RAT to Watch Out For. Retrieved January 8, 2016.
  1. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  2. ThreatConnect Inc. and Defense Group Inc. (DGI). (2015, September 23). Project CameraShy: Closing the Aperture on China's Unit 78020. Retrieved December 17, 2015.