| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | ComRAT has used HTTP requests for command and control.[2][3][4] |
| Enterprise | T1071.003 | Application Layer Protocol: Mail Protocols | ComRAT can use email attachments for command and control.[3] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | ComRAT has used PowerShell to load itself every time a user logs in to the system. ComRAT can execute PowerShell scripts loaded into memory or from the file system.[3][4] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | ComRAT has used unique per-machine passwords to decrypt the orchestrator payload and a hardcoded XOR key to decrypt its communications module. ComRAT has also used a unique password to decrypt the file used for its hidden file system.[3][4] |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | ComRAT can use SSL/TLS encryption for its HTTP-based C2 channel. ComRAT has used public key cryptography with RSA and AES encrypted email attachments for its Gmail C2 channel.[3][4] |
| Enterprise | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | ComRAT samples have been seen which hijack COM objects for persistence by replacing the path to shell32.dll in registry location |
| Enterprise | T1564.005 | Hide Artifacts: Hidden File System | ComRAT has used a portable FAT16 partition image placed in %TEMP% as a hidden file system.[3] |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | ComRAT has used a task name associated with Windows SQM Consolidator.[3] |
| Enterprise | T1112 | Modify Registry | ComRAT has encrypted and stored its orchestrator code in the Registry as well as a PowerShell script into the WsqmCons Registry key.[3][4] |
| Enterprise | T1106 | Native API | ComRAT can load a PE file from memory or the file system and execute it with |
| Enterprise | T1027 | Obfuscated Files or Information | ComRAT has used encryption and base64 to obfuscate its orchestrator code in the Registry. ComRAT has also embedded an XOR-encrypted communications module inside the orchestrator module. ComRAT has encrypted its virtual file system using AES-256 in XTS mode and has encoded PowerShell scripts.[3][4] |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | ComRAT has injected its orchestrator DLL into explorer.exe. ComRAT has also injected its communications module into the victim's default browser to make C2 connections appear less suspicious, as all network connections will be initiated by the browser process.[3][4] |
| Enterprise | T1012 | Query Registry | ComRAT can check the default browser by querying |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | ComRAT has used a scheduled task to launch its PowerShell loader.[3][4] |
| Enterprise | T1029 | Scheduled Transfer | ComRAT has been programmed to sleep outside local business hours (9 to 5, Monday to Friday).[3] |
| Enterprise | T1518 | Software Discovery | ComRAT can check the victim's default browser to determine which process to inject its communications module into.[3] |
| Enterprise | T1124 | System Time Discovery | ComRAT has checked the victim system's date and time to perform tasks during business hours (9 to 5, Monday to Friday).[4] |
| Enterprise | T1102.002 | Web Service: Bidirectional Communication | ComRAT has the ability to use the Gmail web UI to receive commands and exfiltrate information.[3][4] |
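The Hide Artifacts entry (T1564.005) describes a FAT16 partition image dropped into %TEMP% and used as a hidden file system. A defender can hunt for that artifact without knowing the file name, because a FAT16 volume starts with a boot sector whose layout is fixed by the file system format. The Python below is an added example, not code from the ATT&CK page or from any ComRAT analysis: it parses the BIOS Parameter Block of a file's first 512 bytes, derives the cluster count (the property that actually distinguishes FAT16 from FAT12/FAT32), and reports files in a directory that parse as FAT16 images. The sample image, the file names and the temporary directory are constructed here; on a live host you would point `scan_directory` at the user's %TEMP% instead.

```python
import os
import struct
import tempfile

SECTOR_SIZE = 512


def parse_boot_sector(sector: bytes):
    """Parse the BIOS Parameter Block of a candidate FAT boot sector.

    Returns a dict of the fields needed to classify the volume, or None if
    the bytes do not look like a FAT boot sector at all.
    """
    if len(sector) < SECTOR_SIZE or sector[510:512] != b"\x55\xaa":
        return None  # no boot signature
    # Offset 0 holds an x86 jump: EB xx 90 or E9 xx xx
    if not ((sector[0] == 0xEB and sector[2] == 0x90) or sector[0] == 0xE9):
        return None
    # BPB fields starting at offset 11: bytes/sector, sectors/cluster,
    # reserved sectors, FAT count, root entries, total sectors (16-bit),
    # media descriptor, sectors per FAT (16-bit)
    (bytes_per_sector, sectors_per_cluster, reserved_sectors, num_fats,
     root_entries, total_sectors16, _media, sectors_per_fat) = struct.unpack_from(
        "<HBHBHHBH", sector, 11)
    if bytes_per_sector not in (512, 1024, 2048, 4096):
        return None
    if sectors_per_cluster not in (1, 2, 4, 8, 16, 32, 64, 128):
        return None
    if num_fats not in (1, 2) or reserved_sectors == 0 or sectors_per_fat == 0:
        return None
    # A zero 16-bit total means the 32-bit total at offset 32 is used instead
    total_sectors = total_sectors16 or struct.unpack_from("<I", sector, 32)[0]
    root_dir_sectors = (root_entries * 32 + bytes_per_sector - 1) // bytes_per_sector
    data_sectors = total_sectors - (reserved_sectors + num_fats * sectors_per_fat + root_dir_sectors)
    if data_sectors <= 0:
        return None
    return {
        "bytes_per_sector": bytes_per_sector,
        "total_sectors": total_sectors,
        "cluster_count": data_sectors // sectors_per_cluster,
        "fs_type": bytes(sector[54:62]),  # advisory label, e.g. b"FAT16   "
    }


def looks_like_fat16(sector: bytes) -> bool:
    """True if the sector parses as a FAT16 volume.

    The format defines FAT16 by cluster count (4085 to 65524); the text label
    at offset 54 is only advisory, so both are required here.
    """
    bpb = parse_boot_sector(sector)
    if bpb is None:
        return False
    return 4085 <= bpb["cluster_count"] <= 65524 and bpb["fs_type"].startswith(b"FAT16")


def scan_directory(path: str):
    """Return the names of regular files under path whose first sector is a FAT16 boot sector."""
    hits = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        try:
            with open(full, "rb") as f:
                head = f.read(SECTOR_SIZE)
        except OSError:
            continue  # locked or unreadable file; skip rather than abort the scan
        if looks_like_fat16(head):
            hits.append(name)
    return hits


def build_sample_fat16_boot_sector() -> bytes:
    """Constructed 16 MiB FAT16 boot sector used only as test input (not a real ComRAT artifact)."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x3C\x90"
    sector[3:11] = b"MSDOS5.0"
    # 512 B/sector, 4 sectors/cluster, 1 reserved, 2 FATs, 512 root entries,
    # 32768 total sectors, media 0xF8, 32 sectors per FAT -> 8167 clusters
    struct.pack_into("<HBHBHHBH", sector, 11, 512, 4, 1, 2, 512, 32768, 0xF8, 32)
    sector[54:62] = b"FAT16   "
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


def demo():
    """Drop three constructed files in a scratch directory and scan it; only the image should match."""
    with tempfile.TemporaryDirectory() as scratch:
        with open(os.path.join(scratch, "hidden.img"), "wb") as f:
            f.write(build_sample_fat16_boot_sector())
        with open(os.path.join(scratch, "notes.txt"), "wb") as f:
            f.write(b"plain text, not a volume\n")
        with open(os.path.join(scratch, "tool.exe"), "wb") as f:
            f.write(b"MZ" + bytes(510))  # PE stub: no boot signature
        return scan_directory(scratch)


if __name__ == "__main__":
    print("FAT16 images found:", demo())
```

The cluster-count check matters because a loader can write any label it likes at offset 54; the geometry in the BPB has to be internally consistent for the volume to mount, so it is the harder property to fake. Pairing this scan with the other indicators in the table (the WsqmCons Registry key, the SQM Consolidator-style task name) gives a defender several independent artifacts to corroborate.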
| ID | Name | References |
|---|---|---|
| G0010 | Turla | |