S0055 RARSTONE
RARSTONE is malware used by the Naikon group that has some characteristics similar to PlugX. [1]
| Item | Value |
|---|---|
| ID | S0055 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 31 May 2017 |
| Last Modified | 30 March 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1083 | File and Directory Discovery | RARSTONE obtains installer properties from Uninstall Registry Key entries to obtain information about installed applications and how to uninstall certain applications. [2] |
| enterprise | T1105 | Ingress Tool Transfer | RARSTONE downloads its backdoor component from a C2 server and loads it directly into memory. [1] |
| enterprise | T1095 | Non-Application Layer Protocol | RARSTONE uses SSL to encrypt its communication with its C2 server. [1] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.001 | Dynamic-link Library Injection | After decrypting itself in memory, RARSTONE downloads a DLL file from its C2 server and loads it in the memory space of a hidden Internet Explorer process. This "downloaded" file is actually not dropped onto the system. [2] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0019 | Naikon | [3] [4] |
References
1. Aquino, M. (2013, June 13). RARSTONE Found In Targeted Attacks. Retrieved December 17, 2015.
2. Camba, A. (2013, February 27). BKDR_RARSTONE: New RAT to Watch Out For. Retrieved January 8, 2016.
3. Baumgartner, K., Golovkin, M. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
4. ThreatConnect Inc. and Defense Group Inc. (DGI). (2015, September 23). Project CameraShy: Closing the Aperture on China's Unit 78020. Retrieved December 17, 2015.