S0126 ComRAT
ComRAT is a second-stage implant suspected of being a descendant of Agent.btz and used by Turla. The first version of ComRAT was identified in 2007, but the tool has undergone substantial development for many years since.[3][2][1]
Item | Value |
---|---|
ID | S0126 |
Associated Names | |
Type | MALWARE |
Version | 1.4 |
Created | 31 May 2017 |
Last Modified | 22 March 2023 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | ComRAT has used HTTP requests for command and control.[2][1][4] |
enterprise | T1071.003 | Mail Protocols | ComRAT can use email attachments for command and control.[1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | ComRAT has used PowerShell to load itself every time a user logs in to the system. ComRAT can execute PowerShell scripts loaded into memory or from the file system.[1][4] |
enterprise | T1059.003 | Windows Command Shell | ComRAT has used cmd.exe to execute commands.[1] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | ComRAT has used unique per-machine passwords to decrypt the orchestrator payload and a hardcoded XOR key to decrypt its communications module. ComRAT has also used a unique password to decrypt the file used for its hidden file system.[1][4] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.002 | Asymmetric Cryptography | ComRAT can use SSL/TLS encryption for its HTTP-based C2 channel. ComRAT has used public key cryptography with RSA and AES encrypted email attachments for its Gmail C2 channel.[1][4] |
enterprise | T1546 | Event Triggered Execution | - |
enterprise | T1546.015 | Component Object Model Hijacking | ComRAT samples have been seen that hijack COM objects for persistence by replacing the path to shell32.dll in the registry location HKCU\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32.[2] |
enterprise | T1564 | Hide Artifacts | - |
enterprise | T1564.005 | Hidden File System | ComRAT has used a portable FAT16 partition image placed in %TEMP% as a hidden file system.[1] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.004 | Masquerade Task or Service | ComRAT has used a task name associated with Windows SQM Consolidator.[1] |
enterprise | T1112 | Modify Registry | ComRAT has modified Registry values to store encrypted orchestrator code and payloads.[1][4] |
enterprise | T1106 | Native API | ComRAT can load a PE file from memory or the file system and execute it with CreateProcessW.[1] |
enterprise | T1027 | Obfuscated Files or Information | ComRAT has encrypted its virtual file system using AES-256 in XTS mode.[1][4] |
enterprise | T1027.009 | Embedded Payloads | ComRAT has embedded an XOR-encrypted communications module inside the orchestrator module.[1][4] |
enterprise | T1027.010 | Command Obfuscation | ComRAT has used encryption and base64 to obfuscate its orchestrator code in the Registry. ComRAT has also used encoded PowerShell scripts.[1][4] |
enterprise | T1027.011 | Fileless Storage | ComRAT has stored encrypted orchestrator code and payloads in the Registry.[1][4] |
enterprise | T1055 | Process Injection | - |
enterprise | T1055.001 | Dynamic-link Library Injection | ComRAT has injected its orchestrator DLL into explorer.exe. ComRAT has also injected its communications module into the victim’s default browser to make C2 connections appear less suspicious, as all network connections will be initiated by the browser process.[1][4] |
enterprise | T1012 | Query Registry | ComRAT can check the default browser by querying HKCR\http\shell\open\command.[1] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | ComRAT has used a scheduled task to launch its PowerShell loader.[1][4] |
enterprise | T1029 | Scheduled Transfer | ComRAT has been programmed to sleep outside local business hours (9 to 5, Monday to Friday).[1] |
enterprise | T1518 | Software Discovery | ComRAT can check the victim’s default browser to determine which process to inject its communications module into.[1] |
enterprise | T1124 | System Time Discovery | ComRAT has checked the victim system’s date and time to perform tasks during business hours (9 to 5, Monday to Friday).[4] |
enterprise | T1102 | Web Service | - |
enterprise | T1102.002 | Bidirectional Communication | ComRAT has the ability to use the Gmail web UI to receive commands and exfiltrate information.[1][4] |
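As an added, defender-side example (not code from MITRE ATT&CK or from any of the cited reports), the Python below scans an exported HKCU\Software\Classes\CLSID hive for the InprocServer32 hijack described under T1546.015: it parses .reg-style text and flags the named CLSID when its server no longer points to shell32.dll. The export text, the user path, the payload file name and the second CLSID are all constructed, and the second check (any user-hive InprocServer32 outside the Windows directory) is a generalisation beyond the single CLSID the page names.

```python
import re
# CLSID named on the ATT&CK page; its InprocServer32 should point to shell32.dll.
COMRAT_CLSID = "{42aedc87-2188-41fd-b9a3-0c966feabec1}"

# Constructed .reg export (as from `reg export HKCU\Software\Classes\CLSID`):
# the ComRAT CLSID redirected to a DLL in the user's profile, plus a made-up
# CLSID that still points into the Windows directory.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\payload.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
"""

KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\(\{[0-9a-f-]{36}\})\\InprocServer32\]$",
    re.IGNORECASE,
)
DEFAULT_RE = re.compile(r'^@="(.*)"$')  # the key's (Default) value

def parse_inproc_servers(reg_text):
    """Map each HKCU CLSID to the DLL path in its InprocServer32 (Default) value."""
    servers, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
        elif line.startswith("["):
            current = None  # some other key: ignore its values
        elif current:
            value = DEFAULT_RE.match(line)
            if value:  # .reg escapes backslashes as "\\"; unescape to a real path
                servers[current] = value.group(1).replace("\\\\", "\\")
    return servers

def find_com_hijacks(reg_text):
    """Return (clsid, path, reason) for entries worth a closer look."""
    findings = []
    for clsid, path in parse_inproc_servers(reg_text).items():
        lower = path.lower()
        if clsid == COMRAT_CLSID and not lower.endswith("\\shell32.dll"):
            findings.append((clsid, path, "ComRAT CLSID no longer points to shell32.dll"))
        elif not lower.startswith("c:\\windows\\"):
            # HKCU wins over HKLM in COM lookups, so any user-hive server outside the
            # Windows directory is a generic hijack indicator (beyond what this page states).
            findings.append((clsid, path, "user-hive InprocServer32 outside the Windows directory"))
    return findings
```

On a live host the same functions can be fed the output of `reg export HKCU\Software\Classes\CLSID out.reg`; a hit on the ComRAT CLSID should be corroborated against the other indicators in the table (the FAT16 image in %TEMP%, the SQM Consolidator-style task name) before concluding anything.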
Groups That Use This Software
ID | Name | References |
---|---|---|
G0010 | Turla | [3][5][6] |
References
1. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
2. Rascagneres, P. (2015, May). Tools used by the Uroburos actors. Retrieved August 18, 2016.
3. Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015.
4. CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020.
5. Reichel, D. (2021, February 19). IronNetInjector: Turla’s New Malware Loading Tool. Retrieved February 24, 2021.
6. Secureworks CTU. (n.d.). IRON HUNTER. Retrieved February 22, 2022.