
S0126 ComRAT

ComRAT is a second stage implant suspected of being a descendant of Agent.btz and used by Turla. The first version of ComRAT was identified in 2007, but the tool has undergone substantial development for many years since.[1][2][3]

Item Value
ID S0126
Associated Names
Type MALWARE
Version 1.2
Created 31 May 2017
Last Modified 23 December 2020

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols ComRAT has used HTTP requests for command and control.[2][3][4]
enterprise T1071.003 Mail Protocols ComRAT can use email attachments for command and control.[3]
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell ComRAT has used PowerShell to load itself every time a user logs in to the system. ComRAT can execute PowerShell scripts loaded into memory or from the file system.[3][4]
enterprise T1059.003 Windows Command Shell ComRAT has used cmd.exe to execute commands.[3]
enterprise T1140 Deobfuscate/Decode Files or Information ComRAT has used unique per-machine passwords to decrypt the orchestrator payload and a hardcoded XOR key to decrypt its communications module. ComRAT has also used a unique password to decrypt the file used for its hidden file system.[3][4]
enterprise T1573 Encrypted Channel -
enterprise T1573.002 Asymmetric Cryptography ComRAT can use SSL/TLS encryption for its HTTP-based C2 channel. ComRAT has used public key cryptography with RSA and AES encrypted email attachments for its Gmail C2 channel.[3][4]
enterprise T1546 Event Triggered Execution -
enterprise T1546.015 Component Object Model Hijacking ComRAT samples have been seen which hijack COM objects for persistence by replacing the path to shell32.dll in registry location HKCU\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32.[2]
enterprise T1564 Hide Artifacts -
enterprise T1564.005 Hidden File System ComRAT has used a portable FAT16 partition image placed in %TEMP% as a hidden file system.[3]
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service ComRAT has used a task name associated with Windows SQM Consolidator.[3]
enterprise T1112 Modify Registry ComRAT has encrypted and stored its orchestrator code in the Registry as well as a PowerShell script into the WsqmCons Registry key.[3][4]
enterprise T1106 Native API ComRAT can load a PE file from memory or the file system and execute it with CreateProcessW.[3]
enterprise T1027 Obfuscated Files or Information ComRAT has used encryption and base64 to obfuscate its orchestrator code in the Registry. ComRAT has also embedded an XOR encrypted communications module inside the orchestrator module. ComRAT has encrypted its virtual file system using AES-256 in XTS mode and has encoded PowerShell scripts.[3][4]
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection ComRAT has injected its orchestrator DLL into explorer.exe. ComRAT has also injected its communications module into the victim’s default browser to make C2 connections appear less suspicious as all network connections will be initiated by the browser process.[3][4]
enterprise T1012 Query Registry ComRAT can check the default browser by querying HKCR\http\shell\open\command.[3]
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task ComRAT has used a scheduled task to launch its PowerShell loader.[3][4]
enterprise T1029 Scheduled Transfer ComRAT has been programmed to sleep outside local business hours (9 to 5, Monday to Friday).[3]
enterprise T1518 Software Discovery ComRAT can check the victim’s default browser to determine which process to inject its communications module into.[3]
enterprise T1124 System Time Discovery ComRAT has checked the victim system’s date and time to perform tasks during business hours (9 to 5, Monday to Friday).[4]
enterprise T1102 Web Service -
enterprise T1102.002 Bidirectional Communication ComRAT has the ability to use the Gmail web UI to receive commands and exfiltrate information.[3][4]
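
The COM hijack (T1546.015) and WsqmCons Registry value (T1112, T1027) rows above describe writes that Sysmon Event ID 13 (RegistryEvent, value set) records. The Python triage function below is an added example, not ComRAT or MITRE code. It flags a per-user InprocServer32 write under HKCU\Software\Classes\CLSID (Sysmon logs HKCU as HKU\<SID>) whose value is anything other than shell32.dll in System32, rating the CLSID named above as high and any other CLSID as medium, and it flags a base64-encoded PowerShell blob written under a key path containing WsqmCons. The sample events, the WsqmCons key path, the PowerShell marker list and the dictionary field names are constructed assumptions.

```python
"""Triage of Windows Registry value-set events for ComRAT-style persistence.

Added example, not ComRAT or MITRE code. Events use the Sysmon Event ID 13
field names TargetObject, Details and Image; the sample records, the WsqmCons
key path and the PowerShell marker list are constructed assumptions.
"""
import base64
import re

# CLSID whose InprocServer32 ComRAT samples redirected away from shell32.dll.
COMRAT_CLSID = "{42aedc87-2188-41fd-b9a3-0c966feabec1}"

# Per-user CLSID registrations shadow the HKLM ones, so an InprocServer32 write
# under HKCU\Software\Classes\CLSID (Sysmon writes HKCU as HKU\<SID>) is the
# event to watch. "\(Default)" is how Sysmon names the default value.
INPROC_RE = re.compile(
    r"^(?:HKCU|HKU\\[^\\]+)\\Software\\Classes\\CLSID\\"
    r"(\{[0-9a-f-]{36}\})\\InprocServer32(?:\\\(Default\))?$",
    re.IGNORECASE,
)
# The legitimate in-process server for this CLSID lives in System32.
LEGIT_SERVER_RE = re.compile(
    r"^(?:%SystemRoot%|C:\\Windows)\\System32\\shell32\.dll$", re.IGNORECASE
)
# Assumed markers of a PowerShell loader stored in the Registry.
PS_MARKERS = ("powershell", "iex", "invoke-expression", "[system.reflection.assembly]")


def decode_registry_blob(details: str):
    """Return the text behind a base64 Registry value, or None if it is not one.

    UTF-8 is tried first; UTF-16LE text contains NUL bytes that fail the
    printable check, so it falls through to the second decoding.
    """
    try:
        raw = base64.b64decode(details, validate=True)
    except ValueError:
        return None
    for encoding in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            return text
    return None


def triage_registry_events(events):
    """Return findings for a list of Event ID 13 style dicts, in event order."""
    findings = []
    for ev in events:
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "")
        m = INPROC_RE.match(target)
        if m:
            if not LEGIT_SERVER_RE.match(details.strip()):
                findings.append({
                    "rule": "T1546.015 per-user InprocServer32 redirected",
                    "severity": "high" if m.group(1).lower() == COMRAT_CLSID else "medium",
                    "target": target, "details": details, "image": ev.get("Image", ""),
                })
            continue
        if "\\wsqmcons" in target.lower():
            text = decode_registry_blob(details)
            if text and any(marker in text.lower() for marker in PS_MARKERS):
                findings.append({
                    "rule": "T1112/T1027 encoded PowerShell under WsqmCons",
                    "severity": "high",
                    "target": target, "details": text[:80], "image": ev.get("Image", ""),
                })
    return findings


def sample_events():
    """Constructed events, not real telemetry; paths and names are invented."""
    user_clsid = "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Classes\\CLSID\\"
    script = "IEX ([System.Text.Encoding]::Unicode.GetString($stage))"
    blob = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return [
        {"TargetObject": user_clsid + COMRAT_CLSID + "\\InprocServer32\\(Default)",
         "Details": "%SystemRoot%\\system32\\shell32.dll", "Image": "C:\\Windows\\explorer.exe"},
        {"TargetObject": user_clsid + COMRAT_CLSID + "\\InprocServer32\\(Default)",
         "Details": "C:\\Users\\alice\\AppData\\Roaming\\loader.dll", "Image": "C:\\Windows\\explorer.exe"},
        {"TargetObject": "HKLM\\SOFTWARE\\Microsoft\\WsqmCons\\Loader",  # assumed key path
         "Details": blob, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
        {"TargetObject": "HKLM\\SOFTWARE\\Contoso\\Version", "Details": "1.2.3",
         "Image": "C:\\Program Files\\Contoso\\setup.exe"},
        {"TargetObject": user_clsid + "{11111111-2222-3333-4444-555555555555}\\InprocServer32\\(Default)",
         "Details": "C:\\Users\\alice\\AppData\\Local\\other.dll", "Image": "C:\\Windows\\explorer.exe"},
    ]


if __name__ == "__main__":
    for finding in triage_registry_events(sample_events()):
        print(finding["severity"], finding["rule"], finding["target"])
```

Feed it the TargetObject, Details and Image fields of real Event ID 13 records. A per-user InprocServer32 registration is rare enough on managed hosts that the medium finding is worth reviewing even when the CLSID differs from the one ComRAT used.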

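The hidden file system row (T1564.005) describes a portable FAT16 partition image in %TEMP%, and the T1027 row notes that this image is encrypted with AES-256 in XTS mode, so its FAT16 boot sector is only visible once the image has been decrypted (by the sample's own routine in a sandbox, or recovered from process memory). The parser below is an added example, not ComRAT or MITRE code, for confirming that a recovered blob is a FAT16 image and listing what it holds: it validates the BIOS Parameter Block, walks the root directory skipping deleted, long-name and volume-label entries, and follows the FAT chain to extract a file. The embedded image is constructed in code, with an invented file name and contents.

```python
"""Parser for a FAT16 partition image of the kind ComRAT keeps in %TEMP%.

Added example, not ComRAT or MITRE code. Because the on-disk image is
AES-256-XTS encrypted, this runs on a decrypted copy. The sample image is
constructed in build_sample_image(); its file name and contents are invented.
"""
import struct

DIR_ENTRY = 32
ATTR_VOLUME_LABEL, ATTR_DIRECTORY, ATTR_LFN = 0x08, 0x10, 0x0F


def parse_fat16(image: bytes) -> dict:
    """Validate the BIOS Parameter Block and return geometry plus root entries."""
    if len(image) < 512 or image[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot sector signature")
    if image[54:62].rstrip() != b"FAT16":
        raise ValueError("file system type field is not FAT16")
    # BPB offsets 11..23: bytes/sector, sectors/cluster, reserved sectors,
    # FAT count, root entries, total sectors (16-bit), media, sectors/FAT.
    bps, spc, reserved, nfats, root_entries, total16, _media, spf = struct.unpack_from(
        "<HBHBHHBH", image, 11)
    if bps == 0 or spc == 0 or spf == 0:
        raise ValueError("degenerate BPB geometry")
    root_sectors = -(-root_entries * DIR_ENTRY // bps)  # ceiling division
    root_offset = (reserved + nfats * spf) * bps
    fs = {
        "cluster_size": spc * bps,
        "total_sectors": total16 or struct.unpack_from("<I", image, 32)[0],
        "fat_offset": reserved * bps,
        "root_offset": root_offset,
        "data_offset": root_offset + root_sectors * bps,
        "entries": [],
    }
    for i in range(root_entries):
        entry = image[root_offset + i * DIR_ENTRY:root_offset + (i + 1) * DIR_ENTRY]
        if len(entry) < DIR_ENTRY or entry[0] == 0x00:
            break  # 0x00 marks the end of the entries in use
        attr = entry[11]
        if entry[0] == 0xE5 or attr == ATTR_LFN or attr & ATTR_VOLUME_LABEL:
            continue  # deleted entry, long-name fragment or volume label
        base = entry[0:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        fs["entries"].append({
            "name": f"{base}.{ext}" if ext else base,
            "is_dir": bool(attr & ATTR_DIRECTORY),
            "first_cluster": struct.unpack_from("<H", entry, 26)[0],
            "size": struct.unpack_from("<I", entry, 28)[0],
        })
    return fs


def read_file(image: bytes, fs: dict, entry: dict) -> bytes:
    """Follow the FAT chain from the entry's first cluster and return its bytes."""
    out, cluster, seen = bytearray(), entry["first_cluster"], set()
    # 0x0002..0xFFF6 are data clusters; 0xFFF7 is bad; 0xFFF8..0xFFFF end the chain.
    while 2 <= cluster < 0xFFF7 and cluster not in seen:
        seen.add(cluster)  # guards against a looped chain in a damaged image
        start = fs["data_offset"] + (cluster - 2) * fs["cluster_size"]
        out += image[start:start + fs["cluster_size"]]
        cluster = struct.unpack_from("<H", image, fs["fat_offset"] + cluster * 2)[0]
    return bytes(out[:entry["size"]])


def build_sample_image() -> bytes:
    """Constructed 64-sector FAT16 image holding one file; not a real artefact."""
    bps, spc, reserved, nfats, root_entries, total, spf = 512, 1, 1, 1, 16, 64, 1
    boot = bytearray(bps)
    boot[0:3], boot[3:11] = b"\xEB\x3C\x90", b"MSWIN4.1"
    struct.pack_into("<HBHBHHBH", boot, 11, bps, spc, reserved, nfats, root_entries, total, 0xF8, spf)
    boot[38], boot[43:54], boot[54:62], boot[510:512] = 0x29, b"HIDDENVOL  ", b"FAT16   ", b"\x55\xAA"
    payload = b"constructed orchestrator config"
    fat = bytearray(spf * bps)
    struct.pack_into("<HHH", fat, 0, 0xFFF8, 0xFFFF, 0xFFFF)  # media, reserved, cluster 2 = end
    root = bytearray(root_entries * DIR_ENTRY)
    root[0:11], root[11] = b"HIDDENVOL  ", ATTR_VOLUME_LABEL          # volume label entry
    root[32:43], root[43] = b"CONFIG  BIN", 0x20                      # the file, archive attribute
    struct.pack_into("<HI", root, 32 + 26, 2, len(payload))           # first cluster 2, size
    root[64:75], root[75] = b"\xE5LDFILE TXT", 0x20                   # deleted entry
    data = bytearray((total - reserved - nfats * spf - 1) * bps)
    data[:len(payload)] = payload                                     # cluster 2
    return bytes(boot + fat + root + data)


if __name__ == "__main__":
    img = build_sample_image()
    fs = parse_fat16(img)
    for e in fs["entries"]:
        print(e["name"], e["size"], read_file(img, fs, e))
```

Point parse_fat16 at the decrypted image bytes; a ValueError means the blob is not a FAT16 volume (or is still encrypted), and each returned entry can be carved out with read_file for hashing and further analysis.
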
Groups That Use This Software

ID Name References
G0010 Turla [1][5][6]

References
