S0149 MoonWind
MoonWind is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand. [1]
| Item | Value |
|---|---|
| ID | S0149 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 31 May 2017 |
| Last Modified | 25 April 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | MoonWind can execute commands via an interactive command shell. [1] MoonWind uses batch scripts for various purposes, including to restart and uninstall itself. [1] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | MoonWind installs itself as a new service with automatic startup to establish persistence. The service checks every 60 seconds to determine if the malware is running; if not, it will spawn a new instance. [1] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | MoonWind saves information from its keylogging routine as a .zip file in the present working directory. [1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | MoonWind encrypts C2 traffic using RC4 with a static key. [1] |
| enterprise | T1083 | File and Directory Discovery | MoonWind has a command to return a directory listing for a specified directory. [1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | MoonWind can delete itself or specified files. [1] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | MoonWind has a keylogger. [1] |
| enterprise | T1095 | Non-Application Layer Protocol | MoonWind completes network communication via raw sockets. [1] |
| enterprise | T1571 | Non-Standard Port | MoonWind communicates over ports 80, 443, 53, and 8080 via raw sockets instead of the protocols usually associated with the ports. [1] |
| enterprise | T1120 | Peripheral Device Discovery | MoonWind obtains the number of removable drives from the victim. [1] |
| enterprise | T1057 | Process Discovery | MoonWind has a command to return a list of running processes. [1] |
| enterprise | T1082 | System Information Discovery | MoonWind can obtain the victim hostname, Windows version, RAM amount, and screen resolution. [1] |
| enterprise | T1016 | System Network Configuration Discovery | MoonWind obtains the victim IP address. [1] |
| enterprise | T1033 | System Owner/User Discovery | MoonWind obtains the victim username. [1] |
| enterprise | T1124 | System Time Discovery | MoonWind obtains the victim's current time. [1] |