Skip to content

S0149 MoonWind

MoonWind is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand. 1

Item Value
ID S0149
Associated Names
Version 1.1
Created 31 May 2017
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell MoonWind can execute commands via an interactive command shell.1 MoonWind uses batch scripts for various purposes, including to restart and uninstall itself.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service MoonWind installs itself as a new service with automatic startup to establish persistence. The service checks every 60 seconds to determine if the malware is running; if not, it will spawn a new instance.1
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging MoonWind saves information from its keylogging routine as a .zip file in the present working directory.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography MoonWind encrypts C2 traffic using RC4 with a static key.1
enterprise T1083 File and Directory Discovery MoonWind has a command to return a directory listing for a specified directory.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion MoonWind can delete itself or specified files.1
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging MoonWind has a keylogger.1
enterprise T1095 Non-Application Layer Protocol MoonWind completes network communication via raw sockets.1
enterprise T1571 Non-Standard Port MoonWind communicates over ports 80, 443, 53, and 8080 via raw sockets instead of the protocols usually associated with the ports.1
enterprise T1120 Peripheral Device Discovery MoonWind obtains the number of removable drives from the victim.1
enterprise T1057 Process Discovery MoonWind has a command to return a list of running processes.1
enterprise T1082 System Information Discovery MoonWind can obtain the victim hostname, Windows version, RAM amount, number of drives, and screen resolution.1
enterprise T1016 System Network Configuration Discovery MoonWind obtains the victim IP address.1
enterprise T1033 System Owner/User Discovery MoonWind obtains the victim username.1
enterprise T1124 System Time Discovery MoonWind obtains the victim’s current time.1