S0241 RATANKBA
RATANKBA is a remote controller tool used by Lazarus Group. RATANKBA has been used in attacks targeting financial institutions in Poland, Mexico, Uruguay, the United Kingdom, and Chile. It was also seen used against organizations related to telecommunications, management consulting, information technology, insurance, aviation, and education. RATANKBA has a graphical user interface to allow the attacker to issue jobs to perform on the infected machines. [2][1]
Item | Value |
---|---|
ID | S0241 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 17 October 2018 |
Last Modified | 02 September 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1087 | Account Discovery | - |
enterprise | T1087.001 | Local Account | RATANKBA uses the net user command. [1] |
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | RATANKBA uses HTTP/HTTPS for command and control communication. [2][1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | There is a variant of RATANKBA that uses a PowerShell script instead of the traditional PE form. [2][1] |
enterprise | T1059.003 | Windows Command Shell | RATANKBA uses cmd.exe to execute commands. [2][1] |
enterprise | T1105 | Ingress Tool Transfer | RATANKBA uploads and downloads information. [2][1] |
enterprise | T1057 | Process Discovery | RATANKBA lists the system's processes. [2][1] |
enterprise | T1055 | Process Injection | - |
enterprise | T1055.001 | Dynamic-link Library Injection | RATANKBA performs a reflective DLL injection using a given pid. [2][1] |
enterprise | T1012 | Query Registry | RATANKBA uses the command reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings". [1] |
enterprise | T1018 | Remote System Discovery | RATANKBA runs the net view /domain and net view commands. [1] |
enterprise | T1082 | System Information Discovery | RATANKBA gathers information about the OS architecture, OS name, and OS version/Service pack. [2][1] |
enterprise | T1016 | System Network Configuration Discovery | RATANKBA gathers the victim's IP address via the ipconfig -all command. [2][1] |
enterprise | T1049 | System Network Connections Discovery | RATANKBA uses netstat -ano to search for specific IP address ranges. [1] |
enterprise | T1033 | System Owner/User Discovery | RATANKBA runs the whoami and query user commands. [1] |
enterprise | T1007 | System Service Discovery | RATANKBA uses tasklist /svc to display running tasks. [1] |
enterprise | T1047 | Windows Management Instrumentation | RATANKBA uses WMI to perform process monitoring. [2][1] |
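The discovery rows above (net user, net view, reg query, ipconfig -all, netstat -ano, whoami, query user, tasklist /svc, all run through cmd.exe) are individually ordinary administrator commands; what makes them worth alerting on is several of them running from one host within a short window. The following detection sketch is an added example, not code from MITRE or from the cited Trend Micro reports. It assumes a constructed process-creation log format (timestamp, host, user, command line), a hypothetical five-minute window and a threshold of four distinct techniques, and it generalises the page's exact flags slightly by also accepting the /all and /ano spellings of the ipconfig and netstat switches.

```python
"""Detection sketch: burst of RATANKBA-style discovery commands on one host.

Added example. Log format, window and threshold are assumptions, not values
taken from the ATT&CK page or the referenced reports.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands the page attributes to RATANKBA, keyed by ATT&CK ID.
# Patterns are applied after the cmd.exe /c wrapper has been removed.
DISCOVERY_PATTERNS = {
    "T1087.001": re.compile(r"^net\s+user\b", re.I),              # net user
    "T1018":     re.compile(r"^net\s+view\b", re.I),              # net view [/domain]
    "T1012":     re.compile(r"^reg\s+query\b", re.I),             # reg query HKCU\...
    "T1016":     re.compile(r"^ipconfig\b.*[-/]all", re.I),       # ipconfig -all (or /all)
    "T1049":     re.compile(r"^netstat\b.*[-/]ano", re.I),        # netstat -ano (or /ano)
    "T1033":     re.compile(r"^(whoami|query\s+user)\b", re.I),   # whoami / query user
    "T1007":     re.compile(r"^tasklist\b.*/svc", re.I),          # tasklist /svc
}

# Leading "cmd.exe /c " (optionally quoted or with a full path), i.e. T1059.003.
CMD_WRAPPER = re.compile(r'^"?[^"\s]*cmd(?:\.exe)?"?\s+/c\s+', re.I)

# Constructed log layout: "<ISO timestamp> host=<name> user=<name> cmd=<command line>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")


def classify(cmdline: str):
    """Return the ATT&CK ID of a RATANKBA discovery command, or None."""
    cmd = CMD_WRAPPER.sub("", cmdline.strip())
    for tid, pattern in DISCOVERY_PATTERNS.items():
        if pattern.search(cmd):
            return tid
    return None


def parse_line(line: str):
    """Parse one constructed log line into (timestamp, host, user, cmdline)."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed line: skipped rather than crashing the scan
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["host"], m["user"], m["cmd"]


def detect_discovery_burst(log_lines, window=timedelta(minutes=5), min_techniques=4):
    """Alert once per host whose discovery commands cover >= min_techniques
    distinct ATT&CK IDs inside any sliding window of the given length."""
    per_host = defaultdict(list)
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, user, cmd = parsed
        tid = classify(cmd)
        if tid:
            per_host[host].append((ts, tid, user))

    alerts = []
    for host, events in per_host.items():
        events.sort()
        for i, (start, _, user) in enumerate(events):
            seen = set()
            for ts, tid, _ in events[i:]:
                if ts - start > window:
                    break
                seen.add(tid)
            if len(seen) >= min_techniques:
                alerts.append({"host": host, "user": user, "start": start,
                               "techniques": sorted(seen)})
                break  # one alert per host is enough for triage
    return alerts


# Constructed sample: WS01 shows the full discovery chain in under a minute,
# WS02 runs two harmless-looking commands ten minutes apart, WS03 only two.
SAMPLE_LOG = r"""2024-03-01T09:00:01Z host=WS01 user=alice cmd="cmd.exe" /c whoami
2024-03-01T09:00:03Z host=WS01 user=alice cmd=cmd.exe /c net user
2024-03-01T09:00:05Z host=WS01 user=alice cmd=C:\Windows\System32\cmd.exe /c net view /domain
2024-03-01T09:00:09Z host=WS01 user=alice cmd=cmd.exe /c reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings"
2024-03-01T09:00:12Z host=WS01 user=alice cmd=cmd.exe /c ipconfig -all
2024-03-01T09:00:15Z host=WS01 user=alice cmd=cmd.exe /c netstat -ano
2024-03-01T09:00:20Z host=WS01 user=alice cmd=cmd.exe /c tasklist /svc
2024-03-01T09:00:25Z host=WS01 user=alice cmd=cmd.exe /c query user
2024-03-01T09:00:30Z host=WS01 user=alice cmd=notepad.exe
2024-03-01T09:10:00Z host=WS02 user=bob cmd=ipconfig /all
2024-03-01T09:20:00Z host=WS02 user=bob cmd=netstat -ano
2024-03-01T09:30:00Z host=WS03 user=carol cmd=whoami
2024-03-01T09:30:02Z host=WS03 user=carol cmd=net user
this line is not in the expected format"""

if __name__ == "__main__":
    for alert in detect_discovery_burst(SAMPLE_LOG.splitlines()):
        print(alert)
```

Only WS01 trips the rule: seven distinct discovery techniques inside one window, while WS02's two commands fall outside the window and WS03 never reaches the threshold. The same grouping logic applies to Sysmon Event ID 1 or Windows 4688 records once the parser is swapped for the real field layout.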
Groups That Use This Software
ID | Name | References |
---|---|---|
G0032 | Lazarus Group | [2] |
References
1. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
2. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.