Skip to content


RATANKBA is a remote controller tool used by Lazarus Group. RATANKBA has been used in attacks targeting financial institutions in Poland, Mexico, Uruguay, the United Kingdom, and Chile. It was also seen used against organizations related to telecommunications, management consulting, information technology, insurance, aviation, and education. RATANKBA has a graphical user interface to allow the attacker to issue jobs to perform on the infected machines. 2 1

Item Value
ID S0241
Associated Names
Version 1.1
Created 17 October 2018
Last Modified 02 September 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.001 Local Account RATANKBA uses the net user command.1
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols RATANKBA uses HTTP/HTTPS for command and control communication.21
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell There is a variant of RATANKBA that uses a PowerShell script instead of the traditional PE form.21
enterprise T1059.003 Windows Command Shell RATANKBA uses cmd.exe to execute commands.21
enterprise T1105 Ingress Tool Transfer RATANKBA uploads and downloads information.21
enterprise T1057 Process Discovery RATANKBA lists the system’s processes.21
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection RATANKBA performs a reflective DLL injection using a given pid.21
enterprise T1012 Query Registry RATANKBA uses the command reg query “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings”.1
enterprise T1018 Remote System Discovery RATANKBA runs the net view /domain and net view commands.1
enterprise T1082 System Information Discovery RATANKBA gathers information about the OS architecture, OS name, and OS version/Service pack.21
enterprise T1016 System Network Configuration Discovery RATANKBA gathers the victim’s IP address via the ipconfig -all command.21
enterprise T1049 System Network Connections Discovery RATANKBA uses netstat -ano to search for specific IP address ranges.1
enterprise T1033 System Owner/User Discovery RATANKBA runs the whoami and query user commands.1
enterprise T1007 System Service Discovery RATANKBA uses tasklist /svc to display running tasks.1
enterprise T1047 Windows Management Instrumentation RATANKBA uses WMI to perform process monitoring.21

Groups That Use This Software

ID Name References
G0032 Lazarus Group 2


Back to top