Skip to content

S0246 HARDRAIN

HARDRAIN is a Trojan malware variant reportedly used by the North Korean government. 1

Item Value
ID S0246
Associated Names
Type MALWARE
Version 1.1
Created 17 October 2018
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell HARDRAIN uses cmd.exe to execute netshcommands.1
enterprise T1001 Data Obfuscation -
enterprise T1001.003 Protocol Impersonation HARDRAIN uses FakeTLS to communicate with its C2 server.1
enterprise T1562 Impair Defenses -
enterprise T1562.004 Disable or Modify System Firewall HARDRAIN opens the Windows Firewall to modify incoming connections.1
enterprise T1571 Non-Standard Port HARDRAIN binds and listens on port 443 with a FakeTLS method.1
enterprise T1090 Proxy HARDRAIN uses the command cmd.exe /c netsh firewall add portopening TCP 443 “adp” and makes the victim machine function as a proxy server.1

Groups That Use This Software

ID Name References
G0032 Lazarus Group 1

References