S0246 HARDRAIN
HARDRAIN is a Trojan malware variant reportedly used by the North Korean government. [1]
| Item | Value |
|---|---|
| ID | S0246 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 17 October 2018 |
| Last Modified | 30 March 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | HARDRAIN uses cmd.exe to execute netsh commands. [1] |
| enterprise | T1001 | Data Obfuscation | - |
| enterprise | T1001.003 | Protocol Impersonation | HARDRAIN uses FakeTLS to communicate with its C2 server. [1] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.004 | Disable or Modify System Firewall | HARDRAIN opens the Windows Firewall to modify incoming connections. [1] |
| enterprise | T1571 | Non-Standard Port | HARDRAIN binds and listens on port 443 with a FakeTLS method. [1] |
| enterprise | T1090 | Proxy | HARDRAIN uses the command `cmd.exe /c netsh firewall add portopening TCP 443 "adp"` and makes the victim machine function as a proxy server. [1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0032 | Lazarus Group | [1] |