S0253 RunningRAT
RunningRAT is a remote access tool that appeared in operations surrounding the 2018 Pyeongchang Winter Olympics along with Gold Dragon and Brave Prince. [1]
Item | Value |
---|---|
ID | S0253 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 17 October 2018 |
Last Modified | 21 April 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1560 | Archive Collected Data | RunningRAT contains code to compress files. [1] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | RunningRAT adds itself to the Registry key Software\Microsoft\Windows\CurrentVersion\Run to establish persistence upon reboot. [1] |
enterprise | T1115 | Clipboard Data | RunningRAT contains code to open and copy data from the clipboard. [1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | RunningRAT uses a batch file to kill a security program task and then attempts to remove itself. [1] |
enterprise | T1562 | Impair Defenses | - |
enterprise | T1562.001 | Disable or Modify Tools | RunningRAT kills a running antimalware process. [1] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.001 | Clear Windows Event Logs | RunningRAT contains code to clear event logs. [1] |
enterprise | T1070.004 | File Deletion | RunningRAT contains code to delete files from the victim’s machine. [1] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | RunningRAT captures keystrokes and sends them back to the C2 server. [1] |
enterprise | T1082 | System Information Discovery | RunningRAT gathers the OS version, logical drive information, processor information, and volume information. [1] |