Skip to content

S0253 RunningRAT

RunningRAT is a remote access tool that appeared in operations surrounding the 2018 Pyeongchang Winter Olympics along with Gold Dragon and Brave Prince. 1

Item Value
ID S0253
Associated Names
Version 1.1
Created 17 October 2018
Last Modified 21 April 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1560 Archive Collected Data RunningRAT contains code to compress files.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder RunningRAT adds itself to the Registry key Software\Microsoft\Windows\CurrentVersion\Run to establish persistence upon reboot.1
enterprise T1115 Clipboard Data RunningRAT contains code to open and copy data from the clipboard.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell RunningRAT uses a batch file to kill a security program task and then attempts to remove itself.1
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools RunningRAT kills antimalware running process.1
enterprise T1070 Indicator Removal on Host -
enterprise T1070.001 Clear Windows Event Logs RunningRAT contains code to clear event logs.1
enterprise T1070.004 File Deletion RunningRAT contains code to delete files from the victim’s machine.1
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging RunningRAT captures keystrokes and sends them back to the C2 server.1
enterprise T1082 System Information Discovery RunningRAT gathers the OS version, logical drives information, processor information, and volume information.1


Back to top