| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Cardinal RAT is downloaded using HTTP over port 443. |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.002 | Archive via Library | Cardinal RAT applies compression to C2 traffic using the ZLIB library. |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Cardinal RAT establishes persistence by setting the HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load Registry key to point to its executable. |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Cardinal RAT can execute commands. |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Cardinal RAT decodes many of its artifacts and is decrypted (AES-128) after being downloaded. |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | Cardinal RAT uses a secret key with a series of XOR and addition operations to encrypt C2 traffic. |
| enterprise | T1008 | Fallback Channels | Cardinal RAT can communicate over multiple C2 host and port combinations. |
| enterprise | T1083 | File and Directory Discovery | Cardinal RAT checks its current working directory upon execution and also contains watchdog functionality that ensures its executable is located in the correct path (else it will rewrite the payload). |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Cardinal RAT can uninstall itself, including deleting its executable. |
| enterprise | T1105 | Ingress Tool Transfer | Cardinal RAT can download and execute additional payloads. |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | Cardinal RAT can log keystrokes. |
| enterprise | T1112 | Modify Registry | Cardinal RAT sets HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load to point to its executable. |
| enterprise | T1027 | Obfuscated Files or Information | Cardinal RAT encodes many of its artifacts and is encrypted (AES-128) when downloaded. |
| enterprise | T1027.004 | Compile After Delivery | Cardinal RAT and its watchdog component are compiled and executed after being delivered to victims as embedded, uncompiled source code. |
| enterprise | T1057 | Process Discovery | Cardinal RAT contains watchdog functionality that ensures its process is always running, else spawns a new instance. |
| enterprise | T1055 | Process Injection | Cardinal RAT injects into a newly spawned process created from a native Windows executable. |
| enterprise | T1090 | Proxy | Cardinal RAT can act as a reverse proxy. |
| enterprise | T1012 | Query Registry | Cardinal RAT contains watchdog functionality that periodically ensures HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load is set to point to its executable. |
| enterprise | T1113 | Screen Capture | Cardinal RAT can capture screenshots. |
| enterprise | T1082 | System Information Discovery | Cardinal RAT can collect the hostname, Microsoft Windows version, and processor architecture from a victim machine. |
| enterprise | T1033 | System Owner/User Discovery | Cardinal RAT can collect the username from a victim machine. |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | Cardinal RAT lures victims into executing malicious macros embedded within Microsoft Excel documents. |