Skip to content

S0348 Cardinal RAT

Cardinal RAT is a potentially low volume remote access trojan (RAT) observed since December 2015. Cardinal RAT is notable for its unique utilization of uncompiled C# source code and the Microsoft Windows built-in csc.exe compiler.1

Item Value
ID S0348
Associated Names
Version 1.1
Created 30 January 2019
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Cardinal RAT is downloaded using HTTP over port 443.1
enterprise T1560 Archive Collected Data -
enterprise T1560.002 Archive via Library Cardinal RAT applies compression to C2 traffic using the ZLIB library.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Cardinal RAT establishes Persistence by setting the HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load Registry key to point to its executable.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Cardinal RAT can execute commands.1
enterprise T1140 Deobfuscate/Decode Files or Information Cardinal RAT decodes many of its artifacts and is decrypted (AES-128) after being downloaded.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Cardinal RAT uses a secret key with a series of XOR and addition operations to encrypt C2 traffic.1
enterprise T1008 Fallback Channels Cardinal RAT can communicate over multiple C2 host and port combinations.1
enterprise T1083 File and Directory Discovery Cardinal RAT checks its current working directory upon execution and also contains watchdog functionality that ensures its executable is located in the correct path (else it will rewrite the payload).1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Cardinal RAT can uninstall itself, including deleting its executable.1
enterprise T1105 Ingress Tool Transfer Cardinal RAT can download and execute additional payloads.1
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging Cardinal RAT can log keystrokes.1
enterprise T1112 Modify Registry Cardinal RAT sets HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load to point to its executable.1
enterprise T1027 Obfuscated Files or Information Cardinal RAT encodes many of its artifacts and is encrypted (AES-128) when downloaded.1
enterprise T1027.004 Compile After Delivery Cardinal RAT and its watchdog component are compiled and executed after being delivered to victims as embedded, uncompiled source code.1
enterprise T1057 Process Discovery Cardinal RAT contains watchdog functionality that ensures its process is always running, else spawns a new instance.1
enterprise T1055 Process Injection Cardinal RAT injects into a newly spawned process created from a native Windows executable.1
enterprise T1090 Proxy Cardinal RAT can act as a reverse proxy.1
enterprise T1012 Query Registry Cardinal RAT contains watchdog functionality that periodically ensures HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load is set to point to its executable.1
enterprise T1113 Screen Capture Cardinal RAT can capture screenshots.1
enterprise T1082 System Information Discovery Cardinal RAT can collect the hostname, Microsoft Windows version, and processor architecture from a victim machine.1
enterprise T1033 System Owner/User Discovery Cardinal RAT can collect the username from a victim machine.1
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File Cardinal RAT lures victims into executing malicious macros embedded within Microsoft Excel documents.1