S0433 Rifdoor
Rifdoor is a remote access trojan (RAT) that shares numerous code similarities with HotCroissant.[1]
| Item | Value |
|---|---|
| ID | S0433 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 05 May 2020 |
| Last Modified | 08 May 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Rifdoor has created a new registry entry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Graphics with a value of C:\ProgramData\Initech\Initech.exe /run.[1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | Rifdoor has encrypted command and control (C2) communications with a stream cipher.[1] |
| enterprise | T1027 | Obfuscated Files or Information | Rifdoor has encrypted strings with a single-byte XOR algorithm.[1] |
| enterprise | T1027.001 | Binary Padding | Rifdoor has appended four additional bytes of data upon launching, then saved the changed version as C:\ProgramData\Initech\Initech.exe.[1] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | Rifdoor has been distributed in e-mails with malicious Excel or Word documents.[1] |
| enterprise | T1082 | System Information Discovery | Rifdoor has the ability to identify the Windows version on the compromised host.[1] |
| enterprise | T1016 | System Network Configuration Discovery | Rifdoor has the ability to identify the IP address of the compromised host.[1] |
| enterprise | T1033 | System Owner/User Discovery | Rifdoor has the ability to identify the username on the compromised host.[1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | Rifdoor has been executed from malicious Excel or Word documents containing macros.[1] |
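The T1027 entry above says only that Rifdoor's strings are XOR-encoded with a single byte; the key is not given. The following is an added analyst helper (not code from this page or from the Rifdoor sample) that recovers such a key by trying all 256 candidates, keeping those under which every blob decodes to NUL-terminated text, and confirming with a crib such as the Initech path the page reports. The key 0x5A and the encoded blobs are constructed for the demonstration.

```python
from typing import List, Optional


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def looks_like_text(data: bytes) -> bool:
    """True if every byte is printable ASCII, tab/CR/LF, or a NUL terminator."""
    return all(0x20 <= b < 0x7F or b in (0x00, 0x09, 0x0A, 0x0D) for b in data)


def recover_xor_key(blobs: List[bytes], crib: bytes) -> Optional[int]:
    """Try all 256 keys; return the first under which every blob decodes to
    text and at least one decoded blob contains the crib (an artifact the
    analyst expects to see, e.g. a path quoted in a report). None if no key fits."""
    for key in range(256):
        decoded = [xor_single_byte(b, key) for b in blobs]
        if all(looks_like_text(d) for d in decoded) and any(crib in d for d in decoded):
            return key
    return None


def decode_strings(blobs: List[bytes], key: int) -> List[str]:
    """Decode each blob with the recovered key and strip the NUL terminator."""
    return [xor_single_byte(b, key).rstrip(b"\x00").decode("ascii") for b in blobs]


# Constructed sample: two strings taken from the page's description, encoded
# with a key chosen here for the example (the real sample's key is not on the page).
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = [
    b"C:\\ProgramData\\Initech\\Initech.exe /run\x00",
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00",
]
SAMPLE_BLOBS = [xor_single_byte(s, SAMPLE_KEY) for s in SAMPLE_PLAINTEXT]

if __name__ == "__main__":
    key = recover_xor_key(SAMPLE_BLOBS, b"Initech")
    if key is None:
        print("no single-byte key decodes all blobs to text")
    else:
        print(f"key=0x{key:02x}", decode_strings(SAMPLE_BLOBS, key))
```

The NUL terminator matters: without it, keys differing from the true one in a low bit often map letters to letters and also pass a printable-only check, which is why the crib is required as well.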
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0138 | Andariel | [2] |