
S0433 Rifdoor

Rifdoor is a remote access trojan (RAT) that shares numerous code similarities with HotCroissant [1].

| Item | Value |
|---|---|
| ID | S0433 |
| Associated Names | |
| Version | 1.0 |
| Created | 05 May 2020 |
| Last Modified | 08 May 2020 |
| Navigation Layer | View In ATT&CK® Navigator |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Rifdoor has created a new registry entry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Graphics with a value of C:\ProgramData\Initech\Initech.exe /run. [1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | Rifdoor has encrypted command and control (C2) communications with a stream cipher. [1] |
| enterprise | T1027 | Obfuscated Files or Information | Rifdoor has encrypted strings with a single byte XOR algorithm. [1] |
| enterprise | T1027.001 | Binary Padding | Rifdoor has added four additional bytes of data upon launching, then saved the changed version as C:\ProgramData\Initech\Initech.exe. [1] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | Rifdoor has been distributed in e-mails with malicious Excel or Word documents. [1] |
| enterprise | T1082 | System Information Discovery | Rifdoor has the ability to identify the Windows version on the compromised host. [1] |
| enterprise | T1016 | System Network Configuration Discovery | Rifdoor has the ability to identify the IP address of the compromised host. [1] |
| enterprise | T1033 | System Owner/User Discovery | Rifdoor has the ability to identify the username on the compromised host. [1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | Rifdoor has been executed from malicious Excel or Word documents containing macros. [1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0138 | Andariel | [2] |