| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | RDAT can use HTTP communications for C2, as well as using the WinHTTP library to make requests to the Exchange Web Services API. |
| enterprise | T1071.003 | Mail Protocols | RDAT can use email attachments for C2 communications. |
| enterprise | T1071.004 | DNS | RDAT has used DNS to communicate with the C2. |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | RDAT has executed commands using `cmd.exe /c`. |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | RDAT has created a service when it is installed on the victim machine. |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | RDAT can communicate with the C2 via base32-encoded subdomains. |
| enterprise | T1132.002 | Non-Standard Encoding | RDAT can communicate with the C2 via subdomains that utilize base64 with character substitutions. |
| enterprise | T1001 | Data Obfuscation | RDAT has used encoded data within subdomains as AES ciphertext to communicate from the host to the C2. |
| enterprise | T1001.002 | Steganography | RDAT can process steganographic images attached to email messages to send and receive C2 commands. RDAT can also embed additional messages within BMP images to communicate with the RDAT operator. |
| enterprise | T1030 | Data Transfer Size Limits | RDAT can upload a file via HTTP POST response to the C2 split into 102,400-byte portions. RDAT can also download data from the C2 which is split into 81,920-byte portions. |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | RDAT can deobfuscate the base64-encoded and AES-encrypted files downloaded from the C2 server. |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | RDAT has used AES ciphertext to encode C2 communications. |
| enterprise | T1041 | Exfiltration Over C2 Channel | RDAT can exfiltrate data gathered from the infected system via the established Exchange Web Services API C2 channel. |
| enterprise | T1008 | Fallback Channels | RDAT has used HTTP if DNS C2 communications were not functioning. |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | RDAT can issue SOAP requests to delete already processed C2 emails. RDAT can also delete itself from the infected system. |
| enterprise | T1105 | Ingress Tool Transfer | RDAT can download files via DNS. |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | RDAT has used `Windows Video Service` as a name for malicious services. |
| enterprise | T1036.005 | Match Legitimate Name or Location | RDAT has masqueraded as `VMware.exe`. |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.003 | Steganography | RDAT can also embed data within a BMP image prior to exfiltration. |
| enterprise | T1113 | Screen Capture | RDAT can take a screenshot on the infected system. |