Skip to content

S0495 RDAT

RDAT is a backdoor used by the suspected Iranian threat group OilRig. RDAT was originally identified in 2017 and targeted companies in the telecommunications sector.1

Item Value
ID S0495
Associated Names
Version 1.0
Created 28 July 2020
Last Modified 15 October 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols RDAT can use HTTP communications for C2, as well as using the WinHTTP library to make requests to the Exchange Web Services API.1
enterprise T1071.003 Mail Protocols RDAT can use email attachments for C2 communications.1
enterprise T1071.004 DNS RDAT has used DNS to communicate with the C2.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell RDAT has executed commands using cmd.exe /c.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service RDAT has created a service when it is installed on the victim machine.1
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding RDAT can communicate with the C2 via base32-encoded subdomains.1
enterprise T1132.002 Non-Standard Encoding RDAT can communicate with the C2 via subdomains that utilize base64 with character substitutions.1
enterprise T1001 Data Obfuscation RDAT has used encoded data within subdomains as AES ciphertext to communicate from the host to the C2.1
enterprise T1001.002 Steganography RDAT can process steganographic images attached to email messages to send and receive C2 commands. RDAT can also embed additional messages within BMP images to communicate with the RDAT operator.1
enterprise T1030 Data Transfer Size Limits RDAT can upload a file via HTTP POST response to the C2 split into 102,400-byte portions. RDAT can also download data from the C2 which is split into 81,920-byte portions.1
enterprise T1140 Deobfuscate/Decode Files or Information RDAT can deobfuscate the base64-encoded and AES-encrypted files downloaded from the C2 server.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography RDAT has used AES ciphertext to encode C2 communications.1
enterprise T1041 Exfiltration Over C2 Channel RDAT can exfiltrate data gathered from the infected system via the established Exchange Web Services API C2 channel.1
enterprise T1008 Fallback Channels RDAT has used HTTP if DNS C2 communications were not functioning.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion RDAT can issue SOAP requests to delete already processed C2 emails. RDAT can also delete itself from the infected system.1
enterprise T1105 Ingress Tool Transfer RDAT can download files via DNS.1
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service RDAT has used Windows Video Service as a name for malicious services.1
enterprise T1036.005 Match Legitimate Name or Location RDAT has masqueraded as VMware.exe.1
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.003 Steganography RDAT can also embed data within a BMP image prior to exfiltration.1
enterprise T1113 Screen Capture RDAT can take a screenshot on the infected system.1

Groups That Use This Software

ID Name References
G0049 OilRig 1