S0615 SombRAT
SombRAT is a modular backdoor written in C++ that has been used since at least 2019 to download and execute malicious payloads, including FIVEHANDS ransomware.321
| Item | Value |
|---|---|
| ID | S0615 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.2 |
| Created | 26 May 2021 |
| Last Modified | 05 October 2022 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.004 | DNS | SombRAT can communicate over DNS with the C2 server.32 |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.003 | Archive via Custom Method | SombRAT has encrypted collected data with AES-256 using a hardcoded key.3 |
| enterprise | T1005 | Data from Local System | SombRAT has collected data and files from a compromised host.31 |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | SombRAT can store harvested data in a custom database under the %TEMP% directory.3 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | SombRAT can run upload to decrypt and upload files from storage.31 |
| enterprise | T1568 | Dynamic Resolution | - |
| enterprise | T1568.002 | Domain Generation Algorithms | SombRAT can use a custom DGA to generate a subdomain for C2.3 |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | SombRAT has encrypted its C2 communications with AES.3 |
| enterprise | T1573.002 | Asymmetric Cryptography | SombRAT can SSL encrypt C2 traffic.321 |
| enterprise | T1041 | Exfiltration Over C2 Channel | SombRAT has uploaded collected data and files from a compromised host to its C2 server.3 |
| enterprise | T1083 | File and Directory Discovery | SombRAT can execute enum to enumerate files in storage on a compromised system.3 |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.010 | Process Argument Spoofing | SombRAT has the ability to modify its process memory to hide process command-line arguments.2 |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | SombRAT has the ability to run cancel or closeanddeletestorage to remove all files from storage and delete the storage temp file on a compromised host.3 |
| enterprise | T1105 | Ingress Tool Transfer | SombRAT has the ability to download and execute additional payloads.321 |
| enterprise | T1036 | Masquerading | SombRAT can use a legitimate process name to hide itself.1 |
| enterprise | T1106 | Native API | SombRAT has the ability to respawn itself using ShellExecuteW and CreateProcessW.3 |
| enterprise | T1095 | Non-Application Layer Protocol | SombRAT has the ability to use TCP sockets to send data and ICMP to ping the C2 server.32 |
| enterprise | T1027 | Obfuscated Files or Information | SombRAT can encrypt strings with XOR-based routines and use a custom AES storage format for plugins, configuration, C2 domains, and harvested data.321 |
| enterprise | T1057 | Process Discovery | SombRAT can use the getprocesslist command to enumerate processes on a compromised host.321 |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.001 | Dynamic-link Library Injection | SombRAT can execute loadfromfile, loadfromstorage, and loadfrommem to inject a DLL from disk, storage, or memory respectively.3 |
| enterprise | T1090 | Proxy | SombRAT has the ability to use an embedded SOCKS proxy in C2 communications.1 |
| enterprise | T1082 | System Information Discovery | SombRAT can execute getinfo to enumerate the computer name and OS version of a compromised system.3 |
| enterprise | T1033 | System Owner/User Discovery | SombRAT can execute getinfo to identify the username on a compromised host.31 |
| enterprise | T1007 | System Service Discovery | SombRAT can enumerate services on a victim machine.3 |
| enterprise | T1124 | System Time Discovery | SombRAT can execute getinfo to discover the current time on a compromised host.31 |
References
-
CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021. ↩↩↩↩↩↩↩↩↩↩↩
-
McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021. ↩↩↩↩↩↩↩↩
-
The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩