Skip to content

S0615 SombRAT

SombRAT is a modular backdoor written in C++ that has been in use since at least 2019. SombRAT has been used to download and execute malicious payloads, including FIVEHANDS ransomware.123

Item Value
ID S0615
Associated Names
Type MALWARE
Version 1.1
Created 26 May 2021
Last Modified 19 November 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.004 DNS SombRAT can communicate over DNS with the C2 server.12
enterprise T1005 Data from Local System SombRAT has collected data and files from a compromised host.13
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging SombRAT can store harvested data in a custom database under the %TEMP% directory.1
enterprise T1140 Deobfuscate/Decode Files or Information SombRAT can run upload to decrypt and upload files from storage.13
enterprise T1568 Dynamic Resolution -
enterprise T1568.002 Domain Generation Algorithms SombRAT can use a custom DGA to generate a subdomain for C2.1
enterprise T1573 Encrypted Channel -
enterprise T1573.002 Asymmetric Cryptography SombRAT can SSL encrypt C2 traffic.123
enterprise T1083 File and Directory Discovery SombRAT can execute enum to enumerate files in storage on a compromised system.1
enterprise T1564 Hide Artifacts -
enterprise T1564.010 Process Argument Spoofing SombRAT has the ability to modify its process memory to hide process command-line arguments.2
enterprise T1070 Indicator Removal on Host -
enterprise T1070.004 File Deletion SombRAT has the ability to run cancel or closeanddeletestorage to remove all files from storage and delete the storage temp file on a compromised host.1
enterprise T1105 Ingress Tool Transfer SombRAT has the ability to download and execute additional payloads.123
enterprise T1036 Masquerading SombRAT can use a legitimate process name to hide itself.3
enterprise T1106 Native API SombRAT has the ability to respawn itself using ShellExecuteW and CreateProcessW.1
enterprise T1095 Non-Application Layer Protocol SombRAT has the ability to use TCP sockets to send data and ICMP to ping the C2 server.12
enterprise T1027 Obfuscated Files or Information SombRAT can encrypt strings with XOR-based routines and use a custom AES storage format for plugins, configuration, C2 domains, and harvested data.123
enterprise T1057 Process Discovery SombRAT can use the getprocesslist command to enumerate processes on a compromised host.123
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection SombRAT can execute loadfromfile, loadfromstorage, and loadfrommem to inject a DLL from disk, storage, or memory respectively.1
enterprise T1090 Proxy SombRAT has the ability to use an embedded SOCKS proxy in C2 communications.3
enterprise T1082 System Information Discovery SombRAT can execute getinfo to enumerate the computer name and OS version of a compromised system.1
enterprise T1033 System Owner/User Discovery SombRAT can execute getinfo to identify the username on a compromised host.13
enterprise T1007 System Service Discovery SombRAT can enumerate services on a victim machine.1
enterprise T1124 System Time Discovery SombRAT can execute getinfo to discover the current time on a compromised host.13

Groups That Use This Software

ID Name References
G0132 CostaRicto 1

References

  1. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021. 

  2. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021. 

  3. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021. 

Back to top