
S0629 RainyDay

RainyDay is a backdoor tool that has been used by Naikon since at least 2020.[1]

| Item | Value |
|---|---|
| ID | S0629 |
| Associated Names | |
| Version | 1.0 |
| Created | 29 June 2021 |
| Last Modified | 19 August 2021 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | RainyDay can use HTTP in C2 communications.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | RainyDay can use the Windows Command Shell for execution.[1] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | RainyDay can use services to establish persistence.[1] |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.003 | Credentials from Web Browsers | RainyDay can use tools to collect credentials from web browsers.[1] |
| enterprise | T1555.004 | Windows Credential Manager | RainyDay can use the QuarksPwDump tool to obtain local passwords and domain cached credentials.[1] |
| enterprise | T1005 | Data from Local System | RainyDay can use a file exfiltration tool to collect recently changed files on a compromised host.[1] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | RainyDay can use a file exfiltration tool to copy files to C:\ProgramData\Adobe\temp prior to exfiltration.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | RainyDay can decrypt its payload via an XOR key.[1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | RainyDay can use RC4 to encrypt C2 communications.[1] |
| enterprise | T1567 | Exfiltration Over Web Service | - |
| enterprise | T1567.002 | Exfiltration to Cloud Storage | RainyDay can use a file exfiltration tool to upload specific files to Dropbox.[1] |
| enterprise | T1008 | Fallback Channels | RainyDay has the ability to switch between TCP and HTTP for C2 if one method is not working.[1] |
| enterprise | T1083 | File and Directory Discovery | RainyDay can use a file exfiltration tool to collect recently changed files with specific extensions.[1] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.002 | DLL Side-Loading | RainyDay can use side-loading to run malicious executables.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | RainyDay has the ability to uninstall itself by deleting its service and files.[1] |
| enterprise | T1105 | Ingress Tool Transfer | RainyDay can download files to a compromised host.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | RainyDay has named services and scheduled tasks to appear benign, including “ChromeCheck” and “googleupdate.”[1] |
| enterprise | T1036.005 | Match Legitimate Name or Location | RainyDay has used names to mimic legitimate software, including “vmtoolsd.exe” to spoof Vmtools.[1] |
| enterprise | T1106 | Native API | The file collection tool used by RainyDay can utilize native APIs, including ReadDirectoryChangesW for folder monitoring.[1] |
| enterprise | T1095 | Non-Application Layer Protocol | RainyDay can use TCP in C2 communications.[1] |
| enterprise | T1027 | Obfuscated Files or Information | RainyDay has been downloaded as an XOR-encrypted payload.[1] |
| enterprise | T1057 | Process Discovery | RainyDay can enumerate processes on a target system.[1] |
| enterprise | T1090 | Proxy | RainyDay can use proxy tools, including boost_proxy_client, for reverse proxy functionality.[1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | RainyDay can use scheduled tasks to achieve persistence.[1] |
| enterprise | T1113 | Screen Capture | RainyDay has the ability to capture screenshots.[1] |
| enterprise | T1007 | System Service Discovery | RainyDay can create and register a service for execution.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0019 | Naikon | [1] |