S0652 MarkiRAT

MarkiRAT is a remote access Trojan (RAT) compiled with Visual Studio that has been used by Ferocious Kitten since at least 2015.[1]

| Item | Value |
|---|---|
| ID | S0652 |
| Associated Names | |
| Version | 1.0 |
| Created | 28 September 2021 |
| Last Modified | 25 October 2021 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | MarkiRAT can initiate communication over HTTP/HTTPS for its C2 server.[1] |
| enterprise | T1197 | BITS Jobs | MarkiRAT can use BITS Utility to connect with the C2 server.[1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | MarkiRAT can drop its payload into the Startup directory to ensure it automatically runs when the compromised system is started.[1] |
| enterprise | T1547.009 | Shortcut Modification | MarkiRAT can modify the shortcut that launches Telegram by replacing its path with the malicious payload to launch with the legitimate executable.[1] |
| enterprise | T1115 | Clipboard Data | MarkiRAT can capture clipboard content.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | MarkiRAT can utilize cmd.exe to execute commands in a victim’s environment.[1] |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.005 | Password Managers | MarkiRAT can gather information from the KeePass password manager.[1] |
| enterprise | T1005 | Data from Local System | MarkiRAT can upload data from the victim’s machine to the C2 server.[1] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | MarkiRAT can store collected data locally in a created .nfo file.[1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | MarkiRAT can exfiltrate locally stored data via its C2.[1] |
| enterprise | T1083 | File and Directory Discovery | MarkiRAT can look for files carrying specific extensions such as: .rtf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pps, .ppsx, .txt, .gpg, .pkr, .kdbx, .key, and .jpb.[1] |
| enterprise | T1105 | Ingress Tool Transfer | MarkiRAT can download additional files and tools from its C2 server, including through the use of BITSAdmin.[1] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | MarkiRAT can capture all keystrokes on a compromised host.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | MarkiRAT can masquerade as update.exe and svehost.exe; it has also mimicked legitimate Telegram and Chrome files.[1] |
| enterprise | T1106 | Native API | MarkiRAT can run the ShellExecuteW API via the Windows Command Shell.[1] |
| enterprise | T1057 | Process Discovery | MarkiRAT can search for different processes on a system.[1] |
| enterprise | T1113 | Screen Capture | MarkiRAT can capture screenshots that are initially saved as ‘scr.jpg’.[1] |
| enterprise | T1518 | Software Discovery | MarkiRAT can check for the Telegram installation directory by enumerating the files on disk.[1] |
| enterprise | T1518.001 | Security Software Discovery | MarkiRAT can check for running processes on the victim’s machine to look for Kaspersky and Bitdefender antivirus products.[1] |
| enterprise | T1082 | System Information Discovery | MarkiRAT can obtain the computer name from a compromised host.[1] |
| enterprise | T1614 | System Location Discovery | - |
| enterprise | T1614.001 | System Language Discovery | MarkiRAT can use the GetKeyboardLayout API to check if a compromised host’s keyboard is set to Persian.[1] |
| enterprise | T1033 | System Owner/User Discovery | MarkiRAT can retrieve the victim’s username.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0137 | Ferocious Kitten | [1] |