Skip to content

S0694 DRATzarus

DRATzarus is a remote access tool (RAT) that has been used by Lazarus Group to target the defense and aerospace organizations globally since at least summer 2020. DRATzarus shares similarities with Bankshot, which was used by Lazarus Group in 2017 to target the Turkish financial sector.1

Item Value
ID S0694
Associated Names
Type MALWARE
Version 1.1
Created 24 March 2022
Last Modified 17 March 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols DRATzarus can use HTTP or HTTPS for C2 communications.1
enterprise T1005 Data from Local System DRATzarus can collect information from a compromised host.1
enterprise T1622 Debugger Evasion DRATzarus can use IsDebuggerPresent to detect whether a debugger is present on a victim.1
enterprise T1105 Ingress Tool Transfer DRATzarus can deploy additional tools onto an infected machine.1
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location DRATzarus has been named Flash.exe, and its dropper has been named IExplorer.1
enterprise T1106 Native API DRATzarus can use various API calls to see if it is running in a sandbox.1
enterprise T1027 Obfuscated Files or Information DRATzarus can be partly encrypted with XOR.1
enterprise T1027.002 Software Packing DRATzarus‘s dropper can be packed with UPX.1
enterprise T1057 Process Discovery DRATzarus can enumerate and examine running processes to determine if a debugger is present.1
enterprise T1018 Remote System Discovery DRATzarus can search for other machines connected to compromised host and attempt to map the network.1
enterprise T1033 System Owner/User Discovery DRATzarus can obtain a list of users from an infected machine.1
enterprise T1124 System Time Discovery DRATzarus can use the GetTickCount and GetSystemTimeAsFileTime API calls to inspect system time.1
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.003 Time Based Evasion DRATzarus can use the GetTickCount and GetSystemTimeAsFileTime API calls to measure function timing.1 DRATzarus can also remotely shut down into sleep mode under specific conditions to evade
detection.1

Groups That Use This Software

ID Name References
G0032 Lazarus Group 1423

References