S1028 Action RAT
Action RAT is a remote access tool written in Delphi that has been used by SideCopy since at least December 2021 against Indian and Afghan government personnel.1
| Item | Value |
|---|---|
| ID | S1028 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 07 August 2022 |
| Last Modified | 24 August 2022 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Action RAT can use HTTP to communicate with C2 servers.1 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Action RAT can use cmd.exe to execute commands on an infected host.1 |
| enterprise | T1005 | Data from Local System | Action RAT can collect local data from an infected machine.1 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Action RAT can use Base64 to decode actor-controlled C2 server communications.1 |
| enterprise | T1083 | File and Directory Discovery | Action RAT has the ability to collect drive and file information on an infected machine.1 |
| enterprise | T1105 | Ingress Tool Transfer | Action RAT has the ability to download additional payloads onto an infected machine.1 |
| enterprise | T1027 | Obfuscated Files or Information | Action RAT's commands, strings, and domains can be Base64 encoded within the payload.1 |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | Action RAT can identify AV products on an infected host using the following command: `cmd.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List`.1 |
| enterprise | T1082 | System Information Discovery | Action RAT has the ability to collect the hostname, OS version, and OS architecture of an infected host.1 |
| enterprise | T1016 | System Network Configuration Discovery | Action RAT has the ability to collect the MAC address of an infected host.1 |
| enterprise | T1033 | System Owner/User Discovery | Action RAT has the ability to collect the username from an infected host.1 |
| enterprise | T1047 | Windows Management Instrumentation | Action RAT can use WMI to gather AV products installed on an infected host.1 |
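Two rows in the table above give a defender something concrete to act on: the WMIC `SecurityCenter2`/`AntiVirusProduct` query (T1518.001, T1047) launched from `cmd.exe` (T1059.003), and the Base64-encoded commands, strings, and domains inside the payload (T1027, T1140). The following Python is an added example, not code from the ATT&CK page or from Action RAT itself. It flags the documented AV-discovery command in Sysmon-style process-creation records and carves decodable Base64 runs out of a binary so an analyst can recover the encoded strings. Field names (`ParentImage`, `Image`, `CommandLine`), the sample events, the sample payload bytes, and the placeholder `c2.example.com` are all constructed for the example; the placeholder is not a real Action RAT domain.

```python
import base64
import re

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {   # The exact query attributed to Action RAT, spawned from cmd.exe.
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "CommandLine": r"WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 "
                       r"Path AntiVirusProduct Get displayName /Format:List",
    },
    {   # Benign WMIC use: OS version query from explorer.exe.
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "CommandLine": "wmic os get Caption,Version",
    },
    {   # Unrelated discovery command; must not match.
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\ipconfig.exe",
        "CommandLine": "ipconfig /all",
    },
    {   # Same AV query with different casing and spacing; must still match.
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "CommandLine": r"wmic  /namespace:\\root\securitycenter2  path antivirusproduct get displayname",
    },
]


def is_av_discovery_via_wmic(command_line: str) -> bool:
    """True when a command line queries the SecurityCenter2 AntiVirusProduct class via WMIC.

    Matching on the three keywords rather than the full string tolerates
    re-ordered switches, extra whitespace and case changes."""
    cl = command_line.lower()
    return "wmic" in cl and "securitycenter2" in cl and "antivirusproduct" in cl


def find_av_discovery(events):
    """Return the events in which cmd.exe spawned a WMIC AntiVirusProduct query."""
    hits = []
    for ev in events:
        parent = ev.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
        if parent == "cmd.exe" and is_av_discovery_via_wmic(ev.get("CommandLine", "")):
            hits.append(ev)
    return hits


# Runs of Base64 alphabet characters long enough to be worth decoding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def decode_embedded_base64(blob: bytes):
    """Return (encoded, decoded) pairs for Base64 runs in blob that decode to printable ASCII.

    Runs that fail strict decoding or yield non-printable bytes are dropped,
    which filters out ordinary identifiers that merely look like Base64."""
    found = []
    for m in B64_RUN.finditer(blob):
        token = m.group(0)
        padded = token + b"=" * (-len(token) % 4)   # repair stripped padding
        try:
            raw = base64.b64decode(padded, validate=True)
        except ValueError:                            # binascii.Error subclasses ValueError
            continue
        if raw and all(32 <= b < 127 for b in raw):
            found.append((token.decode("ascii"), raw.decode("ascii")))
    return found


# Constructed stand-in for a payload: binary noise around two Base64 strings
# and one alphanumeric run that is not Base64-encoded text.
SAMPLE_PAYLOAD = (
    b"MZ\x90\x00" + b"\x00" * 8
    + base64.b64encode(b"c2.example.com")          # placeholder domain, not a real C2
    + b"\x00\x01\x02"
    + b"ABCDEFGHIJKLMNOPQR"                         # decodes to non-printable bytes; filtered
    + b"\xff\xfe"
    + base64.b64encode(b"cmd.exe /c whoami")       # constructed encoded command
    + b"\x00"
)


if __name__ == "__main__":
    for ev in find_av_discovery(SAMPLE_EVENTS):
        print("AV discovery via WMIC:", ev["CommandLine"])
    for enc, dec in decode_embedded_base64(SAMPLE_PAYLOAD):
        print(f"{enc} -> {dec}")
```

The process-creation check deliberately keys on the namespace and class rather than the literal command, because the same query can be issued with `wmic` or `WMIC`, with or without `/Node:localhost`, and with reordered switches; pairing it with a `cmd.exe` parent mirrors the behaviour the page attributes to Action RAT. The Base64 carver is a triage aid, not a signature: decoded output still needs an analyst to judge which strings are C2 domains or commands.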
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1008 | SideCopy | - |