
S1028 Action RAT

Action RAT is a remote access tool written in Delphi that has been used by SideCopy since at least December 2021 against Indian and Afghani government personnel.[1]

| Item | Value |
| --- | --- |
| ID | S1028 |
| Associated Names | |
| Version | 1.0 |
| Created | 07 August 2022 |
| Last Modified | 24 August 2022 |
| Navigation Layer | View In ATT&CK® Navigator |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Action RAT can use HTTP to communicate with C2 servers.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Action RAT can use cmd.exe to execute commands on an infected host.[1] |
| enterprise | T1005 | Data from Local System | Action RAT can collect local data from an infected machine.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Action RAT can use Base64 to decode actor-controlled C2 server communications.[1] |
| enterprise | T1083 | File and Directory Discovery | Action RAT has the ability to collect drive and file information on an infected machine.[1] |
| enterprise | T1105 | Ingress Tool Transfer | Action RAT has the ability to download additional payloads onto an infected machine.[1] |
| enterprise | T1027 | Obfuscated Files or Information | Action RAT's commands, strings, and domains can be Base64 encoded within the payload.[1] |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | Action RAT can identify AV products on an infected host using the following command: `cmd.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List`.[1] |
| enterprise | T1082 | System Information Discovery | Action RAT has the ability to collect the hostname, OS version, and OS architecture of an infected host.[1] |
| enterprise | T1016 | System Network Configuration Discovery | Action RAT has the ability to collect the MAC address of an infected host.[1] |
| enterprise | T1033 | System Owner/User Discovery | Action RAT has the ability to collect the username from an infected host.[1] |
| enterprise | T1047 | Windows Management Instrumentation | Action RAT can use WMI to gather AV products installed on an infected host.[1] |
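
A detection-side illustration of the T1518.001 and T1047 entries above, added here and not part of the ATT&CK entry: it matches process-creation command lines against the WMIC `AntiVirusProduct` query quoted in the table, after normalizing case, quoting, caret escapes and whitespace. The event field names, host names and sample events are constructed for this example.

```python
import re

# Patterns derived from the WMIC command quoted in the T1518.001 row.
WMIC = re.compile(r"(^|[\s\\/])wmic(\.exe)?(\s|$)")
# Leading "\\" before root is treated as optional (assumption, for leniency).
NAMESPACE = re.compile(r"/namespace:\s*(\\\\)?root\\securitycenter2\b")
AV_CLASS = re.compile(r"\bpath\s+antivirusproduct\b")

def normalize(cmdline: str) -> str:
    """Lowercase, drop quotes and cmd.exe caret escapes, collapse whitespace."""
    s = cmdline.lower().replace('"', "").replace("^", "")
    return re.sub(r"\s+", " ", s).strip()

def is_av_discovery(cmdline: str) -> bool:
    """True when WMIC queries AntiVirusProduct in root\\SecurityCenter2."""
    s = normalize(cmdline)
    return all(p.search(s) for p in (WMIC, NAMESPACE, AV_CLASS))

def hunt(events):
    """Return (host, parent, cmdline) for every matching event."""
    return [(e["host"], e["parent"], e["cmdline"])
            for e in events if is_av_discovery(e["cmdline"])]

# Constructed process-creation events; field names are hypothetical.
EVENTS = [
    {"host": "ws-01", "parent": "sample.exe",
     "cmdline": r"cmd.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 "
                r"Path AntiVirusProduct Get displayName /Format:List"},
    {"host": "ws-02", "parent": "cmd.exe",
     "cmdline": r'C:\Windows\System32\wbem\WMIC.exe  /namespace:"\\root\securitycenter2"'
                r"  PATH   AntiVirusProduct get displayName"},
    {"host": "ws-03", "parent": "explorer.exe",
     "cmdline": r"wmic os get Caption,Version"},
    {"host": "ws-04", "parent": "powershell.exe",
     "cmdline": r"wmic /namespace:\\root\cimv2 path Win32_OperatingSystem get Caption"},
]

if __name__ == "__main__":
    for host, parent, cmdline in hunt(EVENTS):
        print(f"{host}: {parent} -> {cmdline}")
```

Legitimate inventory and management tooling can issue the same query, so the parent process returned by `hunt` is the field to triage on.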

Groups That Use This Software

| ID | Name | References |
| --- | --- | --- |
| G1008 | SideCopy | - |