4H RAT

4H RAT is malware that has been used by Putter Panda since at least 2007. ^[1]

ID: S0065

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 31 May 2017

Last Modified: 30 March 2020

Techniques Used

Domain	ID		Name	Use
Enterprise	T1573	.001	加密通道: Symmetric Cryptography	4H RAT obfuscates C2 communication using a 1-byte XOR with the key 0xBE.^[1]
Enterprise	T1059	.003	命令与脚本解释器: Windows Command Shell	4H RAT has the capability to create a remote shell.^[1]
Enterprise	T1071	.001	应用层协议: Web Protocols	4H RAT uses HTTP for command and control.^[1]
Enterprise	T1083		文件和目录发现	4H RAT has the capability to obtain file and directory listings.^[1]
Enterprise	T1082		系统信息发现	4H RAT sends an OS version identifier in its beacons.^[1]
Enterprise	T1057		进程发现	4H RAT has the capability to obtain a listing of running processes (including loaded modules).^[1]

Groups That Use This Software

ID	Name	References
G0024	Putter Panda	^[1]

References

Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.