| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | ComRAT samples have been seen which hijack COM objects for persistence by replacing the path to shell32.dll in registry location |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | ComRAT has used a task name associated with Windows SQM Consolidator.[3] |
| Enterprise | T1112 | Modify Registry | ComRAT has modified Registry values to store encrypted orchestrator code and payloads.[3][4] |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | ComRAT can use SSL/TLS encryption for its HTTP-based C2 channel. ComRAT has used public key cryptography with RSA and AES encrypted email attachments for its Gmail C2 channel.[3][4] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | ComRAT has used unique per-machine passwords to decrypt the orchestrator payload and a hardcoded XOR key to decrypt its communications module. ComRAT has also used a unique password to decrypt the file used for its hidden file system.[3][4] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | ComRAT has used PowerShell to load itself every time a user logs in to the system. ComRAT can execute PowerShell scripts loaded into memory or from the file system.[3][4] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | ComRAT has used HTTP requests for command and control.[2][3][4] |
| Enterprise | T1071.003 | Application Layer Protocol: Mail Protocols | ComRAT can use email attachments for command and control.[3] |
| Enterprise | T1106 | Native API | ComRAT can load a PE file from memory or the file system and execute it with |
| Enterprise | T1012 | Query Registry | ComRAT can check the default browser by querying |
| Enterprise | T1027 | Obfuscated Files or Information | ComRAT has encrypted its virtual file system using AES-256 in XTS mode.[3][4] |
| Enterprise | T1027.009 | Obfuscated Files or Information: Embedded Payloads | ComRAT has embedded an XOR-encrypted communications module inside the orchestrator module.[3][4] |
| Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | ComRAT has used encryption and base64 to obfuscate its orchestrator code in the Registry. ComRAT has also used encoded PowerShell scripts.[3][4] |
| Enterprise | T1027.011 | Obfuscated Files or Information: Fileless Storage | ComRAT has stored encrypted orchestrator code and payloads in the Registry.[3][4] |
| Enterprise | T1124 | System Time Discovery | ComRAT has checked the victim system's date and time to perform tasks during business hours (9 to 5, Monday to Friday).[4] |
| Enterprise | T1102.002 | Web Service: Bidirectional Communication | ComRAT has the ability to use the Gmail web UI to receive commands and exfiltrate information.[3][4] |
| Enterprise | T1518 | Software Discovery | ComRAT can check the victim's default browser to determine which process to inject its communications module into.[3] |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | ComRAT has injected its orchestrator DLL into explorer.exe. ComRAT has also injected its communications module into the victim's default browser to make C2 connections appear less suspicious, as all network connections will be initiated by the browser process.[3][4] |
| Enterprise | T1564.005 | Hide Artifacts: Hidden File System | ComRAT has used a portable FAT16 partition image placed in %TEMP% as a hidden file system.[3] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | ComRAT has used a scheduled task to launch its PowerShell loader.[3][4] |
| Enterprise | T1029 | Scheduled Transfer | ComRAT has been programmed to sleep outside local business hours (9 to 5, Monday to Friday).[3] |