SombRAT

SombRAT is a modular backdoor written in C++ that has been used since at least 2019 to download and execute malicious payloads, including FIVEHANDS ransomware.[1][2][3]

ID: S0615
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 26 May 2021
Last Modified: 05 October 2022

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

SombRAT has collected data and files from a compromised host.[1][3]

Enterprise T1090 Proxy

SombRAT has the ability to use an embedded SOCKS proxy in C2 communications.[3]

Enterprise T1036 Masquerading

SombRAT can use a legitimate process name to hide itself.[3]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

SombRAT has encrypted its C2 communications with AES.[1]

.002 Encrypted Channel: Asymmetric Cryptography

SombRAT can encrypt C2 traffic with SSL.[1][2][3]

Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

SombRAT can use a custom DGA to generate a subdomain for C2.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

SombRAT can run upload to decrypt and upload files from storage.[1][3]

Enterprise T1071 .004 Application Layer Protocol: DNS

SombRAT can communicate over DNS with the C2 server.[1][2]
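The two entries above (a custom DGA that builds a C2 subdomain, and C2 carried over DNS) are what a resolver log would show as a stream of long, high-entropy labels under one base domain. The following is an added example, not code from the page or from the SombRAT reports it cites, and it says nothing about how SombRAT's own DGA is constructed: it scores constructed DNS log lines with a generic entropy heuristic and then aggregates per base domain, because a single long label is a noisy signal on its own. The thresholds, the log format, and the "last two labels are the registered domain" rule are all assumptions.

```python
"""Spot DNS C2 that uses generated subdomains (T1568.002 / T1071.004).

Added example with constructed log data; the heuristics are generic and say
nothing about how SombRAT's own DGA builds its subdomain.
"""
import math
from collections import defaultdict

# Constructed resolver log: "<epoch> <client> <queried name>", one query per line.
SAMPLE_LOG = """\
1622000001 10.0.0.5 www.example.com
1622000002 10.0.0.5 mail.example.com
1622000003 10.0.0.7 static-assets-prod-eu-west-1.cdn.example.org
1622000004 10.0.0.9 8f3a1c9e2b7d4e6f0a5c3b2d.example.net
1622000005 10.0.0.9 1d9e7b3a5c2f8e4d6b0a9c1e.example.net
1622000006 10.0.0.9 8f3a1c9e2b7d4e6f0a5c3b2d.example.net
1622000007 10.0.0.9 c4b2a1e9f8d7c6b5a4e3d2f1.example.net
1622000008 10.0.0.9 0a9b8c7d6e5f4a3b2c1d0e9f.example.net
"""

ENTROPY_BITS = 3.0   # per-character Shannon entropy threshold (assumed)
MIN_LABEL_LEN = 16   # generated labels are long; short hostnames are ignored
MIN_DISTINCT = 3     # distinct high-entropy labels before a base domain is reported


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty string or a one-symbol alphabet."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (leftmost_label, base_domain). Base = last two labels, an
    assumption standing in for a public-suffix lookup."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return labels[0], ".".join(labels[-2:])


def looks_generated(label: str) -> bool:
    """Per-name heuristic: long and high-entropy. Noisy on its own: a long
    hyphenated CDN hostname also passes, which is why results are aggregated."""
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= ENTROPY_BITS


def suspicious_domains(log_text: str) -> dict:
    """Map base_domain -> sorted distinct generated-looking labels, keeping
    only base domains that received MIN_DISTINCT or more of them."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line: skip rather than crash on real logs
        label, base = split_qname(parts[2])
        if looks_generated(label):
            seen[base].add(label)
    return {b: sorted(ls) for b, ls in seen.items() if len(ls) >= MIN_DISTINCT}


if __name__ == "__main__":
    for base, labels in suspicious_domains(SAMPLE_LOG).items():
        print(f"{base}: {len(labels)} distinct generated-looking subdomains")
```

On the sample, the CDN hostname under example.org scores as generated by itself but is never reported because it is a single distinct label; example.net is reported with four. In production the base-domain split should use a public suffix list, and the thresholds should be tuned against the organisation's own resolver baseline.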

Enterprise T1560 .003 Archive Collected Data: Archive via Custom Method

SombRAT has encrypted collected data with AES-256 using a hardcoded key.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

SombRAT can store harvested data in a custom database under the %TEMP% directory.[1]

Enterprise T1083 File and Directory Discovery

SombRAT can execute enum to enumerate files in storage on a compromised system.[1]

Enterprise T1106 Native API

SombRAT has the ability to respawn itself using ShellExecuteW and CreateProcessW.[1]

Enterprise T1027 Obfuscated Files or Information

SombRAT can encrypt strings with XOR-based routines and use a custom AES storage format for plugins, configuration, C2 domains, and harvested data.[1][2][3]
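The T1027 entry above and the T1140 entry earlier describe strings hidden with XOR-based routines that the malware decodes at runtime. When analysing such a sample the practical task is the reverse: recover the XOR key from the obfuscated string table without the routine. The following is an added example, not code from the page or from the SombRAT reports: it builds a constructed NUL-separated string table under an assumed 4-byte repeating key, then recovers that key from the ciphertext alone using a crib ("kernel32.dll", a string almost every Windows import table contains). The key, the string list and the table layout are all assumptions made for the demonstration.

```python
"""Recover a repeating XOR key from an obfuscated string table with a crib.

Added example (constructed data, not SombRAT's real routine): the blob below is
built here with an assumed 4-byte key; recover_key() only sees the ciphertext
and the guess that "kernel32.dll" appears somewhere inside it.
"""

SAMPLE_KEY = b"\x5a\x13\xc7\x88"           # assumed key, used only to build the sample
SAMPLE_STRINGS = ["advapi32.dll", "kernel32.dll", "ShellExecuteW",
                  "CreateProcessW", "getinfo", "getprocesslist"]


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def is_clean(decoded: bytes) -> bool:
    """Accept only printable ASCII plus the NUL separators a string table uses."""
    return all(b == 0 or 0x20 <= b <= 0x7e for b in decoded)


def split_strings(decoded: bytes) -> list:
    """Split a NUL-separated table into Python strings, dropping empties."""
    return [s.decode("ascii") for s in decoded.split(b"\x00") if s]


def recover_key(cipher: bytes, crib: bytes, max_key_len: int = 0):
    """Slide crib over cipher. For each offset and candidate key length, derive
    the key bytes the crib implies; keep the hypothesis only if the crib does
    not contradict itself under that period and the whole blob then decodes to
    clean text. Returns (key, offset) or None."""
    if not max_key_len:
        max_key_len = len(crib) // 2     # each key byte confirmed by >= 2 crib bytes
    for offset in range(len(cipher) - len(crib) + 1):
        for klen in range(1, max_key_len + 1):
            key = [None] * klen
            ok = True
            for i, p in enumerate(crib):
                slot = (offset + i) % klen   # absolute alignment, so key matches the encoder's
                k = cipher[offset + i] ^ p
                if key[slot] is None:
                    key[slot] = k
                elif key[slot] != k:
                    ok = False               # crib contradicts itself under this period
                    break
            if not ok or None in key:
                continue
            key = bytes(key)
            if is_clean(xor_with_key(cipher, key)):
                return key, offset
    return None


# Constructed obfuscated blob: NUL-separated strings encoded under SAMPLE_KEY.
OBFUSCATED = xor_with_key(
    b"\x00".join(s.encode("ascii") for s in SAMPLE_STRINGS) + b"\x00", SAMPLE_KEY)


def demo():
    """Recover the key from OBFUSCATED and return (key, offset, decoded strings)."""
    found = recover_key(OBFUSCATED, b"kernel32.dll")
    if found is None:
        return None
    key, offset = found
    return key, offset, split_strings(xor_with_key(OBFUSCATED, key))


if __name__ == "__main__":
    print(demo())
```

The full-blob cleanliness check is what rejects wrong offsets that happen to pass the self-consistency test; on a real sample, replace the crib with whatever string you expect (an API name, a file extension, the C2 domain) and widen max_key_len if the routine uses a longer key.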

Enterprise T1070 .004 Indicator Removal: File Deletion

SombRAT has the ability to run cancel or closeanddeletestorage to remove all files from storage and delete the storage temp file on a compromised host.[1]

Enterprise T1082 System Information Discovery

SombRAT can execute getinfo to enumerate the computer name and OS version of a compromised system.[1]

Enterprise T1033 System Owner/User Discovery

SombRAT can execute getinfo to identify the username on a compromised host.[1][3]

Enterprise T1124 System Time Discovery

SombRAT can execute getinfo to discover the current time on a compromised host.[1][3]

Enterprise T1007 System Service Discovery

SombRAT can enumerate services on a victim machine.[1]

Enterprise T1105 Ingress Tool Transfer

SombRAT has the ability to download and execute additional payloads.[1][2][3]

Enterprise T1057 Process Discovery

SombRAT can use the getprocesslist command to enumerate processes on a compromised host.[1][2][3]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

SombRAT can execute loadfromfile, loadfromstorage, and loadfrommem to inject a DLL from disk, storage, or memory respectively.[1]

Enterprise T1041 Exfiltration Over C2 Channel

SombRAT has uploaded collected data and files from a compromised host to its C2 server.[1]

Enterprise T1564 .010 Hide Artifacts: Process Argument Spoofing

SombRAT has the ability to modify its process memory to hide process command-line arguments.[2]

Enterprise T1095 Non-Application Layer Protocol

SombRAT has the ability to use TCP sockets to send data and ICMP to ping the C2 server.[1][2]

Campaigns

ID Name Description
C0004 CostaRicto

During CostaRicto, threat actors used SombRAT in conjunction with CostaBricks and PowerSploit.[1]

References