RainyDay

RainyDay is a backdoor tool that has been used by Naikon since at least 2020.[1]

ID: S0629
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 29 June 2021
Last Modified: 11 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

RainyDay can use tools to collect credentials from web browsers.[1]

.004 Credentials from Password Stores: Windows Credential Manager

RainyDay can use the QuarksPwDump tool to obtain local passwords and domain cached credentials.[1]

Enterprise T1005 Data from Local System

RainyDay can use a file exfiltration tool to collect recently changed files on a compromised host.[1]

Enterprise T1090 Proxy

RainyDay can use proxy tools including boost_proxy_client for reverse proxy functionality.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

RainyDay has named services and scheduled tasks to appear benign, including "ChromeCheck" and "googleupdate".[1]

.005 Masquerading: Match Legitimate Name or Location

RainyDay has used names that mimic legitimate software, including "vmtoolsd.exe" to spoof Vmtools.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

RainyDay can use services to establish persistence.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

RainyDay can use RC4 to encrypt C2 communications.[1]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

RainyDay can use side-loading to run malicious executables.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

RainyDay can decrypt its payload via an XOR key.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

RainyDay can use the Windows Command Shell for execution.[1]

Enterprise T1008 Fallback Channels

RainyDay has the ability to switch between TCP and HTTP for C2 if one method is not working.[1]

Enterprise T1113 Screen Capture

RainyDay has the ability to capture screenshots.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

RainyDay can use HTTP in C2 communications.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

RainyDay can use a file exfiltration tool to copy files to C:\ProgramData\Adobe\temp prior to exfiltration.[1]

Enterprise T1083 File and Directory Discovery

RainyDay can use a file exfiltration tool to collect recently changed files with specific extensions.[1]

Enterprise T1106 Native API

The file collection tool used by RainyDay can use native APIs, including ReadDirectoryChangesW, for folder monitoring.[1]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

RainyDay has been downloaded as an XOR-encrypted payload.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

RainyDay has the ability to uninstall itself by deleting its service and files.[1]

Enterprise T1007 System Service Discovery

RainyDay can create and register a service for execution.[1]

Enterprise T1105 Ingress Tool Transfer

RainyDay can download files to a compromised host.[1]

Enterprise T1057 Process Discovery

RainyDay can enumerate processes on a target system.[1]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

RainyDay can use a file exfiltration tool to upload specific files to Dropbox.[1]

Enterprise T1095 Non-Application Layer Protocol

RainyDay can use TCP in C2 communications.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

RainyDay can use scheduled tasks to achieve persistence.[1]

Groups That Use This Software

ID Name References
G0019 Naikon [1]

References