DRATzarus is a remote access tool (RAT) that has been used by Lazarus Group to target defense and aerospace organizations globally since at least summer 2020. DRATzarus shares similarities with Bankshot, which was used by Lazarus Group in 2017 to target the Turkish financial sector.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | DRATzarus can collect information from a compromised host.[1] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | DRATzarus has been named |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1106 | Native API | DRATzarus can use various API calls to see if it is running in a sandbox.[1] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | |
| Enterprise | T1033 | System Owner/User Discovery | DRATzarus can obtain a list of users from an infected machine.[1] |
| Enterprise | T1124 | System Time Discovery | DRATzarus can use the |
| Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | DRATzarus can use the |
| Enterprise | T1622 | Debugger Evasion | DRATzarus can use |
| Enterprise | T1105 | Ingress Tool Transfer | DRATzarus can deploy additional tools onto an infected machine.[1] |
| Enterprise | T1057 | Process Discovery | DRATzarus can enumerate and examine running processes to determine if a debugger is present.[1] |
| Enterprise | T1018 | Remote System Discovery | DRATzarus can search for other machines connected to a compromised host and attempt to map the network.[1] |
| ID | Name | Description |
|---|---|---|
| C0022 | Operation Dream Job | During Operation Dream Job, Lazarus Group used DRATzarus to deploy open-source software and partly commodity software, such as Responder, Wake-On-Lan, and ChromePass, to target infected hosts.[1] |