Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1083 | File and Directory Discovery |
RARSTONE obtains installer properties from Uninstall Registry Key entries to obtain information about installed applications and how to uninstall certain applications.[2] |
|
Enterprise | T1105 | Ingress Tool Transfer |
RARSTONE downloads its backdoor component from a C2 server and loads it directly into memory.[1] |
|
Enterprise | T1095 | Non-Application Layer Protocol |
RARSTONE uses SSL to encrypt its communication with its C2 server.[1] |
|
Enterprise | T1055 | .001 | Process Injection: Dynamic-link Library Injection |
After decrypting itself in memory, RARSTONE downloads a DLL file from its C2 server and loads it in the memory space of a hidden Internet Explorer process. This "downloaded" file is actually not dropped onto the system.[2] |