RARSTONE

RARSTONE is malware used by the Naikon group that has some characteristics similar to PlugX. [1]

ID: S0055
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1083 File and Directory Discovery

RARSTONE reads the entries under the Uninstall registry key (the per-application subkeys Windows maintains for Add/Remove Programs) to enumerate installed applications and learn how each can be uninstalled.[2]

Enterprise T1055 Process Injection

After decrypting itself in memory, RARSTONE downloads a DLL from its C2 server and loads it into the memory space of a hidden Internet Explorer process. The "downloaded" DLL is never written to disk, so there is no file artifact to recover.[2]

Enterprise T1105 Remote File Copy

RARSTONE downloads its backdoor component from a C2 server and loads it directly into memory.[1]

Enterprise T1071 Standard Application Layer Protocol

RARSTONE uses SSL to encrypt its communication with its C2 server.[1]
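As an added illustration (not part of the ATT&CK entry or of any published RARSTONE analysis), the following Python correlation rule shows what the chain in the T1055, T1105 and T1071 entries above looks like in endpoint telemetry: an iexplore.exe spawned by an unexpected parent, a thread created in it by a foreign image, and an outbound TLS (TCP/443) connection from that same process. Event IDs and field names follow Sysmon conventions (1 = process create, 8 = CreateRemoteThread, 3 = network connection); the allow-list of expected parent processes, the loader name update.exe and every sample event are constructed for this example.

```python
"""Correlation rule for a RARSTONE-style chain: hidden browser process,
code mapped into it without touching disk, then C2 traffic over TLS.

Events are plain dicts using Sysmon-style field names. The SAMPLE_EVENTS
list is constructed for this example and is not real telemetry.
"""
from collections import defaultdict

BROWSER = "iexplore.exe"
# Parents that legitimately launch Internet Explorer on a workstation.
# Assumption for this example; tune per environment.
EXPECTED_PARENTS = {"explorer.exe", "iexplore.exe", "svchost.exe"}


def basename(path):
    """Last path component, lower-cased, so image paths compare reliably."""
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events):
    """Return one finding per iexplore.exe PID that
    (a) was launched by an unexpected parent OR received a remote thread
        from another image, and
    (b) afterwards initiated an outbound connection to TCP/443.
    A browser talking to 443 is normal; only the combination is reported."""
    per_pid = defaultdict(lambda: {"parent": None, "injector": None, "net": []})

    for ev in events:
        eid = ev["EventID"]
        if eid == 1 and basename(ev["Image"]) == BROWSER:
            parent = basename(ev["ParentImage"])
            if parent not in EXPECTED_PARENTS:
                per_pid[ev["ProcessId"]]["parent"] = parent
        elif eid == 8 and basename(ev["TargetImage"]) == BROWSER:
            # A thread started in iexplore.exe by a foreign image is the
            # observable side effect of loading code into its address space.
            # Sysmon's ImageLoaded event (7) does not fire for a DLL that is
            # mapped manually rather than through the loader, so this is
            # the event to key on.
            src = basename(ev["SourceImage"])
            if src != BROWSER:
                per_pid[ev["TargetProcessId"]]["injector"] = src
        elif eid == 3 and basename(ev["Image"]) == BROWSER:
            if ev.get("Initiated", True) and int(ev["DestinationPort"]) == 443:
                per_pid[ev["ProcessId"]]["net"].append(ev["DestinationIp"])

    findings = []
    for pid, s in per_pid.items():
        if (s["parent"] or s["injector"]) and s["net"]:
            findings.append({
                "pid": pid,
                "parent": s["parent"],
                "injector": s["injector"],
                "destinations": s["net"],
            })
    return findings


IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
LOADER = r"C:\Users\victim\AppData\Local\Temp\update.exe"   # constructed name

# Constructed sample telemetry: one benign IE session, one injected one.
SAMPLE_EVENTS = [
    # Benign: user opens IE from the shell and browses over HTTPS.
    {"EventID": 1, "ProcessId": 4100, "Image": IE,
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "ProcessId": 4100, "Image": IE,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443, "Initiated": True},
    # Suspicious: a loader in the temp dir spawns IE, creates a remote
    # thread in it, and IE then opens a TLS session to the C2.
    {"EventID": 1, "ProcessId": 5276, "Image": IE, "ParentImage": LOADER},
    {"EventID": 8, "SourceProcessId": 5120, "SourceImage": LOADER,
     "TargetProcessId": 5276, "TargetImage": IE,
     "StartAddress": "0x00000000024F0000"},
    {"EventID": 3, "ProcessId": 5276, "Image": IE,
     "DestinationIp": "198.51.100.7", "DestinationPort": 443, "Initiated": True},
]


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"iexplore.exe pid {f['pid']}: parent={f['parent']} "
              f"injector={f['injector']} tls_to={f['destinations']}")
```

Two caveats when running this against real data: the rule keys on PID, so bound each correlation window to the lifetime of the process (Sysmon event 5, process terminate) to avoid PID reuse joining unrelated events, and Sysmon does not record whether a window is hidden, which is why the "hidden" attribute from the T1055 description is not part of the rule.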

Groups That Use This Software

ID Name References
G0019 Naikon [3] [4]

References