
RARSTONE

RARSTONE is malware used by the Naikon group that has some characteristics similar to PlugX. [1]

ID: S0055
Aliases: RARSTONE
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1083 | File and Directory Discovery | RARSTONE obtains installer properties from Uninstall Registry Key entries to obtain information about installed applications and how to uninstall certain applications.[2]
Enterprise | T1055 | Process Injection | After decrypting itself in memory, RARSTONE downloads a DLL file from its C2 server and loads it in the memory space of a hidden Internet Explorer process. This "downloaded" file is actually not dropped onto the system.[2]
Enterprise | T1105 | Remote File Copy | RARSTONE downloads its backdoor component from a C2 server and loads it directly into memory.[1]
Enterprise | T1071 | Standard Application Layer Protocol | RARSTONE uses SSL to encrypt its communication with its C2 server.[1]

Groups

Groups that use this software:

Naikon

References