RARSTONE is malware used by the Naikon group that has some characteristics similar to PlugX. [1]

ID: S0055
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1083 File and Directory Discovery

RARSTONE obtains installer properties from Uninstall Registry Key entries to obtain information about installed applications and how to uninstall certain applications.[2]

Enterprise T1105 Ingress Tool Transfer

RARSTONE downloads its backdoor component from a C2 server and loads it directly into memory.[1]

Enterprise T1095 Non-Application Layer Protocol

RARSTONE uses SSL to encrypt its communication with its C2 server.[1]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

After decrypting itself in memory, RARSTONE downloads a DLL file from its C2 server and loads it in the memory space of a hidden Internet Explorer process. This "downloaded" file is actually not dropped onto the system.[2]

Groups That Use This Software

ID Name References
G0019 Naikon