3PARA RAT

3PARA RAT is a remote access tool (RAT) programmed in C++ that has been used by Putter Panda. [1]

ID: S0066
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1024 Custom Cryptographic Protocol

3PARA RAT will use an 8-byte XOR key derived from the string HYF54&%9&jkMCXuiS instead if the DES decoding fails.[1]

Enterprise T1083 File and Directory Discovery

3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory.[1]

Enterprise T1108 Redundant Access

3PARA RAT will sleep until after a date/time value loaded from a .dat file has passed. This allows the RAT to remain dormant until a set date, which could allow a means to regain access if other parts of the actors' toolset are removed from a victim.[1]

Enterprise T1071 Standard Application Layer Protocol

3PARA RAT uses HTTP for command and control.[1]

Enterprise T1032 Standard Cryptographic Protocol

3PARA RAT command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in CBC mode with a key derived from the MD5 hash of the string HYF54&%9&jkMCXuiS.[1]

Enterprise T1099 Timestomp

3PARA RAT has a command to set certain attributes such as creation/modification timestamps on files.[1]

Groups That Use This Software

ID Name References
G0024 Putter Panda [1]

References