ComRAT is a second stage implant suspected of being a descendant of Agent.btz and used by Turla. The first version of ComRAT was identified in 2007, but the tool has undergone substantial development for many years since.[1][2][3]

ID: S0126
Platforms: Windows
Contributors: Matthieu Faou, ESET
Version: 1.4
Created: 31 May 2017
Last Modified: 22 March 2023

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

ComRAT has used HTTP requests for command and control.[2][3][4]

.003 Application Layer Protocol: Mail Protocols

ComRAT can use email attachments for command and control.[3]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

ComRAT has used PowerShell to load itself every time a user logs in to the system. ComRAT can execute PowerShell scripts loaded into memory or from the file system.[3][4]

.003 Command and Scripting Interpreter: Windows Command Shell

ComRAT has used cmd.exe to execute commands.[3]

Enterprise T1140 Deobfuscate/Decode Files or Information

ComRAT has used unique per machine passwords to decrypt the orchestrator payload and a hardcoded XOR key to decrypt its communications module. ComRAT has also used a unique password to decrypt the file used for its hidden file system.[3][4]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

ComRAT can use SSL/TLS encryption for its HTTP-based C2 channel. ComRAT has used public key cryptography with RSA and AES encrypted email attachments for its Gmail C2 channel.[3][4]

Enterprise T1546 .015 Event Triggered Execution: Component Object Model Hijacking

ComRAT samples have been seen which hijack COM objects for persistence by replacing the path to shell32.dll in registry location HKCU\Software\Classes\CLSID{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32.[2]

Enterprise T1564 .005 Hide Artifacts: Hidden File System

ComRAT has used a portable FAT16 partition image placed in %TEMP% as a hidden file system.[3]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

ComRAT has used a task name associated with Windows SQM Consolidator.[3]

Enterprise T1112 Modify Registry

ComRAT has modified Registry values to store encrypted orchestrator code and payloads.[3][4]

Enterprise T1106 Native API

ComRAT can load a PE file from memory or the file system and execute it with CreateProcessW.[3]

Enterprise T1027 Obfuscated Files or Information

ComRAT has encrypted its virtual file system using AES-256 in XTS mode.[3][4]

.009 Embedded Payloads

ComRAT has embedded a XOR encrypted communications module inside the orchestrator module.[3][4]

.010 Command Obfuscation

ComRAT has used encryption and base64 to obfuscate its orchestrator code in the Registry. ComRAT has also used encoded PowerShell scripts.[3][4]

.011 Fileless Storage

ComRAT has stored encrypted orchestrator code and payloads in the Registry.[3][4]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

ComRAT has injected its orchestrator DLL into explorer.exe. ComRAT has also injected its communications module into the victim's default browser to make C2 connections appear less suspicious as all network connections will be initiated by the browser process.[3][4]

Enterprise T1012 Query Registry

ComRAT can check the default browser by querying HKCR\http\shell\open\command.[3]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

ComRAT has used a scheduled task to launch its PowerShell loader.[3][4]

Enterprise T1029 Scheduled Transfer

ComRAT has been programmed to sleep outside local business hours (9 to 5, Monday to Friday).[3]

Enterprise T1518 Software Discovery

ComRAT can check the victim's default browser to determine which process to inject its communications module into.[3]

Enterprise T1124 System Time Discovery

ComRAT has checked the victim system's date and time to perform tasks during business hours (9 to 5, Monday to Friday).[4]

Enterprise T1102 .002 Web Service: Bidirectional Communication

ComRAT has the ability to use the Gmail web UI to receive commands and exfiltrate information.[3][4]

Groups That Use This Software

ID Name References
G0010 Turla