ComRAT

ComRAT is a remote access tool suspected of being a descendant of Agent.btz and used by Turla. [1][2]

ID: S0126
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1122 | Component Object Model Hijacking | ComRAT samples have been seen which hijack COM objects for persistence by replacing the path to shell32.dll in registry location HKCU\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32.[2] |
| Enterprise | T1071 | Standard Application Layer Protocol | ComRAT has used HTTP requests for command and control.[2] |
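
A defender-side check for the COM hijack described in the table above, as an added example that is not part of the original entry: it parses the decoded text of a `.reg` export and reports per-user `InprocServer32` default values for this CLSID that do not point at shell32.dll. The function names, the sample export and the rule that only shell32.dll under System32 is expected are assumptions of this example.

```python
import re

# CLSID and key path come from the table above.
CLSID = "{42aedc87-2188-41fd-b9a3-0c966feabec1}"
KEY_SUFFIX = ("\\software\\classes\\clsid\\" + CLSID + "\\inprocserver32").lower()
# Assumption: shell32.dll under System32 is the only expected target.
EXPECTED = re.compile(r"^(%systemroot%|[a-z]:\\windows)\\system32\\shell32\.dll$", re.I)

def decode_value(raw):
    """Decode a .reg value: REG_SZ ("...") or REG_EXPAND_SZ (hex(2):...)."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])       # undo \\ and \" escapes
    if raw.lower().startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le", "replace").rstrip("\x00")
    return None                                          # not a string type

def find_hijacks(reg_text):
    """Return (key, value) for per-user registrations of CLSID whose default
    InprocServer32 value is not the expected shell32.dll path."""
    findings, key = [], None
    text = re.sub(r",\\\r?\n\s*", ",", reg_text)         # join hex continuation lines
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith("@=") and key:
            k = key.lower()
            per_user = k.startswith(("hkey_current_user\\", "hkey_users\\"))
            if per_user and k.endswith(KEY_SUFFIX):
                value = decode_value(line[2:])
                if value is None or not EXPECTED.match(value):
                    findings.append((key, value))
    return findings

# Constructed sample export (not real telemetry); the DLL paths are made up.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\example\\constructed.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\Example\\other.dll"
"""

if __name__ == "__main__":
    for key, value in find_hijacks(SAMPLE):
        print(f"SUSPICIOUS {key} -> {value}")
```

Exports written by regedit are usually UTF-16LE, so decode the file before passing its text to `find_hijacks`.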

Groups

Groups that use this software:

Turla

References