MoonWind is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand. [1]

ID: S0149
Platforms: Windows

Version: 1.0

Techniques Used

EnterpriseT1059Command-Line InterfaceMoonWind can execute commands via an interactive command shell.[1]
EnterpriseT1043Commonly Used PortMoonWind communicates over ports 80, 443, 53, and 8080 via raw sockets instead of the protocols usually associated with the ports.[1]
EnterpriseT1094Custom Command and Control ProtocolMoonWind completes network communication via raw sockets.[1]
EnterpriseT1074Data StagedMoonWind saves information from its keylogging routine as a .zip file in the present working directory.[1]
EnterpriseT1083File and Directory DiscoveryMoonWind has a command to return a directory listing for a specified directory.[1]
EnterpriseT1107File DeletionMoonWind can delete itself or specified files.[1]
EnterpriseT1056Input CaptureMoonWind has a keylogger.[1]
EnterpriseT1050New ServiceMoonWind installs itself as a new service with automatic startup to establish persistence. The service checks every 60 seconds to determine if the malware is running; if not, it will spawn a new instance.[1]
EnterpriseT1120Peripheral Device DiscoveryMoonWind obtains the number of removable drives from the victim.[1]
EnterpriseT1057Process DiscoveryMoonWind has a command to return a list of running processes.[1]
EnterpriseT1064ScriptingMoonWind uses batch scripts for various purposes, including to restart and uninstall itself.[1]
EnterpriseT1032Standard Cryptographic ProtocolMoonWind encrypts C2 traffic using RC4 with a static key.[1]
EnterpriseT1095Standard Non-Application Layer ProtocolMoonWind completes network communication via raw sockets.[1]
EnterpriseT1082System Information DiscoveryMoonWind can obtain the victim hostname, Windows version, RAM amount, number of drives, and screen resolution.[1]
EnterpriseT1016System Network Configuration DiscoveryMoonWind obtains the victim IP address.[1]
EnterpriseT1033System Owner/User DiscoveryMoonWind obtains the victim username.[1]
EnterpriseT1124System Time DiscoveryMoonWind obtains the victim's current time.[1]