MoonWind is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand. [1]

ID: S0149
Platforms: Windows
Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1059 | Command-Line Interface | MoonWind can execute commands via an interactive command shell. [1]
Enterprise | T1043 | Commonly Used Port | MoonWind communicates over ports 80, 443, 53, and 8080 via raw sockets instead of the protocols usually associated with those ports. [1]
Enterprise | T1094 | Custom Command and Control Protocol | MoonWind completes network communication via raw sockets. [1]
Enterprise | T1074 | Data Staged | MoonWind saves information from its keylogging routine as a .zip file in the current working directory. [1]
Enterprise | T1083 | File and Directory Discovery | MoonWind has a command to return a directory listing for a specified directory. [1]
Enterprise | T1107 | File Deletion | MoonWind can delete itself or specified files. [1]
Enterprise | T1056 | Input Capture | MoonWind has a keylogger. [1]
Enterprise | T1050 | New Service | MoonWind installs itself as a new service with automatic startup to establish persistence. The service checks every 60 seconds to determine whether the malware is running; if not, it spawns a new instance. [1]
Enterprise | T1120 | Peripheral Device Discovery | MoonWind obtains the number of removable drives from the victim. [1]
Enterprise | T1057 | Process Discovery | MoonWind has a command to return a list of running processes. [1]
Enterprise | T1064 | Scripting | MoonWind uses batch scripts for various purposes, including to restart and uninstall itself. [1]
Enterprise | T1032 | Standard Cryptographic Protocol | MoonWind encrypts C2 traffic using RC4 with a static key. [1]
Enterprise | T1095 | Standard Non-Application Layer Protocol | MoonWind completes network communication via raw sockets. [1]
Enterprise | T1082 | System Information Discovery | MoonWind can obtain the victim hostname, Windows version, RAM amount, number of drives, and screen resolution. [1]
Enterprise | T1016 | System Network Configuration Discovery | MoonWind obtains the victim IP address. [1]
Enterprise | T1033 | System Owner/User Discovery | MoonWind obtains the victim username. [1]
Enterprise | T1124 | System Time Discovery | MoonWind obtains the victim's current time. [1]
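The three network rows above (T1043, T1094, T1095) describe one observable: opaque data sent over ports whose expected application protocol is HTTP, TLS or DNS. The following port/protocol mismatch check is an added example written for this page; it is not code from the ATT&CK entry or from the Unit 42 report. The Flow type, the framing heuristics and the sample flows are all constructed (the "mismatch" flows are made-up bytes standing in for raw-socket C2, not captured MoonWind traffic).

```python
import struct
from typing import List, NamedTuple, Tuple


class Flow(NamedTuple):
    src: str
    dst: str
    transport: str  # "tcp" or "udp"
    dport: int
    payload: bytes  # first bytes the client sent on the connection


# Protocol normally carried on each port the page says MoonWind uses.
EXPECTED = {80: "http", 8080: "http", 443: "tls", 53: "dns"}

HTTP_PREFIXES = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ",
                 b"DELETE ", b"CONNECT ", b"HTTP/1.")


def looks_like_http(payload: bytes) -> bool:
    return payload.startswith(HTTP_PREFIXES)


def looks_like_tls(payload: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), version 0x03 0x01..0x03.
    return (len(payload) >= 5 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[2] in (1, 2, 3))


def looks_like_dns(payload: bytes, transport: str) -> bool:
    if transport == "tcp":
        # DNS over TCP carries a 2-byte length prefix (RFC 1035 4.2.2).
        if len(payload) < 2:
            return False
        (length,) = struct.unpack("!H", payload[:2])
        if length != len(payload) - 2:
            return False
        payload = payload[2:]
    if len(payload) < 12:
        return False
    _ident, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF   # QUERY, IQUERY, STATUS are the only common ones
    z_bit = (flags >> 6) & 0x1     # reserved, must be zero
    return opcode in (0, 1, 2) and z_bit == 0 and 1 <= qdcount <= 8


def classify(flow: Flow) -> str:
    """'expected', 'mismatch', or 'unmonitored-port'."""
    proto = EXPECTED.get(flow.dport)
    if proto is None:
        return "unmonitored-port"
    ok = {"http": looks_like_http(flow.payload),
          "tls": looks_like_tls(flow.payload),
          "dns": looks_like_dns(flow.payload, flow.transport)}[proto]
    return "expected" if ok else "mismatch"


def scan(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return (flow, protocol the port should carry) for every mismatch."""
    return [(f, EXPECTED[f.dport]) for f in flows if classify(f) == "mismatch"]


# Constructed sample flows; addresses are documentation ranges.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.20", "tcp", 80,
         b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow("10.0.0.5", "198.51.100.20", "tcp", 443,
         b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32),
    Flow("10.0.0.5", "10.0.0.1", "udp", 53,
         b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
         b"\x07example\x03com\x00\x00\x01\x00\x01"),
    # Opaque bytes with no HTTP/TLS/DNS framing on the same three ports: the
    # shape of raw-socket, encrypted C2 that the rows above describe.
    Flow("10.0.0.7", "203.0.113.9", "tcp", 80,
         b"\x8a\x4f\x00\x1c\xd9\x31\x7e\xb2\x05\xee\x41\x9c"),
    Flow("10.0.0.7", "203.0.113.9", "tcp", 443,
         b"\x9f\x2c\xa1\x77\x10\x03\x55\xc8\x6d\x0b\xf4\x22"),
    Flow("10.0.0.7", "203.0.113.9", "udp", 53,
         b"\xd3\x7f\xee\x10\x9a\x02\x44\xb1\xc0\x5e\x77\x03\x21\x88"),
]


if __name__ == "__main__":
    for flow, proto in scan(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.transport}: "
              f"expected {proto}, got {flow.payload[:8].hex()}...")
```

The heuristics are deliberately loose (a real deployment would hand the payload to a protocol dissector rather than check a handful of header bytes); the point is that port alone tells you nothing here, and the first few bytes of each session do.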
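The T1032 row above notes that C2 traffic is RC4 with a static key. Because RC4 is a stream cipher and the page describes no per-message IV or nonce, every message is XORed with the same keystream, so known plaintext from one session recovers the keystream prefix for all of them without ever learning the key. The following is an added example written for this page, not MoonWind's code: STATIC_KEY is a constructed placeholder (the malware's real key is not reproduced here) and the beacon layout is invented to cover the fields the page says the RAT collects.

```python
def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key-scheduling (KSA) then pseudo-random generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR up to the shorter input's length."""
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


# Constructed placeholder key; not the value from the report.
STATIC_KEY = b"placeholder-static-key"

# Constructed beacons in an invented "field|field|..." layout carrying the
# kinds of data the page lists (hostname, user, Windows version, RAM, ...).
BEACON_HOST_A = b"WS-FINANCE-01|alice|Windows 7|4096MB|2 drives|1366x768"
BEACON_HOST_B = b"WS-HR-04|bob|Windows 10|8192MB|1 drive|1920x1080"


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """With no IV, C xor P for one message is the keystream prefix shared by all."""
    return xor_bytes(ciphertext, known_plaintext)


def decrypt_prefix(ciphertext: bytes, keystream: bytes) -> bytes:
    """Decrypt another session as far as the recovered keystream reaches."""
    return xor_bytes(ciphertext, keystream)


def demo() -> dict:
    c_a = rc4(STATIC_KEY, BEACON_HOST_A)
    c_b = rc4(STATIC_KEY, BEACON_HOST_B)
    # The analyst knows host A's plaintext (e.g. from a sandbox run of the
    # sample on a host whose name and user they control) and uses it to read
    # host B's traffic. The key is never needed.
    ks = recover_keystream(c_a, BEACON_HOST_A)
    return {
        "keystream_matches": ks == rc4_keystream(STATIC_KEY, len(BEACON_HOST_A)),
        "host_b_plaintext": decrypt_prefix(c_b, ks),
        # Classic two-time-pad property: C_a xor C_b == P_a xor P_b.
        "ct_xor_equals_pt_xor": xor_bytes(c_a, c_b) == xor_bytes(BEACON_HOST_A, BEACON_HOST_B),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The same property gives defenders a network signature: any fixed prefix in the plaintext (a magic value, a fixed command header) encrypts to the same ciphertext bytes in every session, so the first bytes of each connection can be matched directly once one session has been decoded.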