RATANKBA is a remote controller tool used by Lazarus Group. RATANKBA has been used in attacks targeting financial institutions in Poland, Mexico, Uruguay, the United Kingdom, and Chile. It was also seen used against organizations related to telecommunications, management consulting, information technology, insurance, aviation, and education. RATANKBA has a graphical user interface to allow the attacker to issue jobs to perform on the infected machines. [1] [2]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1087.001 | Account Discovery: Local Account | 
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | RATANKBA uses HTTP/HTTPS for command and control communication.[1][2]
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | There is a variant of RATANKBA that uses a PowerShell script instead of the traditional PE form.[1][2]
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | 
Enterprise | T1105 | Ingress Tool Transfer | 
Enterprise | T1057 | Process Discovery | 
Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | RATANKBA performs a reflective DLL injection using a given pid.[1][2]
Enterprise | T1012 | Query Registry | RATANKBA uses the command 
Enterprise | T1018 | Remote System Discovery | RATANKBA runs the 
Enterprise | T1082 | System Information Discovery | RATANKBA gathers information about the OS architecture, OS name, and OS version/Service pack.[1][2]
Enterprise | T1016 | System Network Configuration Discovery | RATANKBA gathers the victim’s IP address via the 
Enterprise | T1049 | System Network Connections Discovery | RATANKBA uses 
Enterprise | T1033 | System Owner/User Discovery | 
Enterprise | T1007 | System Service Discovery | 
Enterprise | T1047 | Windows Management Instrumentation | 
ID | Name | References
---|---|---
G0032 | Lazarus Group | 