RATANKBA is a remote controller tool used by Lazarus Group. RATANKBA has been used in attacks targeting financial institutions in Poland, Mexico, Uruguay, the United Kingdom, and Chile. It was also seen used against organizations related to telecommunications, management consulting, information technology, insurance, aviation, and education. RATANKBA has a graphical user interface to allow the attacker to issue jobs to perform on the infected machines. [1] [2]

ID: S0241
Platforms: Windows

Version: 1.0

Techniques Used

EnterpriseT1087Account DiscoveryRATANKBA uses the net user command.[2]
EnterpriseT1059Command-Line InterfaceRATANKBA uses cmd.exe to execute commands.[1][2]
EnterpriseT1043Commonly Used PortRATANKBA uses port 443 for C2.[2]
EnterpriseT1086PowerShellThere is a variant of RATANKBA that uses a PowerShell script instead of the traditional PE form.[1][2]
EnterpriseT1057Process DiscoveryRATANKBA lists the system’s processes.[1][2]
EnterpriseT1055Process InjectionRATANKBA performs a reflective DLL injection using a given pid.[1][2]
EnterpriseT1012Query RegistryRATANKBA uses the command reg query “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings”.[2]
EnterpriseT1105Remote File CopyRATANKBA uploads and downloads information.[1][2]
EnterpriseT1018Remote System DiscoveryRATANKBA runs the net view /domain and net view commands.[2]
EnterpriseT1071Standard Application Layer ProtocolRATANKBA uses HTTP/HTTPS for command and control communication.[1][2]
EnterpriseT1082System Information DiscoveryRATANKBA gathers information about the OS architecture, OS name, and OS version/Service pack.[1][2]
EnterpriseT1016System Network Configuration DiscoveryRATANKBA gathers the victim’s IP address via the ipconfig -all command.[1][2]
EnterpriseT1049System Network Connections DiscoveryRATANKBA uses netstat -ano to search for specific IP address ranges.[2]
EnterpriseT1033System Owner/User DiscoveryRATANKBA runs the whoami and query user commands.[2]
EnterpriseT1007System Service DiscoveryRATANKBA uses tasklist /svc to display running tasks.[2]
EnterpriseT1047Windows Management InstrumentationRATANKBA uses WMI to perform process monitoring.[1][2]


Groups that use this software:

Lazarus Group