RATANKBA

RATANKBA is a remote controller tool used by Lazarus Group. RATANKBA has been used in attacks targeting financial institutions in Poland, Mexico, Uruguay, the United Kingdom, and Chile. It was also seen used against organizations related to telecommunications, management consulting, information technology, insurance, aviation, and education. RATANKBA has a graphical user interface to allow the attacker to issue jobs to perform on the infected machines. [1] [2]

ID: S0241
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1087 Account Discovery

RATANKBA uses the net user command.[2]

Enterprise T1059 Command-Line Interface

RATANKBA uses cmd.exe to execute commands.[1][2]

Enterprise T1043 Commonly Used Port

RATANKBA uses port 443 for C2.[2]

Enterprise T1086 PowerShell

There is a variant of RATANKBA that uses a PowerShell script instead of the traditional PE form.[1][2]

Enterprise T1057 Process Discovery

RATANKBA lists the system’s processes.[1][2]

Enterprise T1055 Process Injection

RATANKBA performs a reflective DLL injection using a given pid.[1][2]

Enterprise T1012 Query Registry

RATANKBA uses the command reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings".[2]

Enterprise T1105 Remote File Copy

RATANKBA uploads and downloads information.[1][2]

Enterprise T1018 Remote System Discovery

RATANKBA runs the net view /domain and net view commands.[2]

Enterprise T1071 Standard Application Layer Protocol

RATANKBA uses HTTP/HTTPS for command and control communication.[1][2]

Enterprise T1082 System Information Discovery

RATANKBA gathers information about the OS architecture, OS name, and OS version/Service pack.[1][2]

Enterprise T1016 System Network Configuration Discovery

RATANKBA gathers the victim’s IP address via the ipconfig -all command.[1][2]

Enterprise T1049 System Network Connections Discovery

RATANKBA uses netstat -ano to search for specific IP address ranges.[2]

Enterprise T1033 System Owner/User Discovery

RATANKBA runs the whoami and query user commands.[2]

Enterprise T1007 System Service Discovery

RATANKBA uses tasklist /svc to display running tasks.[2]

Enterprise T1047 Windows Management Instrumentation

RATANKBA uses WMI to perform process monitoring.[1][2]

Groups That Use This Software

ID Name References
G0032 Lazarus Group [1]

References