1. Home
  2. Software
  3. HARDRAIN

HARDRAIN

HARDRAIN is a Trojan malware variant reportedly used by the North Korean government. [1]

ID: S0246
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 17 October 2018
Last Modified: 25 April 2025
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

HARDRAIN uses cmd.exe to execute netshcommands.[1]
Enterprise T1001 .003 Data Obfuscation: Protocol or Service Impersonation

HARDRAIN uses FakeTLS to communicate with its C2 server.[2]
Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

HARDRAIN opens the Windows Firewall to modify incoming connections.[1]
Enterprise T1571 Non-Standard Port

HARDRAIN binds and listens on port 443 with a FakeTLS method.[1]
Enterprise T1090 Proxy

HARDRAIN uses the command cmd.exe /c netsh firewall add portopening TCP 443 "adp" and makes the victim machine function as a proxy server.[1]

Groups That Use This Software

ID Name References
G0032 Lazarus Group

[1]

References

  1. US-CERT. (2018, February 05). Malware Analysis Report (MAR) - 10135536-F. Retrieved June 11, 2018.
  1. US-CERT. (2018, February 5). Malware Analysis Report (MAR) - 10135536-F. Retrieved August 15, 2024.