RunningRAT is a remote access tool that appeared in operations surrounding the 2018 Pyeongchang Winter Olympics along with Gold Dragon and Brave Prince. [1]

ID: S0253
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1115 | Clipboard Data | RunningRAT contains code to open and copy data from the clipboard.[1]
Enterprise | T1002 | Data Compressed | RunningRAT contains code to compress files.[1]
Enterprise | T1089 | Disabling Security Tools | RunningRAT kills a running antimalware process.[1]
Enterprise | T1107 | File Deletion | RunningRAT contains code to delete files from the victim’s machine.[1]
Enterprise | T1070 | Indicator Removal on Host | RunningRAT contains code to clear event logs.[1]
Enterprise | T1056 | Input Capture | RunningRAT captures keystrokes and sends them back to the C2 server.[1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | RunningRAT adds itself to the Registry key Software\Microsoft\Windows\CurrentVersion\Run to establish persistence upon reboot.[1]
Enterprise | T1064 | Scripting | RunningRAT uses a batch file to kill a security program task and then attempts to remove itself.[1]
Enterprise | T1082 | System Information Discovery | RunningRAT gathers the OS version, logical drives information, processor information, and volume information.[1]