InnaputRAT is a remote access tool that can exfiltrate files from a victim’s machine. InnaputRAT has been seen out in the wild since 2016. [1]

ID: S0259
Platforms: Windows
Version: 1.1
Created: 17 October 2018
Last Modified: 20 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Some InnaputRAT variants establish persistence by modifying the Registry key HKU\\Software\Microsoft\Windows\CurrentVersion\Run:%appdata%\NeutralApp\NeutralApp.exe.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

InnaputRAT launches a shell to execute commands on the victim’s machine.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Some InnaputRAT variants create a new Windows service to establish persistence.[1]

Enterprise T1083 File and Directory Discovery

InnaputRAT enumerates directories and obtains file attributes on a system.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

InnaputRAT has a command to delete files.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

InnaputRAT variants have attempted to appear legitimate by adding a new service named OfficeUpdateService.[1]

.005 Masquerading: Match Legitimate Name or Location

InnaputRAT variants have attempted to appear legitimate by using the file names SafeApp.exe and NeutralApp.exe.[1]

Enterprise T1106 Native API

InnaputRAT uses the API call ShellExecuteW for execution.[1]

Enterprise T1027 Obfuscated Files or Information

InnaputRAT uses an 8-byte XOR key to obfuscate API names and other strings contained in the payload.[1]

Enterprise T1082 System Information Discovery

InnaputRAT gathers volume drive information and system information.[1]