InnaputRAT is a remote access tool that can exfiltrate files from a victim’s machine. InnaputRAT has been seen out in the wild since 2016. [1]

ID: S0259
Platforms: Windows

Version: 1.0

Techniques Used

EnterpriseT1059Command-Line InterfaceInnaputRAT launches a shell to execute commands on the victim’s machine.[1]
EnterpriseT1106Execution through APIInnaputRAT uses the API call ShellExecuteW for execution.[1]
EnterpriseT1083File and Directory DiscoveryInnaputRAT enumerates directories and obtains file attributes on a system.[1]
EnterpriseT1107File DeletionInnaputRAT has a command to delete files.[1]
EnterpriseT1036MasqueradingInnaputRAT variants have attempted to appear legitimate by using the file names SafeApp.exe and NeutralApp.exe, as well as by adding a new service named OfficeUpdateService.[1]
EnterpriseT1050New ServiceSome InnaputRAT variants create a new Windows service to establish persistence.[1]
EnterpriseT1027Obfuscated Files or InformationInnaputRAT uses an 8-byte XOR key to obfuscate API names and other strings contained in the payload.[1]
EnterpriseT1060Registry Run Keys / Startup FolderSome InnaputRAT variants establish persistence by modifying the Registry key HKU\\Software\Microsoft\Windows\CurrentVersion\Run:%appdata%\NeutralApp\NeutralApp.exe.[1]
EnterpriseT1082System Information DiscoveryInnaputRAT gathers volume drive information and system information.[1]
EnterpriseT1065Uncommonly Used PortInnaputRAT uses port 52100 and 5876 for C2 communications.[1]