SOFTWARE
Overview 3PARA RAT 4H RAT adbupd Adups ADVSTORESHELL Agent Tesla Agent.btz Allwinner Android Overlay Malware Android/Chuli.A ANDROIDOS_ANSERVER.A AndroRAT Arp ASPXSpy Astaroth at AuditCred AutoIt backdoor Azorult Backdoor.Oldrea BACKSPACE BADCALL BADNEWS BadPatch Bandook Bankshot BBSRAT BISCUIT Bisonal BITSAdmin BLACKCOFFEE BlackEnergy BONDUPDATER BOOTRASH BrainTest Brave Prince Briba BS2005 BUBBLEWRAP Cachedump CALENDAR Calisto CallMe Cannon Carbanak Carbon Cardinal RAT Catchamas CCBkdr certutil Chaos Charger ChChes Cherry Picker China Chopper CHOPSTICK CloudDuke cmd Cobalt Strike Cobian RAT CoinTicker Comnie ComRAT CORALDECK CORESHELL CosmicDuke CozyCar Crimson CrossRAT DarkComet Daserf DDKONG DealersChoice Dendroid Denis Derusbi Dipsind DOGCALL Dok Downdelph DownPaper DressCode Dridex DroidJack dsquery DualToy Duqu DustySky Dyre Ebury Elise ELMER Emissary Emotet Empire Epic EvilBunny EvilGrab Exaramel Expand FakeM FALLCHILL Felismus FELIXROOT Fgdump Final1stspy FinFisher Flame FLASHFLOOD FlawedAmmyy FlawedGrace FLIPSIDE Forfiles FruitFly FTP Gazer GeminiDuke gh0st RAT GLOOXMAIL Gold Dragon Gooligan GravityRAT GreyEnergy gsecdump H1N1 Hacking Team UEFI Rootkit HALFBAKED HAMMERTOSS HAPPYWORK HARDRAIN Havij HAWKBALL hcdLoader HDoor Helminth Hi-Zor HiddenWasp HIDEDRV Hikit HOMEFRY HOPLIGHT HTRAN HTTPBrowser httpclient HummingBad HummingWhale Hydraq HyperBro ifconfig iKitten Impacket InnaputRAT InvisiMole Invoke-PSImage ipconfig ISMInjector Ixeshe Janicab JCry JHUHUGIT JPIN jRAT Judy KARAE Kasidet Kazuar KeyBoy Keydnap KEYMARBLE KeyRaider Koadic Komplex KOMPROGO KONNI Kwampirs LaZagne LightNeuron Linfo Linux Rabbit LockerGoga LoJax LOWBALL Lslsass Lurid MacSpy Marcher Matroyshka MazarBOT meek Micropsia Mimikatz MimiPenguin Miner-C MiniDuke MirageFox Mis-Type Misdat Mivast MobileOrder MoonWind More_eggs Mosquito MURKYTOP Naid NanHaiShu NanoCore NavRAT nbtstat NDiskMonitor Nerex Net Net Crawler NETEAGLE netsh netstat NetTraveler NETWIRE Nidiran njRAT Nltest NOKKI NotCompatible NotPetya OBAD OceanSalt Octopus OLDBAIT OldBoot Olympic Destroyer OnionDuke OopsIE Orz OSInfo OSX_OCEANLOTUS.D OwaAuth P2P ZeuS Pallas Pasam Pass-The-Hash Toolkit Pegasus for Android Pegasus for iOS PHOREAL PinchDuke Ping Pisloader PJApps PLAINTEE PlugX pngdowner PoisonIvy POORAIM PoshC2 POSHSPY Power Loader PowerDuke POWERSOURCE PowerSploit PowerStallion POWERSTATS POWERTON POWRUNER Prikormka Proton Proxysvc PsExec Psylo Pteranodon PUNCHBUGGY PUNCHTRACK Pupy pwdump QUADAGENT QuasarRAT RARSTONE RATANKBA RawDisk RawPOS RCSAndroid Reaver RedDrop RedLeaves Reg Regin Remcos Remexi RemoteCMD Remsec Responder Revenge RAT RGDoor RIPTIDE ROCKBOOT RogueRobin ROKRAT route Rover RTM Ruler RuMMS RunningRAT S-Type Sakula SamSam schtasks SDelete SeaDuke Seasalt SEASHARPEE ServHelper Shamoon ShiftyBug SHIPSHAPE SHOTPUT SHUTTERSPEED Skeleton Key Skygofree SLOWDRIFT Smoke Loader SNUGRIDE Socksbot SOUNDBITE SPACESHIP SpeakUp spwebmember SpyDealer SpyNote RAT sqlmap SQLRat SslMM Starloader Stealth Mango StoneDrill StreamEx Sykipot SynAck Sys10 Systeminfo T9000 Taidoor Tangelo Tasklist TDTESS TEXTMATE TINYTYPHON TinyZBot Tor TrickBot Trojan-SMS.AndroidOS.Agent.ao Trojan-SMS.AndroidOS.FakeInst.a Trojan-SMS.AndroidOS.OpFake.a Trojan.Karagany Trojan.Mebromi Truvasys TURNEDUP Twitoor TYPEFRAME UACMe UBoatRAT Umbreon Unknown Logger UPPERCUT Uroburos Ursnif USBStealer Vasport VERMIN Volgmer WannaCry WEBC2 Wiarp Windows Credential Editor WINDSHIELD WINERACK Winexe Wingbird WinMM Winnti Wiper WireLurker X-Agent for Android XAgentOSX Xbash Xbot xCmd XcodeGhost XLoader XTunnel Yahoyah YiSpecter yty Zebrocy ZergHelper Zeroaccess ZeroT Zeus Panda ZLib zwShell
  1. Home
  2. Software
  3. Cardinal RAT

Cardinal RAT

Cardinal RAT is a potentially low volume remote access trojan (RAT) observed since December 2015. Cardinal RAT is notable for its unique utilization of uncompiled C# source code and the Microsoft Windows built-in csc.exe compiler.[1]

ID: S0348
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface Cardinal RAT can execute commands.[1]
Enterprise T1043 Commonly Used Port Cardinal RAT is downloaded using HTTP over port 443.[1]
Enterprise T1500 Compile After Delivery Cardinal RAT and its watchdog component are compiled and executed after being delivered to victims as embedded, uncompiled source code.[1]
Enterprise T1090 Connection Proxy Cardinal RAT can act as a reverse proxy.[1]
Enterprise T1024 Custom Cryptographic Protocol Cardinal RAT uses a secret key with a series of XOR and addition operations to encrypt C2 traffic.[1]
Enterprise T1002 Data Compressed Cardinal RAT applies compression to C2 traffic using the ZLIB library.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information Cardinal RAT decodes many of its artifacts and is decrypted (AES-128) after being downloaded.[1]
Enterprise T1008 Fallback Channels Cardinal RAT can communicate over multiple C2 host and port combinations.[1]
Enterprise T1083 File and Directory Discovery Cardinal RAT checks its current working directory upon execution and also contains watchdog functionality that ensures its executable is located in the correct path (else it will rewrite the payload).[1]
Enterprise T1107 File Deletion Cardinal RAT can uninstall itself, including deleting its executable.[1]
Enterprise T1056 Input Capture Cardinal RAT can log keystrokes.[1]
Enterprise T1112 Modify Registry Cardinal RAT sets HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load to point to its executable.[1]
Enterprise T1027 Obfuscated Files or Information Cardinal RAT encodes many of its artifacts and is encrypted (AES-128) when downloaded. [1]
Enterprise T1057 Process Discovery Cardinal RAT contains watchdog functionality that ensures its process is always running, else spawns a new instance.[1]
Enterprise T1055 Process Injection Cardinal RAT injects into a newly spawned process created from a native Windows executable.[1]
Enterprise T1012 Query Registry Cardinal RAT contains watchdog functionality that periodically ensures HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load is set to point to its executable.[1]
Enterprise T1060 Registry Run Keys / Startup Folder Cardinal RAT establishes Persistence by setting the HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load Registry key to point to its executable.[1]
Enterprise T1105 Remote File Copy Cardinal RAT is downloaded and installed via an executed Assess leadership areas of interest payload. Cardinal RAT can also download and execute additional payloads.[1]
Enterprise T1113 Screen Capture Cardinal RAT can capture screenshots.[1]
Enterprise T1071 Standard Application Layer Protocol Cardinal RAT is downloaded using HTTP over port 443.[1]
Enterprise T1082 System Information Discovery Cardinal RAT can collect the hostname, Microsoft Windows version, and processor architecture from a victim machine.[1]
Enterprise T1033 System Owner/User Discovery Cardinal RAT can collect the username from a victim machine.[1]
Enterprise T1204 User Execution Cardinal RAT lures victims into executing malicious macros embedded within Microsoft Excel documents.[1]

References

  1. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.