Cardinal RAT

Cardinal RAT is a potentially low volume remote access trojan (RAT) observed since December 2015. Cardinal RAT is notable for its unique utilization of uncompiled C# source code and the Microsoft Windows built-in csc.exe compiler.[1]

ID: S0348
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1059 | Command-Line Interface | Cardinal RAT can execute commands.[1]
Enterprise | T1043 | Commonly Used Port | Cardinal RAT is downloaded using HTTP over port 443.[1]
Enterprise | T1500 | Compile After Delivery | Cardinal RAT and its watchdog component are compiled and executed after being delivered to victims as embedded, uncompiled source code.[1]
Enterprise | T1090 | Connection Proxy | Cardinal RAT can act as a reverse proxy.[1]
Enterprise | T1024 | Custom Cryptographic Protocol | Cardinal RAT uses a secret key with a series of XOR and addition operations to encrypt C2 traffic.[1]
Enterprise | T1002 | Data Compressed | Cardinal RAT applies compression to C2 traffic using the ZLIB library.[1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Cardinal RAT decodes many of its artifacts and is decrypted (AES-128) after being downloaded.[1]
Enterprise | T1008 | Fallback Channels | Cardinal RAT can communicate over multiple C2 host and port combinations.[1]
Enterprise | T1083 | File and Directory Discovery | Cardinal RAT checks its current working directory upon execution and also contains watchdog functionality that ensures its executable is located in the correct path (otherwise it rewrites the payload).[1]
Enterprise | T1107 | File Deletion | Cardinal RAT can uninstall itself, including deleting its executable.[1]
Enterprise | T1056 | Input Capture | Cardinal RAT can log keystrokes.[1]
Enterprise | T1112 | Modify Registry | Cardinal RAT sets HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load to point to its executable.[1]
Enterprise | T1027 | Obfuscated Files or Information | Cardinal RAT encodes many of its artifacts and is encrypted (AES-128) when downloaded.[1]
Enterprise | T1057 | Process Discovery | Cardinal RAT contains watchdog functionality that ensures its process is always running; otherwise it spawns a new instance.[1]
Enterprise | T1055 | Process Injection | Cardinal RAT injects into a newly spawned process created from a native Windows executable.[1]
Enterprise | T1012 | Query Registry | Cardinal RAT contains watchdog functionality that periodically ensures HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load is set to point to its executable.[1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | Cardinal RAT establishes persistence by setting the HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load Registry key to point to its executable.[1]
Enterprise | T1105 | Remote File Copy | Cardinal RAT is downloaded and installed via an executed downloader payload. Cardinal RAT can also download and execute additional payloads.[1]
Enterprise | T1113 | Screen Capture | Cardinal RAT can capture screenshots.[1]
Enterprise | T1071 | Standard Application Layer Protocol | Cardinal RAT is downloaded using HTTP over port 443.[1]
Enterprise | T1082 | System Information Discovery | Cardinal RAT can collect the hostname, Microsoft Windows version, and processor architecture from a victim machine.[1]
Enterprise | T1033 | System Owner/User Discovery | Cardinal RAT can collect the username from a victim machine.[1]
Enterprise | T1204 | User Execution | Cardinal RAT lures victims into executing malicious macros embedded within Microsoft Excel documents.[1]
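The Modify Registry, Query Registry and Registry Run Keys rows all point at the same artifact: the Load value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, which is empty on a clean system. The following PowerShell is an added, read-only hunting check and is not part of the ATT&CK entry or of reference [1]. The entry only names the HKCU path; extending the check to every loaded user hive under HKEY_USERS, the function name Get-WindowsLoadPersistence, and the output fields are assumptions of this example.

```powershell
# Added example, not from the ATT&CK entry or reference [1]: report any user hive whose
# Windows\Load value is set. Cardinal RAT is documented to point this value at its own
# executable, so a non-empty value is a review item. Enumerating all loaded hives under
# HKEY_USERS (instead of only HKCU) is an assumption of this example; reading other users'
# hives requires an elevated session.
$relativePath = 'Software\Microsoft\Windows NT\CurrentVersion\Windows'

function Get-WindowsLoadPersistence {
    # Loaded user hives appear under HKEY_USERS keyed by SID; skip the *_Classes aliases.
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' }

    foreach ($hive in $hives) {
        $keyPath = "Registry::HKEY_USERS\$($hive.PSChildName)\$relativePath"
        if (-not (Test-Path -Path $keyPath)) { continue }

        $props = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
        $load  = $props.Load
        # Absent or empty is the expected state; anything else goes into the report.
        if ([string]::IsNullOrWhiteSpace($load)) { continue }

        # Resolve %VAR% references and strip quotes so the on-disk check is meaningful.
        $resolved = [Environment]::ExpandEnvironmentVariables(($load -replace '"', ''))

        [pscustomobject]@{
            Hive         = $hive.PSChildName
            Key          = $relativePath
            Value        = 'Load'
            Target       = $load
            TargetExists = Test-Path -Path $resolved -PathType Leaf -ErrorAction SilentlyContinue
            Technique    = 'T1060 / T1112 / T1012 (Cardinal RAT persistence value)'
        }
    }
}

# Usage: run in an elevated PowerShell session; no output means no hive has Load set.
Get-WindowsLoadPersistence | Format-Table -AutoSize
```

Because the watchdog component periodically rewrites this value (Query Registry row), a one-off check that finds it clean is not conclusive; scheduling the function to run repeatedly, or auditing registry value writes to this key with Sysmon or the Windows audit policy, catches the re-set as well as the initial write. A TargetExists of False with a non-empty Target is still worth review, since the executable may have been deleted by the uninstall routine (File Deletion row) after the value was set.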