Cardinal RAT
Cardinal RAT is a potentially low volume remote access trojan (RAT) observed since December 2015. Cardinal RAT is notable for its unique utilization of uncompiled C# source code and the Microsoft Windows built-in csc.exe compiler.[1]
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059 | Command-Line Interface |
Cardinal RAT can execute commands.[1] |
| Enterprise | T1043 | Commonly Used Port |
Cardinal RAT is downloaded using HTTP over port 443.[1] |
| Enterprise | T1500 | Compile After Delivery |
Cardinal RAT and its watchdog component are compiled and executed after being delivered to victims as embedded, uncompiled source code.[1] |
| Enterprise | T1090 | Connection Proxy |
Cardinal RAT can act as a reverse proxy.[1] |
| Enterprise | T1024 | Custom Cryptographic Protocol |
Cardinal RAT uses a secret key with a series of XOR and addition operations to encrypt C2 traffic.[1] |
| Enterprise | T1002 | Data Compressed |
Cardinal RAT applies compression to C2 traffic using the ZLIB library.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information |
Cardinal RAT decodes many of its artifacts and is decrypted (AES-128) after being downloaded.[1] |
| Enterprise | T1008 | Fallback Channels |
Cardinal RAT can communicate over multiple C2 host and port combinations.[1] |
| Enterprise | T1083 | File and Directory Discovery |
Cardinal RAT checks its current working directory upon execution and also contains watchdog functionality that ensures its executable is located in the correct path (else it will rewrite the payload).[1] |
| Enterprise | T1107 | File Deletion |
Cardinal RAT can uninstall itself, including deleting its executable.[1] |
| Enterprise | T1056 | Input Capture |
Cardinal RAT can log keystrokes.[1] |
| Enterprise | T1112 | Modify Registry |
Cardinal RAT sets |
| Enterprise | T1027 | Obfuscated Files or Information |
Cardinal RAT encodes many of its artifacts and is encrypted (AES-128) when downloaded. [1] |
| Enterprise | T1057 | Process Discovery |
Cardinal RAT contains watchdog functionality that ensures its process is always running, else spawns a new instance.[1] |
| Enterprise | T1055 | Process Injection |
Cardinal RAT injects into a newly spawned process created from a native Windows executable.[1] |
| Enterprise | T1012 | Query Registry |
Cardinal RAT contains watchdog functionality that periodically ensures |
| Enterprise | T1060 | Registry Run Keys / Startup Folder |
Cardinal RAT establishes Persistence by setting the |
| Enterprise | T1105 | Remote File Copy |
Cardinal RAT is downloaded and installed via an executed Assess leadership areas of interest payload. Cardinal RAT can also download and execute additional payloads.[1] |
| Enterprise | T1113 | Screen Capture |
Cardinal RAT can capture screenshots.[1] |
| Enterprise | T1071 | Standard Application Layer Protocol |
Cardinal RAT is downloaded using HTTP over port 443.[1] |
| Enterprise | T1082 | System Information Discovery |
Cardinal RAT can collect the hostname, Microsoft Windows version, and processor architecture from a victim machine.[1] |
| Enterprise | T1033 | System Owner/User Discovery |
Cardinal RAT can collect the username from a victim machine.[1] |
| Enterprise | T1204 | User Execution |
Cardinal RAT lures victims into executing malicious macros embedded within Microsoft Excel documents.[1] |