Cardinal RAT

Cardinal RAT is a potentially low volume remote access trojan (RAT) observed since December 2015. Cardinal RAT is notable for its unique utilization of uncompiled C# source code and the Microsoft Windows built-in csc.exe compiler.[1]

ID: S0348
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

Cardinal RAT can execute commands.[1]

Enterprise T1043 Commonly Used Port

Cardinal RAT is downloaded using HTTP over port 443.[1]

Enterprise T1500 Compile After Delivery

Cardinal RAT and its watchdog component are compiled and executed after being delivered to victims as embedded, uncompiled source code.[1]

Enterprise T1090 Connection Proxy

Cardinal RAT can act as a reverse proxy.[1]

Enterprise T1024 Custom Cryptographic Protocol

Cardinal RAT uses a secret key with a series of XOR and addition operations to encrypt C2 traffic.[1]

Enterprise T1002 Data Compressed

Cardinal RAT applies compression to C2 traffic using the ZLIB library.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Cardinal RAT decodes many of its artifacts and is decrypted (AES-128) after being downloaded.[1]

Enterprise T1008 Fallback Channels

Cardinal RAT can communicate over multiple C2 host and port combinations.[1]

Enterprise T1083 File and Directory Discovery

Cardinal RAT checks its current working directory upon execution and also contains watchdog functionality that ensures its executable is located in the correct path (else it will rewrite the payload).[1]

Enterprise T1107 File Deletion

Cardinal RAT can uninstall itself, including deleting its executable.[1]

Enterprise T1056 Input Capture

Cardinal RAT can log keystrokes.[1]

Enterprise T1112 Modify Registry

Cardinal RAT sets HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load to point to its executable.[1]

Enterprise T1027 Obfuscated Files or Information

Cardinal RAT encodes many of its artifacts and is encrypted (AES-128) when downloaded.[1]

Enterprise T1057 Process Discovery

Cardinal RAT contains watchdog functionality that ensures its process is always running, else spawns a new instance.[1]

Enterprise T1055 Process Injection

Cardinal RAT injects into a newly spawned process created from a native Windows executable.[1]

Enterprise T1012 Query Registry

Cardinal RAT contains watchdog functionality that periodically ensures HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load is set to point to its executable.[1]

Enterprise T1060 Registry Run Keys / Startup Folder

Cardinal RAT establishes persistence by setting the HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load Registry key to point to its executable.[1]

Enterprise T1105 Remote File Copy

Cardinal RAT is downloaded and installed via an executed downloader payload. Cardinal RAT can also download and execute additional payloads.[1]

Enterprise T1113 Screen Capture

Cardinal RAT can capture screenshots.[1]

Enterprise T1071 Standard Application Layer Protocol

Cardinal RAT is downloaded using HTTP over port 443.[1]

Enterprise T1082 System Information Discovery

Cardinal RAT can collect the hostname, Microsoft Windows version, and processor architecture from a victim machine.[1]

Enterprise T1033 System Owner/User Discovery

Cardinal RAT can collect the username from a victim machine.[1]

Enterprise T1204 User Execution

Cardinal RAT lures victims into executing malicious macros embedded within Microsoft Excel documents.[1]

References