RainyDay

RainyDay is a backdoor tool that has been used by Naikon since at least 2020.[1]

ID: S0629
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 29 June 2021
Last Modified: 19 August 2021

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

RainyDay can use HTTP in C2 communications.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

RainyDay can use the Windows Command Shell for execution.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

RainyDay can use services to establish persistence.[1]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

RainyDay can use tools to collect credentials from web browsers.[1]

.004 Credentials from Password Stores: Windows Credential Manager

RainyDay can use the QuarksPwDump tool to obtain local passwords and domain cached credentials.[1]

Enterprise T1005 Data from Local System

RainyDay can use a file exfiltration tool to collect recently changed files on a compromised host.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

RainyDay can use a file exfiltration tool to copy files to C:\ProgramData\Adobe\temp prior to exfiltration.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

RainyDay can decrypt its payload via a XOR key.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

RainyDay can use RC4 to encrypt C2 communications.[1]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

RainyDay can use a file exfiltration tool to upload specific files to Dropbox.[1]

Enterprise T1008 Fallback Channels

RainyDay has the ability to switch between TCP and HTTP for C2 if one method is not working.[1]

Enterprise T1083 File and Directory Discovery

RainyDay can use a file exfiltration tool to collect recently changed files with specific extensions.[1]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

RainyDay can use side-loading to run malicious executables.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

RainyDay has the ability to uninstall itself by deleting its service and files.[1]

Enterprise T1105 Ingress Tool Transfer

RainyDay can download files to a compromised host.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

RainyDay has named services and scheduled tasks to appear benign including "ChromeCheck" and "googleupdate."[1]

.005 Masquerading: Match Legitimate Name or Location

RainyDay has used names to mimic legitimate software including "vmtoolsd.exe" to spoof Vmtools.[1]

Enterprise T1106 Native API

The file collection tool used by RainyDay can utilize native API including ReadDirectoryChangeW for folder monitoring.[1]

Enterprise T1095 Non-Application Layer Protocol

RainyDay can use TCP in C2 communications.[1]

Enterprise T1027 Obfuscated Files or Information

RainyDay has downloaded as a XOR-encrypted payload.[1]

Enterprise T1057 Process Discovery

RainyDay can enumerate processes on a target system.[1]

Enterprise T1090 Proxy

RainyDay can use proxy tools including boost_proxy_client for reverse proxy functionality.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

RainyDay can use scheduled tasks to achieve persistence.[1]

Enterprise T1113 Screen Capture

RainyDay has the ability to capture screenshots.[1]

Enterprise T1007 System Service Discovery

RainyDay can create and register a service for execution.[1]

Groups That Use This Software

ID Name References
G0019 Naikon

[1]

References