MarkiRAT is a remote access Trojan (RAT) compiled with Visual Studio that has been used by Ferocious Kitten since at least 2015.[1]

ID: S0652
Platforms: Windows
Contributors: Pooja Natarajan, NEC Corporation India; Manikantan Srinivasan, NEC Corporation India; Hiroki Nagahama, NEC Corporation
Version: 1.0
Created: 28 September 2021
Last Modified: 25 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

MarkiRAT can initiate communication over HTTP/HTTPS for its C2 server.[1]

Enterprise T1197 BITS Jobs

MarkiRAT can use BITS Utility to connect with the C2 server.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

MarkiRAT can drop its payload into the Startup directory to ensure it automatically runs when the compromised system is started.[1]

.009 Boot or Logon Autostart Execution: Shortcut Modification

MarkiRAT can modify the shortcut that launches Telegram by replacing its path with the malicious payload to launch with the legitimate executable.[1]

Enterprise T1115 Clipboard Data

MarkiRAT can capture clipboard content.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

MarkiRAT can utilize cmd.exe to execute commands in a victim's environment.[1]

Enterprise T1555 .005 Credentials from Password Stores: Password Managers

MarkiRAT can gather information from the Keepass password manager.[1]

Enterprise T1005 Data from Local System

MarkiRAT can upload data from the victim's machine to the C2 server.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

MarkiRAT can store collected data locally in a created .nfo file.[1]

Enterprise T1041 Exfiltration Over C2 Channel

MarkiRAT can exfiltrate locally stored data via its C2.[1]

Enterprise T1083 File and Directory Discovery

MarkiRAT can look for files carrying specific extensions such as: .rtf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pps, .ppsx, .txt, .gpg, .pkr, .kdbx, .key, and .jpb.[1]

Enterprise T1105 Ingress Tool Transfer

MarkiRAT can download additional files and tools from its C2 server, including through the use of BITSAdmin.[1]

Enterprise T1056 .001 Input Capture: Keylogging

MarkiRAT can capture all keystrokes on a compromised host.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

MarkiRAT can masquerade as update.exe and svehost.exe; it has also mimicked legitimate Telegram and Chrome files.[1]

Enterprise T1106 Native API

MarkiRAT can run the ShellExecuteW API via the Windows Command Shell.[1]

Enterprise T1057 Process Discovery

MarkiRAT can search for different processes on a system.[1]

Enterprise T1113 Screen Capture

MarkiRAT can capture screenshots that are initially saved as ‘scr.jpg’.[1]

Enterprise T1518 Software Discovery

MarkiRAT can check for the Telegram installation directory by enumerating the files on disk.[1]

.001 Security Software Discovery

MarkiRAT can check for running processes on the victim’s machine to look for Kaspersky and Bitdefender antivirus products.[1]

Enterprise T1082 System Information Discovery

MarkiRAT can obtain the computer name from a compromised host.[1]

Enterprise T1614 .001 System Location Discovery: System Language Discovery

MarkiRAT can use the GetKeyboardLayout API to check if a compromised host's keyboard is set to Persian.[1]

Enterprise T1033 System Owner/User Discovery

MarkiRAT can retrieve the victim’s username.[1]

Groups That Use This Software

ID Name References
G0137 Ferocious Kitten