Action RAT

Action RAT is a remote access tool written in Delphi that has been used by SideCopy since at least December 2021 against Indian and Afghani government personnel.[1]

ID: S1028
Platforms: Windows
Version: 1.0
Created: 07 August 2022
Last Modified: 24 August 2022

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Action RAT can use HTTP to communicate with C2 servers.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Action RAT can use cmd.exe to execute commands on an infected host.[1]

Enterprise T1005 Data from Local System

Action RAT can collect local data from an infected machine.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Action RAT can use Base64 to decode actor-controlled C2 server communications.[1]

Enterprise T1083 File and Directory Discovery

Action RAT has the ability to collect drive and file information on an infected machine.[1]

Enterprise T1105 Ingress Tool Transfer

Action RAT has the ability to download additional payloads onto an infected machine.[1]

Enterprise T1027 Obfuscated Files or Information

Action RAT's commands, strings, and domains can be Base64 encoded within the payload.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Action RAT can identify AV products on an infected host using the following command: cmd.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List.[1]

Enterprise T1082 System Information Discovery

Action RAT has the ability to collect the hostname, OS version, and OS architecture of an infected host.[1]

Enterprise T1016 System Network Configuration Discovery

Action RAT has the ability to collect the MAC address of an infected host.[1]

Enterprise T1033 System Owner/User Discovery

Action RAT has the ability to collect the username from an infected host.[1]

Enterprise T1047 Windows Management Instrumentation

Action RAT can use WMI to gather AV products installed on an infected host.[1]

Groups That Use This Software

ID Name References
G1008 SideCopy