Rclone

Rclone is a command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. Rclone has been used in a number of ransomware campaigns, including those associated with the Conti and DarkSide Ransomware-as-a-Service operations.[1][2][3][4][5]

ID: S1040
Type: TOOL
Platforms: Linux, Windows, macOS
Contributors: Edward Millington; Ian McKay
Version: 1.1
Created: 30 August 2022
Last Modified: 04 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Rclone can compress files using gzip prior to exfiltration.[1]

Enterprise T1030 Data Transfer Size Limits

The Rclone "chunker" overlay supports splitting large files in smaller chunks during upload to circumvent size limits.[1][5]

Enterprise T1048 .002 Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Rclone can exfiltrate data over SFTP or HTTPS via WebDAV.[1]

.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Rclone can exfiltrate data over FTP or HTTP, including HTTP via WebDAV.[1]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Rclone can exfiltrate data to cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA.[1][5]

Enterprise T1083 File and Directory Discovery

Rclone can list files and directories with the ls, lsd, and lsl commands.[1]

Groups That Use This Software

ID Name References
G1024 Akira

[6]

G1021 Cinnamon Tempest

[7]

Campaigns

ID Name Description
C0015 C0015

[5]

References