Software: RARSTONE

ID S0055
Type Malware

RARSTONE is malware used by the Naikon group that has some characteristics similar to PlugX.[1]

Techniques Used

  • Remote File Copy - RARSTONE downloads its backdoor component from a C2 server and loads it directly into memory.[1]
  • Process Injection - After decrypting itself in memory, RARSTONE downloads a DLL file from its C2 server and loads it in the memory space of a hidden Internet Explorer process. This "downloaded" file is actually not dropped onto the system.[2]
  • File and Directory Discovery - RARSTONE obtains installer properties from Uninstall Registry Key entries to obtain information about installed applications and how to uninstall certain applications.[2]


The following groups use this software: