Movatterモバイル変換

Home
Software
RARSTONE

RARSTONE

RARSTONE is malware used by theNaikon group that has some characteristics similar toPlugX.^[1]

ID: S0055

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 31 May 2017

Last Modified: 25 April 2025

Version Permalink

Enterprise Layer

Techniques Used

Domain	ID		Name	Use
Enterprise	T1083		File and Directory Discovery	RARSTONE obtains installer properties from Uninstall Registry Key entries to obtain information about installed applications and how to uninstall certain applications.^[2]
Enterprise	T1105		Ingress Tool Transfer	RARSTONE downloads its backdoor component from a C2 server and loads it directly into memory.^[1]
Enterprise	T1095		Non-Application Layer Protocol	RARSTONE uses SSL to encrypt its communication with its C2 server.^[1]
Enterprise	T1055	.001	Process Injection:Dynamic-link Library Injection	After decrypting itself in memory,RARSTONE downloads a DLL file from its C2 server and loads it in the memory space of a hidden Internet Explorer process. This "downloaded" file is actually not dropped onto the system.^[2]

Groups That Use This Software

ID	Name	References
G0019	Naikon	^[3]^[4]

References

Aquino, M. (2013, June 13). RARSTONE Found In Targeted Attacks. Retrieved December 17, 2015.
Camba, A. (2013, February 27). BKDR_RARSTONE: New RAT to Watch Out For. Retrieved January 8, 2016.

×

[8]ページ先頭

©2009-2026 Movatter.jp