Rifdoor
Rifdoor is a remote access trojan (RAT) that shares numerous code similarities withHotCroissant.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution:Registry Run Keys / Startup Folder | Rifdoor has created a new registry entry at |
| Enterprise | T1573 | .001 | Encrypted Channel:Symmetric Cryptography | Rifdoor has encrypted command and control (C2) communications with a stream cipher.[1] |
| Enterprise | T1027 | .001 | Obfuscated Files or Information:Binary Padding | Rifdoor has added four additional bytes of data upon launching, then saved the changed version as |
| .013 | Obfuscated Files or Information:Encrypted/Encoded File | Rifdoor has encrypted strings with a single byte XOR algorithm.[1] | ||
| Enterprise | T1566 | .001 | Phishing:Spearphishing Attachment | Rifdoor has been distributed in e-mails with malicious Excel or Word documents.[1] |
| Enterprise | T1082 | System Information Discovery | Rifdoor has the ability to identify the Windows version on the compromised host.[1] | |
| Enterprise | T1016 | System Network Configuration Discovery | Rifdoor has the ability to identify the IP address of the compromised host.[1] | |
| Enterprise | T1033 | System Owner/User Discovery | Rifdoor has the ability to identify the username on the compromised host.[1] | |
| Enterprise | T1204 | .002 | User Execution:Malicious File | Rifdoor has been executed from malicious Excel or Word documents containing macros.[1] |