Detection Content: RDAT Backdoor

July 27, 2020 · 2 min read

Last week, researchers published details of attacks on Middle Eastern telecommunications providers carried out by APT34 (aka OilRig and Helix Kitten), along with updated tools in the group's arsenal. Participants in the Threat Bounty Program did not stay on the sidelines and published a couple of rules for detecting the RDAT Backdoor; more on that below.

APT34 has been active since at least 2014. The group conducts reconnaissance aligned with the strategic interests of the Iranian government, operating primarily in the Middle East and targeting the financial, government, energy, chemical, telecommunications, and other industries. In 2020, the group ran several campaigns against government organizations in the United States, modifying tools used in previous campaigns for this purpose.

The RDAT Backdoor is also not a completely new tool: APT34 already used early versions of it in 2017 and 2018. The new version of the malware adds a novel email-based C2 channel, used in combination with steganography to exfiltrate data. Adversaries can use it to issue a command, read its output, and send the results to the C&C server; it is also capable of downloading and uploading files over the selected C&C protocol.

Detection content to spot this threat:

Oilrig’s “RDAT” Backdoor (Sysmon detection) by Ariel Millahuel: https://tdm.socprime.com/tdm/info/k6BRV4W38EJc/xcmAgHMBQAH5UgbBf-WN/?p=1

A variant of OILRIG (RDAT Backdoor) by Emir Erdogan: https://tdm.socprime.com/tdm/info/at9qZwhXJDef/VfGCgHMBPeJ4_8xcKk9B/?p=1

The rules have translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Carbon Black, Elastic Endpoint

MITRE ATT&CK:

Tactics: Execution, Lateral Movement, Command and Control.

Techniques: Remote File Copy (T1105), PowerShell (T1086)


Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.
