Skip to content

Hide Navigation Hide TOC

DRATzarus - S0694 (56aa3c82-ed40-4b5a-84bf-7231356d9e96)

DRATzarus is a remote access tool (RAT) that has been used by Lazarus Group to target the defense and aerospace organizations globally since at least summer 2020. DRATzarus shares similarities with Bankshot, which was used by Lazarus Group in 2017 to target the Turkish financial sector.(Citation: ClearSky Lazarus Aug 2020)

Cluster A Galaxy A Cluster B Galaxy B Level
DRATzarus - S0694 (56aa3c82-ed40-4b5a-84bf-7231356d9e96) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 1
DRATzarus - S0694 (56aa3c82-ed40-4b5a-84bf-7231356d9e96) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 1
DRATzarus - S0694 (56aa3c82-ed40-4b5a-84bf-7231356d9e96) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 1
DRATzarus - S0694 (56aa3c82-ed40-4b5a-84bf-7231356d9e96) Malware Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 1
DRATzarus - S0694 (56aa3c82-ed40-4b5a-84bf-7231356d9e96) Malware Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 1
DRATzarus - S0694 (56aa3c82-ed40-4b5a-84bf-7231356d9e96) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 1
DRATzarus - S0694 (56aa3c82-ed40-4b5a-84bf-7231356d9e96) Malware Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 1
DRATzarus - S0694 (56aa3c82-ed40-4b5a-84bf-7231356d9e96) Malware System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern 1
DRATzarus - S0694 (56aa3c82-ed40-4b5a-84bf-7231356d9e96) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 1
DRATzarus - S0694 (56aa3c82-ed40-4b5a-84bf-7231356d9e96) Malware Debugger Evasion - T1622 (e4dc8c01-417f-458d-9ee0-bb0617c1b391) Attack Pattern 1
DRATzarus - S0694 (56aa3c82-ed40-4b5a-84bf-7231356d9e96) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
DRATzarus - S0694 (56aa3c82-ed40-4b5a-84bf-7231356d9e96) Malware Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) Attack Pattern 1
DRATzarus - S0694 (56aa3c82-ed40-4b5a-84bf-7231356d9e96) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2
Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) Attack Pattern Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 2