Skip to content

Hide Navigation Hide TOC

DRATzarus - S0694 (56aa3c82-ed40-4b5a-84bf-7231356d9e96)

DRATzarus is a remote access tool (RAT) that has been used by Lazarus Group to target the defense and aerospace organizations globally since at least summer 2020. DRATzarus shares similarities with Bankshot, which was used by Lazarus Group in 2017 to target the Turkish financial sector.(Citation: ClearSky Lazarus Aug 2020)

Cluster A Galaxy A Cluster B Galaxy B Level
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern DRATzarus - S0694 (56aa3c82-ed40-4b5a-84bf-7231356d9e96) Malware 1
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern DRATzarus - S0694 (56aa3c82-ed40-4b5a-84bf-7231356d9e96) Malware 1
DRATzarus - S0694 (56aa3c82-ed40-4b5a-84bf-7231356d9e96) Malware Debugger Evasion - T1622 (e4dc8c01-417f-458d-9ee0-bb0617c1b391) Attack Pattern 1
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern DRATzarus - S0694 (56aa3c82-ed40-4b5a-84bf-7231356d9e96) Malware 1
DRATzarus - S0694 (56aa3c82-ed40-4b5a-84bf-7231356d9e96) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern DRATzarus - S0694 (56aa3c82-ed40-4b5a-84bf-7231356d9e96) Malware 1
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern DRATzarus - S0694 (56aa3c82-ed40-4b5a-84bf-7231356d9e96) Malware 1
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern DRATzarus - S0694 (56aa3c82-ed40-4b5a-84bf-7231356d9e96) Malware 1
DRATzarus - S0694 (56aa3c82-ed40-4b5a-84bf-7231356d9e96) Malware Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) Attack Pattern 1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern DRATzarus - S0694 (56aa3c82-ed40-4b5a-84bf-7231356d9e96) Malware 1
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern DRATzarus - S0694 (56aa3c82-ed40-4b5a-84bf-7231356d9e96) Malware 1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern DRATzarus - S0694 (56aa3c82-ed40-4b5a-84bf-7231356d9e96) Malware 1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern DRATzarus - S0694 (56aa3c82-ed40-4b5a-84bf-7231356d9e96) Malware 1
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) Attack Pattern 2
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2