RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b)

RatMilad is an Android remote access tool (RAT) with spyware functionality that has been used to target enterprise mobile devices in the Middle East since at least 2021. Variants of RatMilad have been disguised as VPN applications and a fake app named NumRent. Upon installation, RatMilad employs multiple Collection techniques to collect sensitive information before uploading the collected data to its command and control (C2) server. (Citation: ZimperiumGupta_RatMilad_Oct2022)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| Clipboard Data - T1414 (c4b96c0b-cb58-497a-a1c2-bb447d79d692) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc) | Attack Pattern | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760) | Attack Pattern | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | Accounts - T1636.005 (337e1136-a6d3-4465-a5c5-fdc658117747) | Attack Pattern | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | Download New Code at Runtime - T1407 (6c49d50f-494d-4150-b774-a655022d20a6) | Attack Pattern | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a) | Attack Pattern | 1 |
| SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| Phishing - T1660 (defc1257-4db1-4fb3-8ef5-bb77f63146df) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) | Attack Pattern | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | Video Capture - T1512 (d8940e76-f9c1-4912-bea6-e21c251370b6) | Attack Pattern | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) | Attack Pattern | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | Data Destruction - T1662 (9ef14445-6f35-4ed0-a042-5024f13a9242) | Attack Pattern | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | File and Directory Discovery - T1420 (cf28ca46-1fd3-46b4-b1f6-ec0b72361848) | Attack Pattern | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77) | Attack Pattern | 1 |
| Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) | Attack Pattern | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) | Attack Pattern | 1 |
| Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | Accounts - T1636.005 (337e1136-a6d3-4465-a5c5-fdc658117747) | Attack Pattern | 2 |
| SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | 2 |
| Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) | Attack Pattern | Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | 2 |
| Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673) | Attack Pattern | Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) | Attack Pattern | 2 |
| Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) | Attack Pattern | Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | 2 |