RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b)

RatMilad is an Android remote access tool (RAT) with spyware functionality that has been used to target enterprise mobile devices in the Middle East since at least 2021. Variants of RatMilad have been disguised as VPN applications and a fake app named NumRent. Upon installation, RatMilad employs multiple Collection techniques to collect sensitive information before uploading the collected data to its command and control (C2) server. (Citation: ZimperiumGupta_RatMilad_Oct2022)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Download New Code at Runtime - T1407 (6c49d50f-494d-4150-b774-a655022d20a6) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| Phishing - T1660 (defc1257-4db1-4fb3-8ef5-bb77f63146df) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| Video Capture - T1512 (d8940e76-f9c1-4912-bea6-e21c251370b6) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| Data Destruction - T1662 (9ef14445-6f35-4ed0-a042-5024f13a9242) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| File and Directory Discovery - T1420 (cf28ca46-1fd3-46b4-b1f6-ec0b72361848) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| Clipboard Data - T1414 (c4b96c0b-cb58-497a-a1c2-bb447d79d692) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | Accounts - T1636.005 (337e1136-a6d3-4465-a5c5-fdc658117747) | Attack Pattern | 1 |
| SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | 2 |
| Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) | Attack Pattern | Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | 2 |
| Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673) | Attack Pattern | Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) | Attack Pattern | 2 |
| Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) | Attack Pattern | Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | 2 |
| Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | Accounts - T1636.005 (337e1136-a6d3-4465-a5c5-fdc658117747) | Attack Pattern | 2 |