RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b)

RatMilad is an Android remote access tool (RAT) with spyware functionality that has been used to target enterprise mobile devices in the Middle East since at least 2021. Variants of RatMilad have been disguised as VPN applications and a fake app named NumRent. Upon installation, RatMilad employs multiple Collection techniques to collect sensitive information before uploading the collected data to its command and control (C2) server. (Citation: ZimperiumGupta_RatMilad_Oct2022)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | Download New Code at Runtime - T1407 (6c49d50f-494d-4150-b774-a655022d20a6) | Attack Pattern | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a) | Attack Pattern | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | Accounts - T1636.005 (337e1136-a6d3-4465-a5c5-fdc658117747) | Attack Pattern | 1 |
| System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | Phishing - T1660 (defc1257-4db1-4fb3-8ef5-bb77f63146df) | Attack Pattern | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | Video Capture - T1512 (d8940e76-f9c1-4912-bea6-e21c251370b6) | Attack Pattern | 1 |
| Data Destruction - T1662 (9ef14445-6f35-4ed0-a042-5024f13a9242) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | File and Directory Discovery - T1420 (cf28ca46-1fd3-46b4-b1f6-ec0b72361848) | Attack Pattern | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2) | Attack Pattern | 1 |
| Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) | Attack Pattern | RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4) | Attack Pattern | 1 |
| RatMilad - S1241 (6ceb0644-0ae9-4ee1-a659-3888687cb03b) | Malware | Clipboard Data - T1414 (c4b96c0b-cb58-497a-a1c2-bb447d79d692) | Attack Pattern | 1 |
| Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | Accounts - T1636.005 (337e1136-a6d3-4465-a5c5-fdc658117747) | Attack Pattern | 2 |
| Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | 2 |
| Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) | Attack Pattern | 2 |
| Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) | Attack Pattern | Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673) | Attack Pattern | 2 |
| Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) | Attack Pattern | 2 |