RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c)

RATANKBA is a remote controller tool used by Lazarus Group. RATANKBA has been used in attacks targeting financial institutions in Poland, Mexico, Uruguay, the United Kingdom, and Chile. It was also seen used against organizations related to telecommunications, management consulting, information technology, insurance, aviation, and education. RATANKBA has a graphical user interface to allow the attacker to issue jobs to perform on the infected machines. (Citation: Lazarus RATANKBA) (Citation: RATANKBA)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c)	Malware	Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	1
RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	1
RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c)	Malware	Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	1
RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c)	Malware	Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	1
RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	1
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c)	Malware	1
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c)	Malware	1
RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	1
RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c)	Malware	System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	1
RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	1
RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c)	Malware	System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	1
RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c)	Malware	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	1
RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	1
RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c)	Malware	Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	1
RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	1
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2