RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c)

RATANKBA is a remote controller tool used by Lazarus Group. RATANKBA has been used in attacks targeting financial institutions in Poland, Mexico, Uruguay, the United Kingdom, and Chile. It was also seen used against organizations related to telecommunications, management consulting, information technology, insurance, aviation, and education. RATANKBA has a graphical user interface to allow the attacker to issue jobs to perform on the infected machines. (Citation: Lazarus RATANKBA) (Citation: RATANKBA)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c)	Malware	1
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c)	Malware	1
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c)	Malware	1
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c)	Malware	1
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c)	Malware	1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c)	Malware	1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c)	Malware	1
System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c)	Malware	1
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c)	Malware	1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c)	Malware	1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c)	Malware	1
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c)	Malware	1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c)	Malware	1
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c)	Malware	1
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c)	Malware	1
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2