Skip to content

Hide Navigation Hide TOC

RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c)

RATANKBA is a remote controller tool used by Lazarus Group. RATANKBA has been used in attacks targeting financial institutions in Poland, Mexico, Uruguay, the United Kingdom, and Chile. It was also seen used against organizations related to telecommunications, management consulting, information technology, insurance, aviation, and education. RATANKBA has a graphical user interface to allow the attacker to issue jobs to perform on the infected machines. (Citation: Lazarus RATANKBA) (Citation: RATANKBA)

Cluster A Galaxy A Cluster B Galaxy B Level
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c) Malware 1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c) Malware 1
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c) Malware 1
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c) Malware 1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c) Malware 1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c) Malware 1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c) Malware 1
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c) Malware 1
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c) Malware 1
System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c) Malware 1
RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c) Malware Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern 1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c) Malware 1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c) Malware 1
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c) Malware 1
RATANKBA - S0241 (9b325b06-35a1-457d-be46-a4ecc0b7ff0c) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 1
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 2
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern 2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2