Skip to main content

ComRAT Trojan

ComRAT is a trojan created by the Turla advanced persistent threat group for use in attacks against American and European government organisations. Believed to have been created in 2007 or earlier, it appeared to have fallen out of use by Turla until 2017 when a number of significant functionalities changes were made.

Threat ID:
CC-3474
Category:
Trojan
Threat Severity:
Medium
Threat Vector:
Published:
28 May 2020 12:00 AM
Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

ComRAT is a trojan created by the Turla advanced persistent threat group for use in attacks against American and European government organisations. Believed to have been created in 2007 or earlier, it appeared to have fallen out of use by Turla until 2017 when a number of significant functionalities changes were made.

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

  • Microsoft Windows - All versions

Threat details

At the time of publication, ComRAT is delivered by a number of Turla-developed tools such as LightNeuron and PowerStallion, or common open-source tools like PowerShell Empire. As with most Turla campaigns, they perform extensive network reconnaissance and target profiling before delivering any tools.

Once installed, ComRAT will attempt to extract sensitive documents from local and network drives. It will also collect information on Active Directory groups and Windows configurations. Data is exfiltrated to a cloud storage solution, typically 4shared or OneDrive. Interestingly, ComRAT will also exfiltrate security-related files such as SIEM logs, seemingly so that Turla may review them and determine how ComRAT is being detected.

For further information:

Remediation steps

Type Step

To prevent and detect a trojan infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

Indicators of compromise

Main indicators

URLs

  • arinas[.]tk
  • bedrost[.]com
  • branter[.]tk
  • bronerg[.]tk
  • celestyna[.]tk
  • crusider[.]tk
  • davilta[.]tk
  • deme[.]ml
  • dixito[.]ml
  • duke6[.]tk
  • elizabi[.]tk
  • foods.jkub[.]com
  • hofa[.]tk
  • hunvin[.]tk
  • lakify[.]ml
  • lindaztert[.]net
  • misters[.]ml
  • pewyth[.]ga
  • progress.zyns[.]com
  • sameera[.]gq
  • sanitar[.]ml
  • scrabble.ikwb[.]com
  • sumefu[.]gq
  • umefu[.]gq
  • vefogy[.]cf
  • vylys[.]com
  • wekanda[.]tk

Filepaths

  • %TEMP%\FXSAPIDebugTrace.txt
  • %TEMP%\iecache.bin

SHA1 File Hashes

  • 0139818441431C72A1935E7F740A1CC458A63452
  • 0AB87F7BDF7D9E54BA33FE715C11E275D5DCCE15
  • 4D8B1F4ACC638080054FFBB4CEF2559583A22DC6
  • DD7006D16D8E121FCE8F2905433474ECCED75CC0

Last edited: 29 June 2021 12:01 pm