RATANKBA

Malware Profile Updated 3 months ago
RATANKBA is malware that reaches victims through suspicious downloads, emails, or websites and, once inside the system, can steal personal information, disrupt operations, or hold data hostage for ransom. In one instance we observed, RATANKBA was delivered as the initial payload, connecting to a legitimate but compromised website (eye-watch[.]in:443), a site selling mobile applications. A hack tool (nbt_scan.exe) was also downloaded from this site. The malware then searched for specific IP ranges and profiled different aspects of the infected machine.

A significant feature of RATANKBA is a control model that does not require real-time communication between the backdoor and the attacker: the backdoor retrieves and executes tasks on its own and stores the collected information for later retrieval. Among its final payloads is a banking Trojan, TSPY_BANKER.NTE, which increases the potential harm to the infected system. RATANKBA's controllers use the "Nimo Software HTTP Retriever 1.0" user-agent string for its communication, adding another layer of complexity to its operation. RATANKBA has been seen in two versions, PowerShell and C/C++; about 55% of the victims of the PowerShell version were located in India and neighboring countries. During our analysis, we collected a copy of the Lazarus Remote Controller tool used with RATANKBA, revealing a main console interface and a host manipulation console, further underlining its sophisticated and damaging capabilities.
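The profile names three network indicators a defender can hunt for in proxy or web logs: the "Nimo Software HTTP Retriever 1.0" user-agent, traffic to the compromised host eye-watch[.]in on port 443, and a download of nbt_scan.exe. The script below is an added example, not code from the profile or from the referenced reports; the log line format and every sample line are constructed for it, and the column layout is an assumption you would adapt to your own proxy's format.

```python
"""Added example (not part of the original profile): triage proxy-log lines for
the RATANKBA indicators described above. The log format and all sample lines
are constructed for this example."""
import re
from dataclasses import dataclass, field

# Indicators taken from the profile text.
SUSPICIOUS_UA = "Nimo Software HTTP Retriever 1.0"
COMPROMISED_HOST = "eye-watch.in"      # written defanged in the profile as eye-watch[.]in
HACK_TOOL_NAME = "nbt_scan.exe"

# Assumed (constructed) log layout:
#   <timestamp> <src_ip> <host>:<port> <method> <path> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<host>[^:\s]+):(?P<port>\d+) '
    r'(?P<method>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    src: str                                   # source IP of the client
    reasons: list = field(default_factory=list)  # which indicators matched


def triage_line(line):
    """Return a Finding for one log line, or None if it matches nothing."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None                            # unparseable line: skip, do not crash
    reasons = []
    if m["ua"] == SUSPICIOUS_UA:
        reasons.append("ratankba_user_agent")
    if m["host"].lower() == COMPROMISED_HOST:
        reasons.append("compromised_host")
    if m["path"].lower().endswith(HACK_TOOL_NAME):
        reasons.append("hack_tool_download")
    return Finding(m["src"], reasons) if reasons else None


def triage(lines):
    """One Finding per log line that hit at least one indicator."""
    return [f for f in (triage_line(line) for line in lines) if f]


def summarize(lines):
    """Map each source IP to the sorted set of distinct indicators it triggered,
    so a host that touched several indicators stands out from a single UA hit."""
    by_src = {}
    for f in triage(lines):
        by_src.setdefault(f.src, set()).update(f.reasons)
    return {src: sorted(reasons) for src, reasons in by_src.items()}


# Constructed sample log: one host shows the full chain, one shows only the UA.
SAMPLE_LOG = [
    '2017-02-01T10:00:01Z 10.0.0.5 eye-watch.in:443 GET /app/list "Mozilla/5.0"',
    '2017-02-01T10:00:05Z 10.0.0.5 eye-watch.in:443 GET /tools/nbt_scan.exe '
    '"Nimo Software HTTP Retriever 1.0"',
    '2017-02-01T10:01:00Z 10.0.0.7 update.example.com:443 GET /v1/check "Mozilla/5.0"',
    '2017-02-01T10:02:00Z 10.0.0.9 cdn.example.net:80 GET /task '
    '"Nimo Software HTTP Retriever 1.0"',
    'this line is not in the expected format',
]

if __name__ == "__main__":
    for src, reasons in summarize(SAMPLE_LOG).items():
        print(src, ", ".join(reasons))
```

Running the block reports 10.0.0.5 with all three indicators and 10.0.0.9 with only the user-agent hit. The user-agent string is the weakest of the three on its own, since any client can send an arbitrary UA, so treat a UA-only match as a lead to corroborate against the other indicators or host telemetry rather than a confirmed infection.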
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Trojan
Windows
Malware
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the RATANKBA malware was read from the documents below (display limited to 20 results).
Source | Created at | Title
MITRE | a year ago | Lazarus Campaign Uses Remote Tools, RATANKBA, and More
MITRE | a year ago | RATANKBA: Delving into Large-scale Watering Holes