RDAT

Malware updated 6 months ago (2024-11-29T14:21:48.793Z)
RDAT is a backdoor that has been under active development since 2017. It was first observed in the operations of OilRig, an advanced persistent threat group known for its attacks on organizations in the Middle East. The malware was first spotted when it was uploaded to a webshell related to the TwoFace webshell, as discussed in the Striking Oil blog post published on September 26, 2017. Over time, multiple variants of RDAT have emerged, each relying on either HTTP or DNS tunneling for command and control (C2) communications. This continuous development indicates a sophisticated and persistent threat.

The most recent known activity involving RDAT occurred in April 2020 against a telecommunications organization in the Middle East. The attack employed tactics and tools associated with previous OilRig attacks, including custom Mimikatz tools, Bitvise, PowerShell downloaders, and the custom backdoor tracked as RDAT. A novel RDAT variant discovered during this attack used an email-based C2 channel that relied on steganography to hide commands and data within bitmap images attached to emails. This C2 channel supplemented the HTTP and DNS tunneling channels seen in other RDAT samples.

The RDAT backdoor has been used extensively by the OilRig threat group to target organizations in the Middle East over the past three years. All RDAT samples have received malicious verdicts in WildFire and have protections in place through Cortex XDR. The command handler in the latest RDAT sample offers more capabilities than earlier versions. The payload can process both 24- and 32-bit bitmap images and uses character replacement techniques to circumvent domain name restrictions. The continued use and evolution of RDAT underscore the need for vigilant cybersecurity measures.
Description last updated: 2024-05-05T03:56:05.328Z
Aliases: none currently tracked