RomeoFoxtrot

RomeoFoxtrot
(Type: Backdoor, Info stealer)

(Novetta) Operating as a server mode RAT, RomeoFoxtrot uses a simple handshake to establish a connection and variant-dependent encryption to transfer data, making the malware significantly less sophisticated from a network perspective than other members of the Romeo class. Despite the lack of network sophistication, RomeoFoxtrot provides a large number of commands to handle aspects of file management, process management, network proxying, and victim computer information enumeration. There are two known variants of RomeoFoxtrot: RomeoFoxtrot-One and RomeoFoxtrot-Two. The RomeoFoxtrot family has been observed as the payload of the IndiaCharlie variants, with IndiaCharlie-One observed dropping RomeoFoxtrot-One and IndiaCharlie-Two observed dropping RomeoFoxtrot-Two. Functionally, the two variants are very similar with only two distinctions. The primary distinction is the inclusion of a configuration file for RomeoFoxtrot-Two that specifies the listening port, while RomeoFoxtrot-One uses a hardcoded value. The second is a renumbering of command identifiers. Given the similarities, the remainder of this section will simply refer to them equally as RomeoFoxtrot unless a particular detail is specific to one variant over the other.

[News Analysis] Trends:

Total Trend: 0

Trend Per Year


Trend Per Month



[News Analysis] News Mention Another Threat Name:



[TTP Analysis] Technique Performance:



[TTP Analysis] Mitre Attack Matrix:

TA0043 TA0042 TA0001 TA0002 TA0003 TA0004 TA0005 TA0006 TA0007 TA0008 TA0009 TA0011 TA0010 TA0040
Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact


[Infrastructure Analysis] Based on Related IOC:

IP:Port Timestamp
Domain Timestamp
URL Timestamp


[Target Analysis] Region/Sector:

No information


References:

Basic Information (Credit @etda.or.th)

Tool: RomeoFoxtrot

Names: RomeoFoxtrot

Description: (Novetta) Operating as a server mode RAT, RomeoFoxtrot uses a simple handshake to establish a connection and variant-dependent encryption to transfer data, making the malware significantly less sophisticated from a network perspective than other members of the Romeo class. Despite the lack of network sophistication, RomeoFoxtrot provides a large number of commands to handle aspects of file management, process management, network proxying, and victim computer information enumeration. There are two known variants of RomeoFoxtrot: RomeoFoxtrot-One and RomeoFoxtrot-Two. The RomeoFoxtrot family has been observed as the payload of the IndiaCharlie variants, with IndiaCharlie-One observed dropping RomeoFoxtrot-One and IndiaCharlie-Two observed dropping RomeoFoxtrot-Two. Functionally, the two variants are very similar with only two distinctions. The primary distinction is the inclusion of a configuration file for RomeoFoxtrot-Two that specifies the listening port, while RomeoFoxtrot-One uses a hardcoded value. The second is a renumbering of command identifiers. Given the similarities, the remainder of this section will simply refer to them equally as RomeoFoxtrot unless a particular detail is specific to one variant over the other.

Category: Malware

Type: Backdoor, Info stealer

Information: https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf

Last-card-change: 2020-04-20

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi