Sisfader

Sisfader, Sisfader RAT
(Type: Backdoor, Info stealer)

(NCC Group) The payload installed by the WLL file is not a common RAT. We believe it to be either new or custom. Context Information Security, one of the other industry partners on the UK Cyber Incident Response scheme, has named this RAT Sisfader. We have adopted this name for consistency. It maintains persistence by installing itself as a system service and has multiple components.

[News Analysis] Trends:

Total Trend: 3

Trend Per Year
2018: 2
2020: 1


Trend Per Month
Jun 2018: 1
Aug 2018: 1
Jan 2020: 1



[News Analysis] News Mention Another Threat Name:

10 - BLACKCOFFEE
10 - Cotx RAT
10 - Datper
10 - DDKONG
10 - Derusbi
10 - Icefog
10 - Korlia
10 - NewCore RAT
10 - PLAINTEE
10 - Poison Ivy
10 - Sisfader


[TTP Analysis] Technique Performance:

reconnaissance 0/43
resource development 0/45
initial access 0/19
execution 1/36
persistence 1/113
privilege escalation 1/96
defense evasion 0/184
credential access 0/63
discovery 0/44
lateral movement 0/22
collection 0/37
command and control 0/39
exfiltration 0/18
impact 0/26


[TTP Analysis] Mitre Attack Matrix:

Tactic columns: TA0043 Reconnaissance | TA0042 Resource Development | TA0001 Initial Access | TA0002 Execution | TA0003 Persistence | TA0004 Privilege Escalation | TA0005 Defense Evasion | TA0006 Credential Access | TA0007 Discovery | TA0008 Lateral Movement | TA0009 Collection | TA0011 Command and Control | TA0010 Exfiltration | TA0040 Impact

T1053.002 Scheduled Task/Job: At (listed under Execution, Persistence and Privilege Escalation; the remaining tactic columns are empty)


[Infrastructure Analysis] Based on Related IOC:

IP:Port (Timestamp): none listed
Domain (Timestamp): none listed
URL (Timestamp): none listed


[Target Analysis] Region/Sector:

No information


References:

News Article (Credit @Malpedia)

An Overhead View of the Royal Road

2020-01-29 by nao_sec from nao_sec blog

Goblin Panda against the Bears

2018-08-02 by Sébastien Larinier from Medium (@Sebdraven)

CVE-2017-8570 RTF and the Sisfader RAT

2018-06-12 by Ben Humphrey from NCC Group

Basic Information (Credit @etda.or.th)

Tool: Sisfader

Names: Sisfader, Sisfader RAT

Description: (NCC Group) The payload installed by the WLL file is not a common RAT. We believe it to be either new or custom. Context Information Security, one of the other industry partners on the UK Cyber Incident Response scheme, has named this RAT Sisfader. We have adopted this name for consistency. It maintains persistence by installing itself as a system service and has multiple components.

Category: Malware

Type: Backdoor, Info stealer

Information: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8570-rtf-and-the-sisfader-rat/

Information: https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.sisfader

Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:Sisfader

Last-card-change: 2020-05-14

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TTP Info (Credit @Mitre)

Tactic columns: TA0043 Reconnaissance | TA0042 Resource Development | TA0001 Initial Access | TA0002 Execution | TA0003 Persistence | TA0004 Privilege Escalation | TA0005 Defense Evasion | TA0006 Credential Access | TA0007 Discovery | TA0008 Lateral Movement | TA0009 Collection | TA0011 Command and Control | TA0010 Exfiltration | TA0040 Impact

T1053.002 SCHEDULED TASK/JOB : AT (under Execution, Persistence and Privilege Escalation)
at can be used to schedule a task on a system to be executed at a specific date or time.
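The two hunting leads this card gives are the T1053.002 entry (the Mitre Attack Matrix and TTP Info sections above: scheduling via at) and the NCC Group description of the RAT keeping persistence as a system service. The Python below is an added example written for this page; it is not code from the page, from NCC Group, Context or Malpedia, and it is not a Sisfader signature. It parses constructed, flattened Windows event lines (Sysmon EventID 1 process creation and System-log EventID 7045 service installation; the key="value" layout, the service name and every path are assumptions made for the example) and flags two things: an at job being scheduled, directly or through a cmd /c wrapper, and a freshly installed service whose binary lives outside the standard program directories. The T1543.003 label on the service-install finding is the MITRE ATT&CK ID for Windows Service creation and is not part of this card.

```python
import re

# Constructed sample events for this example (not from the page or the NCC
# report): flattened Windows events, Sysmon EventID 1 (process creation) and
# System log EventID 7045 (a service was installed). All paths are made up.
SAMPLE_EVENTS = [
    'EventID=1 Image="C:\\Windows\\System32\\at.exe" '
    'CommandLine="at 13:05 /interactive C:\\Users\\Public\\svc.exe" '
    'ParentImage="C:\\Windows\\System32\\cmd.exe"',
    'EventID=1 Image="C:\\Windows\\System32\\cmd.exe" '
    'CommandLine="cmd /c at 23:00 C:\\ProgramData\\up\\upd.exe" '
    'ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"',
    'EventID=1 Image="C:\\Windows\\System32\\notepad.exe" '
    'CommandLine="notepad.exe" ParentImage="C:\\Windows\\explorer.exe"',
    'EventID=7045 ServiceName="WinHelpSvc" '
    'ImagePath="C:\\ProgramData\\whlp\\whlp.exe" StartType="auto start"',
    'EventID=7045 ServiceName="Spooler" '
    'ImagePath="C:\\Windows\\System32\\spoolsv.exe" StartType="auto start"',
]

# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# A service binary outside these directories deserves a look: malware that
# installs itself as a service usually sits somewhere user-writable.
TRUSTED_SERVICE_DIRS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def parse_event(line: str) -> dict:
    """Turn one flattened event line into a field dict."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in _KV.findall(line)}


def scheduled_by_at(image: str, command_line: str) -> bool:
    """True when the process is at.exe itself or a shell wrapper running 'at ...'."""
    if image.lower().endswith("\\at.exe"):
        return True
    tokens = command_line.lower().split()
    # unwrap "cmd /c ..." and "cmd.exe /k ..." so the real command is token 0
    if len(tokens) >= 3 and tokens[0] in ("cmd", "cmd.exe") and tokens[1] in ("/c", "/k"):
        tokens = tokens[2:]
    return bool(tokens) and tokens[0] in ("at", "at.exe")


def service_path_untrusted(image_path: str) -> bool:
    """True when a newly installed service binary is outside the trusted directories."""
    path = image_path.strip('"').lower()
    return not path.startswith(TRUSTED_SERVICE_DIRS)


def hunt(lines) -> list:
    """Return (technique, evidence) pairs for every suspicious event, in input order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        event_id = ev.get("EventID")
        if event_id == "1" and scheduled_by_at(ev.get("Image", ""), ev.get("CommandLine", "")):
            findings.append(("T1053.002", f"at job scheduled: {ev.get('CommandLine')}"))
        elif event_id == "7045" and service_path_untrusted(ev.get("ImagePath", "")):
            findings.append(("T1543.003",
                             f"service {ev.get('ServiceName')} installed from {ev.get('ImagePath')}"))
    return findings


if __name__ == "__main__":
    for technique, evidence in hunt(SAMPLE_EVENTS):
        print(technique, evidence)
```

Run against the constructed events it reports the direct at.exe call, the at call hidden behind cmd /c, and the WinHelpSvc service installed from C:\ProgramData, while leaving notepad and the Spooler service alone. On a real estate the trusted-directory list needs tuning (legitimate agents do install from ProgramData), and the cmd /c unwrapping is the minimum: a production rule would also follow powershell -c and other wrappers.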