{
	"id": "1e1b2e29-59ab-458c-a659-8be5e2e596de",
	"created_at": "2026-04-06T00:09:13.558133Z",
	"updated_at": "2026-04-10T03:35:32.78237Z",
	"deleted_at": null,
	"sha1_hash": "8cb2d04ce765d8ee60df94dc893de1690df2e2be",
	"title": "A .NET rat targets Mongolia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2472881,
	"plain_text": "A .NET rat targets Mongolia\r\nBy Sebdraven\r\nPublished: 2021-03-24 · Archived: 2026-04-05 17:52:58 UTC\r\nA new document royal road v7 installs a backdoor in .NET. a first executable is dropped \\os03C2.tmp. This exe\r\nhas many similarities with older campaigns using by Operation LagTime or Tonto Team.\r\nDocument\r\nThe decoy document is a document about infection of covid19 in Russia send to the Mongolia Authorities. The\r\ndocument is fake signed A. Amarsaikhan.\r\nThis technics was used by Operation LagTime and another APT Chinese.\r\nBackdoor Analysis\r\nThe backdoor is installed C:\\MSBuild\\WindowsUpdate\\S-1–2 and the name of file is csrss.exe like the legit\r\nprocess of Windows\r\nThe configuration of the backdoor is stored in a ressource .NET.\r\nPress enter or click to view image in full size\r\nThe content of the XML file is encrypted with the AES algorithm. The key is hardcoded in the class Main_Form\r\nin the private method Main_Form_Load.\r\nbyte[] crypt_key = new byte[]\r\n{\r\nhttps://sebdraven.medium.com/a-net-rat-target-mongolia-9c1439c39bc2\r\nPage 1 of 10\n\n230,\r\n23,\r\n63,\r\n211,\r\n96,\r\n49,\r\n120,\r\n48,\r\n182,\r\n11,\r\n49,\r\n173,\r\n233,\r\n114,\r\n123,\r\n61,\r\n230,\r\n23,\r\n63,\r\n211,\r\n96,\r\n49,\r\n120,\r\n48,\r\n182,\r\n11,\r\n49,\r\n173,\r\n233,\r\n114,\r\n123,\r\n61\r\n};\r\nThe xml file is decrypted :\r\nhttps://sebdraven.medium.com/a-net-rat-target-mongolia-9c1439c39bc2\r\nPage 2 of 10\n\nA session key is created and used for encrypting all data found by the backdoor and send to C2.\r\nA mutant is created with the information of the configuration:\r\nhttps://sebdraven.medium.com/a-net-rat-target-mongolia-9c1439c39bc2\r\nPage 3 of 10\n\nAnd the persistence is the run keys with a check of the privileges:\r\nA connection to the c2 is done in a thread with the method Post_Online_Message. 
The messages are encrypted with the BasicKey hardcoded in the code: 8A5AE1329F9CD824EE915FE14328D267\r\nThe first information sent is the configuration of the compromised computer, collected with the method Get_ComputerInfo.\r\nThe disks are listed, along with the kind of operating system, the processor information and the amount of RAM. This information is collected using WMI, together with the IP address of the computer.\r\nAfter that, the backdoor waits for orders in another thread with the method Get_Server_Order.\r\nAll orders are decrypted with the same BasicKey.\r\nThe method Order_Catcher launches the different orders:\r\nGetdir, $GetDisk, GetFileList, Checksum, DeleteFile, DeleteFolder, RenameFolder, RenameFile, RunHide, Upload, Download, ActiveDos, ExecuteCommand, Disconnect, Trans (to transfer data), Uninstall\r\nEach order has a method of the same name.\r\nThreat Intelligence\r\nMany TTPs are similar to those of other groups such as TA428 (Operation LagTime) or Tonto, so this backdoor may have been developed by a Chinese APT group.\r\nA new technique is the use of .NET. There are other examples, such as a .NET PlugX loader, or tools used to install the different payloads, as with RedDelta.
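The backdoor_net YARA rule given at the end of this post matches nine names under the condition 'all of them'. A YARA string without modifiers matches ASCII only, while in a .NET assembly identifiers (method and field names such as Order_Catcher or Get_ComputerInfo) live in the #Strings heap as UTF-8 but string literals live in the #US heap as UTF-16LE. The Python below is an added example for this page, not code from the post: it re-implements the rule's condition over a buffer, reports every hit with its encoding and offset, and shows on two constructed buffers (not real samples) how a name that survives only as a literal is missed by the ASCII-only rule and caught once the wide form is allowed, which is what declaring the strings 'ascii wide' does in YARA.

```python
import re

# The nine strings of the backdoor_net rule given at the end of the post.
RULE_STRINGS = [
    'RunHide', 'Token', 'BasicKey', 'SessionKey', 'AdminKeyMD5',
    'Aes256', 'Order_Catcher', 'Get_ComputerInfo', 'TransData',
]


def scan_strings(data, needles, wide=False):
    '''Map each needle to its hits as (encoding, offset) pairs. The ASCII form
    is always searched; the UTF-16LE form (YARA wide) only when wide=True,
    which mirrors YARA, where a string without modifiers is ASCII only.'''
    hits = {}
    for s in needles:
        forms = [('ascii', s.encode('ascii'))]
        if wide:
            forms.append(('wide', s.encode('utf-16-le')))
        hits[s] = [(enc, m.start())
                   for enc, pat in forms
                   for m in re.finditer(re.escape(pat), data)]
    return hits


def missing_strings(data, wide=False):
    '''Rule strings with no hit, i.e. the reason the rule did not fire.'''
    hits = scan_strings(data, RULE_STRINGS, wide)
    return [s for s in RULE_STRINGS if not hits[s]]


def rule_matches(data, wide=False):
    '''The condition of backdoor_net: all of them.'''
    return not missing_strings(data, wide)


def build_image(identifiers, literals):
    '''Constructed stand-in for a .NET assembly: identifiers stored as UTF-8
    (as in the #Strings heap) and string literals stored as UTF-16LE (as in
    the #US heap), separated by zero bytes. Not a real sample.'''
    sep = bytes(1)
    strings_heap = sep.join(s.encode('utf-8') for s in identifiers)
    us_heap = sep.join(s.encode('utf-16-le') for s in literals)
    return strings_heap + sep * 4 + us_heap


# Build 1: every rule string is a method or field name, so all are ASCII.
IMAGE_ALL_IDENTIFIERS = build_image(RULE_STRINGS, ['Getdir', 'Upload'])

# Build 2: RunHide and TransData survive only as string literals (for
# instance as order names compared at runtime), so they are UTF-16LE only.
IMAGE_LITERALS_ONLY = build_image(
    [s for s in RULE_STRINGS if s not in ('RunHide', 'TransData')],
    ['RunHide', 'TransData', 'Getdir', 'Upload'],
)


if __name__ == '__main__':
    for name, img in (('build 1', IMAGE_ALL_IDENTIFIERS),
                      ('build 2', IMAGE_LITERALS_ONLY)):
        print(name, 'ascii only ->', rule_matches(img),
              'missing:', missing_strings(img))
        print(name, 'ascii wide ->', rule_matches(img, wide=True))
```

When a sample is obfuscated with a .NET renamer, the identifiers in #Strings are the first thing to disappear while the literals in #US usually survive, so a rule that also declares wide keeps part of its coverage.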
See: Chinese State-Sponsored Group ‘RedDelta’ Targets the Vatican and Catholic Organizations (recordedfuture.com)\r\nIn this case there is no side loading, unlike many operations run by Chinese APTs.\r\nIOCs:\r\nC2: 185.82.218.40\r\nRTF: 1120275dc25bc9a7b3e078138c7240fbf26c91890d829e51d9fa837fe90237ed\r\nDropped executable files:\r\nC:\\Users\\admin\\AppData\\Local\\Temp\\os03C2.tmp\r\n2b038ad9bfb8c3f40e95e38b572bdf536d9fd2e7dd5cc0c66fbd0bdc1ed89fde\r\nC:\\MSBuild\\WindowsUpdate\\S-1-2\\cssrs.exe\r\n08be2c7239acb9557454088bba877a245c8ef9b0e9eb389c65a98e1c752c5709\r\nYara rule:\r\nrule backdoor_net {\r\n    meta:\r\n        description = \"Backdoor targets Mongolia\"\r\n        author = \"@sebdraven\"\r\n        date = \"2020-03-23\"\r\n        tlp = \"white\"\r\n    strings:\r\n        $s1 = \"RunHide\"\r\n        $s2 = \"Token\"\r\n        $s3 = \"BasicKey\"\r\n        $s4 = \"SessionKey\"\r\n        $s5 = \"AdminKeyMD5\"\r\n        $s6 = \"Aes256\"\r\n        $s7 = \"Order_Catcher\"\r\n        $s8 = \"Get_ComputerInfo\"\r\n        $s9 = \"TransData\"\r\n    condition:\r\n        all of them\r\n}\r\nSource: https://sebdraven.medium.com/a-net-rat-target-mongolia-9c1439c39bc2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://sebdraven.medium.com/a-net-rat-target-mongolia-9c1439c39bc2"
	],
	"report_names": [
		"a-net-rat-target-mongolia-9c1439c39bc2"
	],
	"threat_actors": [
		{
			"id": "aa90ad17-8852-4732-9dba-72ffb64db493",
			"created_at": "2023-07-11T02:00:10.067957Z",
			"updated_at": "2026-04-10T02:00:03.367801Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [],
			"source_name": "MISPGALAXY:RedDelta",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "58db0213-4872-41fe-8a76-a7014d816c73",
			"created_at": "2023-01-06T13:46:38.61757Z",
			"updated_at": "2026-04-10T02:00:03.040816Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"G0131",
				"PLA Unit 65017",
				"Earth Akhlut",
				"TAG-74",
				"CactusPete",
				"KARMA PANDA",
				"BRONZE HUNTLEY",
				"Red Beifang"
			],
			"source_name": "MISPGALAXY:Tonto Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "da483338-e479-4d74-a6dd-1fb09343fd07",
			"created_at": "2022-10-25T15:50:23.698197Z",
			"updated_at": "2026-04-10T02:00:05.355597Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Tonto Team",
				"Earth Akhlut",
				"BRONZE HUNTLEY",
				"CactusPete",
				"Karma Panda"
			],
			"source_name": "MITRE:Tonto Team",
			"tools": [
				"Mimikatz",
				"Bisonal",
				"ShadowPad",
				"LaZagne",
				"NBTscan",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2f07a03f-eb1f-47c8-a8e9-a1a00f2ec253",
			"created_at": "2022-10-25T16:07:24.277669Z",
			"updated_at": "2026-04-10T02:00:04.919609Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"Operation LagTime IT",
				"Operation StealthyTrident",
				"ThunderCats"
			],
			"source_name": "ETDA:TA428",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Albaniiutas",
				"BlueTraveller",
				"Chymine",
				"Cotx RAT",
				"CoughingDown",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"LuckyBack",
				"PhantomNet",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SManager",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TManger",
				"TVT",
				"Thoper",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "17d16126-35d7-4c59-88a5-0b48e755e80f",
			"created_at": "2025-08-07T02:03:24.622109Z",
			"updated_at": "2026-04-10T02:00:03.726126Z",
			"deleted_at": null,
			"main_name": "BRONZE HUNTLEY",
			"aliases": [
				"CactusPete ",
				"Earth Akhlut ",
				"Karma Panda ",
				"Red Beifang",
				"Tonto Team"
			],
			"source_name": "Secureworks:BRONZE HUNTLEY",
			"tools": [
				"Bisonal",
				"RatN",
				"Royal Road",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c39b0fe6-5642-4717-9a05-9e94265e3e3a",
			"created_at": "2022-10-25T16:07:24.332084Z",
			"updated_at": "2026-04-10T02:00:04.940672Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Bronze Huntley",
				"CactusPete",
				"Earth Akhlut",
				"G0131",
				"HartBeat",
				"Karma Panda",
				"LoneRanger",
				"Operation Bitter Biscuit",
				"TAG-74",
				"Tonto Team"
			],
			"source_name": "ETDA:Tonto Team",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Bioazih",
				"Bisonal",
				"CONIME",
				"Dexbia",
				"Korlia",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a4aca3ca-9e04-42d1-b037-f7fb3fbab0b1",
			"created_at": "2023-01-06T13:46:39.042499Z",
			"updated_at": "2026-04-10T02:00:03.194713Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"BRONZE DUDLEY",
				"Colourful Panda"
			],
			"source_name": "MISPGALAXY:TA428",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b5449533-0ff1-4048-999d-7d4bfd8e6da6",
			"created_at": "2022-10-25T16:07:24.114365Z",
			"updated_at": "2026-04-10T02:00:04.869887Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [
				"Operation Dianxun",
				"TA416"
			],
			"source_name": "ETDA:RedDelta",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Chymine",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434153,
	"ts_updated_at": 1775792132,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8cb2d04ce765d8ee60df94dc893de1690df2e2be.pdf",
		"text": "https://archive.orkl.eu/8cb2d04ce765d8ee60df94dc893de1690df2e2be.txt",
		"img": "https://archive.orkl.eu/8cb2d04ce765d8ee60df94dc893de1690df2e2be.jpg"
	}
}