{
	"id": "4b65d954-0336-45ac-914b-36fad039cc6c",
	"created_at": "2026-04-06T00:14:35.298632Z",
	"updated_at": "2026-04-10T13:12:21.760074Z",
	"deleted_at": null,
	"sha1_hash": "c0f91b7cf4cb785682c6c00d0b3615a4df012c7b",
	"title": "RATANKBA: Delving into Large-scale Watering Holes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 506429,
	"plain_text": "RATANKBA: Delving into Large-scale Watering Holes\r\nBy Trend Micro\r\nPublished: 2017-02-27 · Archived: 2026-04-05 21:44:02 UTC\r\nIn early February, several financial organizations reported malware infections on their workstations, apparently coming from legitimate websites. The attacks turned out to be part of a large-scale campaign to compromise trusted websites in order to infect the systems of targeted enterprises across various industries. The strategy is typically known as a “watering hole” attack.\r\nIt was all sparked by a spate of recent malware attacks on Polish banks, entailing a reportedly unknown malware in their own terminals and servers, along with the presence of dubious, encrypted programs/executables, and more prominently, suspicious network activity. More malware was delivered to the affected systems, which were seen connecting to unusual and far-flung locations worldwide, possibly where company data is exfiltrated to.\r\nThe malware in question: RATANKBA. Not only was it tied to malware attacks against banks in Poland, but also to a string of similar incidents involving financial institutions in Mexico, Uruguay, the United Kingdom, and Chile. How did it infect its victims? Were there other malware involved? Does the campaign really have ties with a Russian cybercriminal group?\r\nBased on the odd wording choices (in Russian) we saw used as commands within the malware, we construe that it is just a decoy—a tactic to obfuscate the attackers’ trails. Banks weren’t the only targets; among them are also enterprises in telecommunications, management consulting, information technology, insurance, aviation, and education. Also, the campaign wasn’t just confined to North America and Europe, as we also observed a number of affected organizations in the APAC region, notably Taiwan, Hong Kong, and China.\r\nHere we provide further analysis and insights that can complement other ongoing research into this threat.\r\nhttps://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html\r\nPage 1 of 7\r\nFigure 1. One of the possible infection flows involving RATANKBA\r\nInfection Flow\r\nThe campaign, like what we saw in affected Polish banks, has many attack chains. The tools and techniques employed are typical of targeted attacks, with elements of lateral movement and reconnaissance. Malefactors used watering hole attacks to compromise legitimate and trusted websites frequently visited by their targets. These websites were injected with malicious JavaScript code that fingerprints browser components and loads vulnerability exploits from their malware and exploit kit-hosting systems, some of which were also likely compromised.\r\nThe infection is multistage and involves a variety of malware, with the final payload delivered only to their targets of interest. Different command and control (C\u0026C) servers were used. Some were also compromised machines that proxied connections to the attackers’ infrastructure.\r\nIn one instance we observed, one of the initial malware delivered to the victim, RATANKBA (TROJ_RATANKBA.A), connects to a legitimate but compromised website (eye-watch[.]in:443, a mobile application-selling site) from which a hack tool (nbt_scan.exe) is also downloaded. The domain also serves as one of the campaign’s platforms for C\u0026C communication.\r\nThe threat actor uses RATANKBA to survey the lay of the land as it looks into various aspects of the host machine where it was initially downloaded—the machine that has been the victim of the watering hole attack. It gathers information such as the running tasks, domain, shares, user information, whether the host has default internet connectivity, and so forth.\r\nFigure 2. RATANKBA looking at different aspects of the machine\r\nIt is worth noting that RATANKBA has also been seen looking at specific IP ranges of interest:\r\nFigure 3. RATANKBA looking for specific IP ranges\r\nOur analysis of samples of the hack tool (HKTL_NBTSCAN.GA and HKTL_NBTSCAN.GB) indicates it is a command-line program that scans IP networks for NetBIOS information such as IP address, NetBIOS computer name, logged-in username, and MAC address—with some of the information coming from the initial RATANKBA installation. The threat actor can then combine the information and brute force their way throughout the network (through NetBIOS) using a list of usernames and passwords as well as a range of IP addresses.\r\nFigure 4. Command-line instructions of the hack tool\r\nUpon successful connection, this hack tool will try to copy calc.exe from the attacker’s machine to the targeted computer’s network share (C$) to test whether file propagation via network share is successful, which would most likely succeed if the credentials used have administrative privileges. It then takes note of the infected machine’s IP address, user, domain, hostname, OS and Service Pack, and the username and password combination that worked during the brute force routine. A log of it is then dumped to the directory where the file was initially executed.\r\nWith the combination of the information from RATANKBA and the success/failure results from HKTL_NBTSCAN, the threat actor is now free to deploy final payloads to interesting hosts. A banking Trojan (TSPY_BANKER.NTE) is among RATANKBA’s final payloads. Some of the compromised sites used by the attacker host several malware and suspicious/malicious files, including:\r\nAn information-stealing backdoor (detected by Trend Micro as BKDR_DESTOVER.ADU)\r\nA similarly named Flash file (.swf, detected as SWF_EXPLOYT.YYRQ)\r\nA Silverlight (.xap) file containing several files: an App Manifest (AppManifest.xaml) and the DLLs Shell_siver.dll (TROJ_CVE20130074.B) and System.Xml.Linq.dll, which when repacked form a runtime remote code execution exploit for Silverlight (CVE-2016-0034, patched last January 12, 2016)\r\nA Trojan (TROJ64_KLIPODLDR.ZHEB-A) that drops an encrypted module (BKDR64_KLIPODENC.ZHEB-A) containing a banking spyware (TSPY64_BANKER.YWNQD), used as a Windows service persistence mechanism DLL.\r\nImpact\r\nThere were actually more victims than what was initially gauged. Feedback from our Smart Protection Network™ revealed that apart from attacks in North America (mainly the U.S.), Europe, and South America, the campaign also noticeably affected enterprises in Taiwan, Hong Kong, China, and Bahrain.\r\nAffected organizations also included those in Luxembourg, France, the Philippines, Japan, Spain, Malaysia, Norway, and Romania. The targeted industries were consistent with other analyses: telecommunications (including internet service providers) and banking. We also saw a miscellany of targets whose industries comprise internet-related services (such as data center operations), management consulting, information technology, pharmaceutics, insurance, even aviation and education.\r\nIn the case of Taiwan, we’ve seen the compromised website diverting its visitors to another malware-hosting site that also acts as a platform for C\u0026C communication: sap[.]misapor[.]ch. We saw the affected websites of financial institutions in Uruguay and Mexico redirecting victims to the same URL. While the URL acts similarly to how eye-watch[.]in:443 delivers payloads, we also saw the URL leveraging and exploiting security flaws in Flash: CVE-2015-8651, CVE-2016-1019, and CVE-2016-4117. These vulnerabilities were patched last December 28, 2015, April 5, 2016, and May 12, 2016, respectively.\r\nFigure 5. Screenshot of the malware’s code showing commands in Russian\r\nA False Flag?\r\nThe campaign notably bears similarities with activities that seem to point the finger at Russian perpetrators. Is there really a Russian connection? Delving into the malware, we found that it indeed uses commands in Russian—transliterated from Cyrillic script to the Latin alphabet, in particular. The verbs used were in their infinitive form, however, which is awkward for a command switch. Case in point: the use of “ustanavlivat” (“to install”) instead of the more command-like “ustanovit” (“do install”), which gives the impression that the malware operator lifted it from a dictionary or source where words are typically listed in default form.\r\nAdditionally, using verbs as commands is peculiar, especially for Russian cybercriminals or malware programmers, who ironically eschew using the Russian language in favor of broken English. The majority—if not all—of Russian programmers know that “connect” is keyed in as “connect”, because there’s already an API (Application Program Interface) call under that name. If you really have to use Russian, you’d rather use words like “vykhod” (“quit”) than “vikhodit” (“to exit”).\r\nAnother example is the use of “klyent2podklychit”, which we found within the sample we analyzed. The only intelligible part of it was “2”, which can be taken as “to”, given that there is an API call name for it (client2connect). In Russian, it’s practically gibberish, with the words wrongly ordered; it makes much more sense if “podkluchit_klienta” was used instead.\r\nIndeed, with the awkward use of the Russian language within the malware, we’re inclined to surmise it is more of a false flag, intentionally inserted in the code to flummox threat research and attribution attempts. It’s an uncommon tactic, but one that’s already been observed in other malware and cyberattacks.\r\nWere the attacks carried out by the cybercriminal group Lazarus? While there is ambivalence about whether they were indeed their handiwork, our analysis indicates that the malware code and techniques employed resembled those used by Lazarus.\r\nMitigation\r\nSecurity and system/IT administrators must practice due diligence in protecting their websites and web-based applications from threats that can undermine their security and hijack them to do the bad guys’ bidding—delivering malware to their victims. Malicious web injections, for instance, leverage exploits that enable attackers to gain footholds into the system. An organization’s best defense is to regularly apply the latest patches, as well as routinely scan and examine traffic that goes through the enterprise’s network, which enables prompt incident response and remediation.\r\nA multilayered approach is a must for securing the organization’s perimeter, especially for information security professionals and system/IT administrators. Hardening the endpoints is critical, as bad guys can use these to enter the company network. Implementing the appropriate restrictions/permissions policies on end user systems and employing application control can help prevent unwanted and suspicious applications and processes from being executed. Disabling unnecessary—or unused—components in the system such as third-party plugins and extensions helps reduce the system’s attack surface.\r\nEmploying firewalls and intrusion detection systems on top of proactive network monitoring can help mitigate incursions into the organization. This can be complemented by restricting direct internet access to the company’s internal networks while using proxies to access external resources. End users can help by practicing and fostering security habits, such as prudence against dubious and socially engineered links, emails, and websites.\r\nTrend Micro Solutions\r\nTrend Micro™ Deep Security™ and Vulnerability Protection provide virtual patching that protects endpoints from threats such as malicious redirections to malware-hosting URLs, as well as those that exploit unpatched vulnerabilities. OfficeScan’s Vulnerability Protection shields endpoints from identified and unknown vulnerability exploits even before patches are deployed. Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits and other similar threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect these attacks even without any engine or pattern update. Deep Discovery Inspector protects customers from these threats via these DDI Rules:\r\nDDI Rule 18: DNS response of a queried malware Command and Control domain\r\nDDI Rule 15: Many unsuccessful logon attempts (nbt_scan.exe)\r\nDDI Rule 38: Multiple unsuccessful logon attempts (nbt_scan.exe)\r\nTippingPoint customers are protected from these threats via these ThreatDV filters:\r\n27218: HTTP: TROJ_RATANKBA_A Checkin\r\n28219: HTTP: TROJ_RATANKBA_A Checkin 02\r\n27220: HTTPS: TROJ_RATANKBA_A Checkin\r\n27221: HTTP: Sundown EK Flash Exploit (SWF_EXPLOYT.YYRQ)\r\nA list of related Indicators of Compromise (IoCs) can be found in this appendix.\r\nUpdated on February 27, 2017, 5:55 PM (UTC-7):\r\nWe updated the wording that cited affected organizations in several countries.\r\nUpdated on February 27, 2017, 11:08 PM (UTC-7):\r\nWe updated the section of the article that mentioned the cybercriminal group Lazarus.\r\nUpdated on March 1, 2017, 09:15 PM (UTC-7):\r\nAn updated version of the appendix containing Indicators of Compromise (IoCs) and other technical details has been uploaded.\r\nSource: https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html"
	],
	"report_names": [
		"ratankba-watering-holes-against-enterprises.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434475,
	"ts_updated_at": 1775826741,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c0f91b7cf4cb785682c6c00d0b3615a4df012c7b.pdf",
		"text": "https://archive.orkl.eu/c0f91b7cf4cb785682c6c00d0b3615a4df012c7b.txt",
		"img": "https://archive.orkl.eu/c0f91b7cf4cb785682c6c00d0b3615a4df012c7b.jpg"
	}
}