ATT&CKcon 5.0 returns October 22-23, 2024 in McLean, VA. Register for in-person participation here. Stay tuned for virtual registration!

MoonWind

MoonWind is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand. ^[1]

ID: S0149

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 31 May 2017

Last Modified: 30 March 2020

Techniques Used

Domain	ID		Name	Use
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	MoonWind can execute commands via an interactive command shell.^[1] MoonWind uses batch scripts for various purposes, including to restart and uninstall itself.^[1]
Enterprise	T1543	.003	Create or Modify System Process: Windows Service	MoonWind installs itself as a new service with automatic startup to establish persistence. The service checks every 60 seconds to determine if the malware is running; if not, it will spawn a new instance.^[1]
Enterprise	T1074	.001	Data Staged: Local Data Staging	MoonWind saves information from its keylogging routine as a .zip file in the present working directory.^[1]
Enterprise	T1573	.001	Encrypted Channel: Symmetric Cryptography	MoonWind encrypts C2 traffic using RC4 with a static key.^[1]
Enterprise	T1083		File and Directory Discovery	MoonWind has a command to return a directory listing for a specified directory.^[1]
Enterprise	T1070	.004	Indicator Removal: File Deletion	MoonWind can delete itself or specified files.^[1]
Enterprise	T1056	.001	Input Capture: Keylogging	MoonWind has a keylogger.^[1]
Enterprise	T1095		Non-Application Layer Protocol	MoonWind completes network communication via raw sockets.^[1]
Enterprise	T1571		Non-Standard Port	MoonWind communicates over ports 80, 443, 53, and 8080 via raw sockets instead of the protocols usually associated with the ports.^[1]
Enterprise	T1120		Peripheral Device Discovery	MoonWind obtains the number of removable drives from the victim.^[1]
Enterprise	T1057		Process Discovery	MoonWind has a command to return a list of running processes.^[1]
Enterprise	T1082		System Information Discovery	MoonWind can obtain the victim hostname, Windows version, RAM amount, number of drives, and screen resolution.^[1]
Enterprise	T1016		System Network Configuration Discovery	MoonWind obtains the victim IP address.^[1]
Enterprise	T1033		System Owner/User Discovery	MoonWind obtains the victim username.^[1]
Enterprise	T1124		System Time Discovery	MoonWind obtains the victim's current time.^[1]

References

Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.