SombRAT
SOMBRAT is a modular backdoor/RAT written in modern C++ and in use since at least 2019. Its primary purpose is to download and execute plugins delivered by its command-and-control (C2) server. Documented plugin components include core, network, storage, taskman, and debug/debuglog. It has been associated with the CostaRicto campaign and with UNC2447 activity: Mandiant reported UNC2447 exploiting SonicWall SMA 100 Series CVE-2021-20016 before a patch was available and then deploying SOMBRAT, and also observed SOMBRAT alongside FIVEHANDS ransomware intrusions. BlackBerry Cylance previously reported SOMBRAT in the CostaRicto campaign.
Observed capabilities include host discovery and reconnaissance such as executing getinfo to identify the username and current time on a compromised host, and enumerating services on the victim machine. SOMBRAT can collect and exfiltrate data and files from compromised hosts to its C2 server, and can stage harvested data in a custom database under the %TEMP% directory. It supports encrypted and flexible C2 communications, including SSL/TLS-encrypted traffic, TCP sockets for data transfer, ICMP for pinging the C2 server, an embedded SOCKS proxy for C2 communications, and a custom DGA to generate C2 subdomains. Mandiant additionally described a 64-bit Windows SOMBRAT variant communicating with a configurable C2 via DNS, TLS-encrypted TCP, and potentially WebSockets.
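The page states that SOMBRAT uses a custom DGA to generate C2 subdomains but gives no details of the algorithm, so a defender cannot match it by signature. The following Python script, added here as an illustration and not code from Mandiant, BlackBerry or Mallory, shows the generic detection a hunter would run instead: score the leftmost DNS label of each query by length and Shannon entropy, then flag clients that resolve several distinct high-entropy subdomains. The log format, the sample lines and the thresholds (12 characters, 3.5 bits) are all assumptions constructed for this example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (made up for this example; not real
# SombRAT infrastructure). Assumed format: "<timestamp> <client_ip> <qname>".
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 www.example.com
2024-01-01T10:00:02Z 10.0.0.5 mail.example.com
2024-01-01T10:00:03Z 10.0.0.7 x7q2kd9vz3mp8r1t.example-cdn.net
2024-01-01T10:00:04Z 10.0.0.7 b4n8ws0jxq2lk7yh.example-cdn.net
2024-01-01T10:00:05Z 10.0.0.7 www.example.com
2024-01-01T10:00:06Z 10.0.0.9 updates.example.org
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def leftmost_label(qname: str) -> str:
    """Leftmost DNS label, lower-cased; a DGA usually varies only this part."""
    return qname.rstrip(".").split(".")[0].lower()


def is_dga_like(label: str, min_len: int = 12, min_entropy: float = 3.5) -> bool:
    """Heuristic: long, high-entropy leftmost labels. The thresholds are
    assumptions chosen for this example, not values from SombRAT reporting."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def parse_dns_log(text: str):
    """Yield (timestamp, client_ip, qname) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1], parts[2]


def find_dga_candidates(text: str, min_hits: int = 2) -> dict:
    """Map client IP -> sorted list of distinct DGA-like labels, keeping only
    clients that queried at least min_hits distinct such labels."""
    seen = defaultdict(set)
    for _ts, client, qname in parse_dns_log(text):
        label = leftmost_label(qname)
        if is_dga_like(label):
            seen[client].add(label)
    return {ip: sorted(labels) for ip, labels in seen.items() if len(labels) >= min_hits}


if __name__ == "__main__":
    for ip, labels in find_dga_candidates(SAMPLE_DNS_LOG).items():
        print(f"{ip}: {len(labels)} DGA-like subdomains, e.g. {labels[0]}")
```

Requiring several distinct suspicious labels per client is what keeps a single odd-looking CDN hostname from paging anyone; tune the thresholds against your own resolver logs, since legitimate CDN and telemetry labels can also be long and random-looking.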
Mandiant observed a hardened SOMBRAT variant with additional obfuscation and armoring intended to evade detection and hinder analysis. In that variant, compiler metadata was stripped and strings were inlined and XOR-encoded. The malware was deployed with multiple launcher resources typically installed under C:\ProgramData\Microsoft, with observed paths including C:\programdata\Microsoft\WwanSvc.bat, WwanSvc.txt, WwanSvc.c, WwanSvc.a, and WwanSvc.b. SOMBRAT also used encrypted storage/configuration files in %TEMP% and C:\ProgramData, sometimes with random names; other observed filename variations included ntuser and wapsvc.
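The launcher paths above are the most directly huntable artifacts on this page. The following Python script is an added example, not code from Mandiant or Mallory: it runs over constructed file-creation events (an assumed CSV layout of timestamp, host, process and target path), matches the five reported WwanSvc paths under C:\ProgramData\Microsoft as high-confidence hits, and treats the other reported name variations (ntuser, wapsvc) in that same directory as lower-confidence hits, which is an assumption since the page gives no extensions for them. The randomly named storage files in %TEMP% and C:\ProgramData cannot be matched by name and are deliberately out of scope.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample file-creation events (made up for this example).
# Assumed CSV columns: timestamp, host, process, target_path.
SAMPLE_EVENTS_CSV = r"""timestamp,host,process,target_path
2024-01-01T09:58:00Z,WS01,C:\Windows\System32\svchost.exe,C:\ProgramData\Microsoft\Windows\WER\report.wer
2024-01-01T09:59:10Z,WS01,C:\Users\alice\AppData\Local\Temp\setup.exe,C:\programdata\Microsoft\WwanSvc.bat
2024-01-01T09:59:11Z,WS01,C:\Users\alice\AppData\Local\Temp\setup.exe,C:\ProgramData\Microsoft\WwanSvc.a
2024-01-01T10:02:00Z,WS02,C:\Windows\explorer.exe,C:\Users\bob\NTUSER.DAT
2024-01-01T10:03:00Z,WS02,C:\Windows\System32\cmd.exe,C:\ProgramData\Microsoft\wapsvc.b
"""

# High confidence: the exact launcher paths reported by Mandiant.
HIGH_CONFIDENCE = re.compile(
    r"^c:\\programdata\\microsoft\\wwansvc\.(bat|txt|a|b|c)$", re.IGNORECASE)
# Lower confidence (assumption): the other reported name variations, ntuser and
# wapsvc, with any extension, but only directly under C:\ProgramData\Microsoft.
# NTUSER.DAT in a user profile is legitimate and must not match.
LOW_CONFIDENCE = re.compile(
    r"^c:\\programdata\\microsoft\\(ntuser|wapsvc)(\.[a-z0-9]+)?$", re.IGNORECASE)


def normalize_path(path: str) -> str:
    """Trim and fold forward slashes so both separator styles compare equal."""
    return path.strip().replace("/", "\\")


def classify_path(path: str):
    """Return 'high', 'low' or None for a created file path."""
    p = normalize_path(path)
    if HIGH_CONFIDENCE.match(p):
        return "high"
    if LOW_CONFIDENCE.match(p):
        return "low"
    return None


def hunt(csv_text: str) -> list:
    """Return one dict per matching event, in log order."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        confidence = classify_path(row["target_path"])
        if confidence:
            hits.append({
                "timestamp": row["timestamp"],
                "host": row["host"],
                "process": row["process"],
                "path": row["target_path"],
                "confidence": confidence,
            })
    return hits


def hosts_by_confidence(hits: list) -> dict:
    """Summarize hits as host -> {'high': n, 'low': n} for triage ordering."""
    summary = defaultdict(lambda: {"high": 0, "low": 0})
    for hit in hits:
        summary[hit["host"]][hit["confidence"]] += 1
    return dict(summary)


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS_CSV)
    for hit in found:
        print(f"[{hit['confidence']}] {hit['host']} {hit['process']} -> {hit['path']}")
    print(hosts_by_confidence(found))
```

The process column matters as much as the path: a launcher written into C:\ProgramData\Microsoft by a binary running from a user's Temp directory, as in the sample, is a far stronger signal than the same path touched by an installer, so keep it in the hit record for triage.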
Additional public reporting states that SOMBRAT is used primarily after initial compromise to collect and exfiltrate information and to deliver additional payloads. MS-ISAC listed SombRAT in its Top 10 malware reporting and noted malspam as the observed infection vector at the time of publication.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
“CVE-2021-20016 is a critical SQL injection vulnerability that exploits unpatched SonicWall Secure Mobile Access SMA 100 series remote access products… Successful exploitation would grant an attacker the ability to access login credentials (username, password) as well as session information… This vulnerability only impacted the SMA 100 series and was patched by SonicWall in February 2021.”
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Mandiant has observed an aggressive financially motivated group, UNC2447, exploiting one SonicWall VPN zero-day vulnerability prior to a patch being available and deploying sophisticated malware previously reported by other vendors as SOMBRAT.
Techniques & procedures
22 distinct techniques documented for this family, organized by ATT&CK tactic.
Stealth (3 techniques)
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
Discovery (6 techniques)
"actors used the following command ... to obtain information about services: net start"; "APT1 used the commands net start and tasklist to get a listing of the services on the system"; "OilRig has used sc query on a victim to gather information about services"; "Indrik Spider has used the win32_service WMI class to retrieve a list of services"
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Multiple malware and threat groups are described as collecting/deriving local system time, date, timestamp, tick count, or time zone (e.g., "used time /t and net time \\ip/hostname for system time discovery"; "collects the timestamp from the victim's machine"; "can collect the time zone information from the system").
Collection (3 techniques)
The content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.
Command and Control (8 techniques)
"Aria-body has the ability to use a reverse SOCKS proxy module." / "BADHATCH can use SOCKS4 and SOCKS5 proxies..." / "Neo-reGeorg... establish a SOCKS5 proxy" / "Remcos uses the infected hosts as SOCKS5 proxies"
"APT41 used a tool called CLASSFON to covertly proxy network communications." / "BADCALL functions as a proxy server between the victim and C2 server." / "Sandworm Team's BCS-server tool can create an internal proxy server to redirect traffic..."
Aria-body has the ability to use a reverse SOCKS proxy module... BADHATCH can use SOCKS4 and SOCKS5 proxies... GoBear implements SOCKS5 proxy functionality... Neo-reGeorg has the ability to establish a SOCKS5 proxy... Remcos uses the infected hosts as SOCKS5 proxies...
"Anchor has used ICMP in C2 communications." / "COATHANGER uses ICMP for transmitting configuration information..." / "PHOREAL communicates via ICMP for C2." / "Regin ... can use ICMP to communicate between infected computers." / "Cobalt Strike can be configured to use TCP, ICMP, and UDP for C2 communications."
APT41 has used DGAs to change their C2 servers monthly. Aria-body has the ability to use a DGA for C2 communications. Astaroth has used a DGA in C2 communications. Bazar can implement DGA using the current date as a seed variable.
The content repeatedly describes malware and threat actors using SSL, TLS, HTTPS, RSA, AES, Blowfish, RC4, ECIES, Diffie-Hellman, OpenSSL, WolfSSL, and mutual TLS to protect command and control traffic.
Multiple malware families and intrusion sets are described as encrypting C2 traffic using SSL/TLS/HTTPS (e.g., "used HTTPS for command and control", "encrypts C2 communications with TLS", "uses SSL for encrypting C2 communications", "TLS-encrypted WebSocket Protocol (WSS) for C2").
Exfiltration (1 technique)
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
IOCs tracked for this family
13 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
33 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Enterprise New Software: ... SombRAT
64-bit Windows backdoor with a plugin-based architecture; communicates with configurable C2 over DNS and TLS-encrypted TCP (and potentially WebSockets). Primary purpose is to download/execute additional plugins delivered via C2, with added obfuscation/anti-analysis and forensic evasion (e.g., patching process command-line arguments).
Remote access malware that uses a custom domain generation algorithm to generate subdomains for command-and-control.
Remote access trojan that can encrypt command-and-control traffic with SSL.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.