Unit 42 (Palo Alto Networks) researchers published a technical analysis of RDAT — an OilRig backdoor active since 2017 — after discovering a novel email-based C2 channel, added in June 2018, that uses steganography to hide commands and exfiltrated data within BMP images attached to emails. The tool was observed in April 2020 attacks against a Middle Eastern telecommunications organization, alongside custom Mimikatz credential dumpers, Bitvise SSH tunneling, and PowerShell downloaders — paralleling contemporaneous Greenbug/OilRig targeting of Southeast Asian telecoms documented by Symantec.
RDAT Evolution: PDB Path Attribution, DNS-Only Tunnel, and AES Subdomain Encoding
RDAT attribution to OilRig rests on its first appearance in a TwoFace webshell in October 2017 and on PDB paths shared across the tool cluster: C:\Users\Void\Desktop\RDAT\client\x64\Release\client.pdb (which names the tool) and C:\Users\Void\Desktop\dns\client\x64\Release\client.pdb. The same C:\Users\Void\Desktop prefix appears in over a dozen related samples, most identified as ISMDOOR. The March 2020 RDAT variant uses DNS-only TXT query tunneling (no HTTP fallback), with subdomains structured as <encoded_data>.<encoding_method><key>.<C2_domain>. Encoding is base64 (method 0) or base32 (method 1, selected by a command-line argument), with base64 characters substituted for DNS compliance (=→-, /→_, +→-a). The payload is AES-encrypted using a 16-byte key derived by repeating, eight times, the two random alphanumeric characters embedded in the subdomain (e.g., the characters R2 yield the key R2R2R2R2R2R2R2R2). Decrypted beacons carry <comms_type>,<config_ID>,<version>,<random_number>; C2 responses use the same AES scheme, and the decrypted response is split with the regex [^,]+ into command and arguments.
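A defender-side parser for the DNS channel described above, added here as an example and not code from the Unit 42 report or from RDAT itself: it derives the 16-byte key from the two-character seed, reverses the DNS-safe base64/base32 substitutions, and splits a decrypted beacon with the [^,]+ regex. The AES step is left out because the report does not state the mode or padding; the ciphertext bytes, the splitting of long data across 63-byte labels, and applying the = → - substitution to base32 padding are assumptions.

```python
import base64
import re
# Constructed example; rsshay.com is the report's hardcoded fallback C2 domain, re-fanged here.
C2_DOMAIN = "rsshay.com"
BEACON_FIELD_RE = re.compile(r"[^,]+")  # the field-splitting regex the report attributes to RDAT

def derive_key(seed: str) -> bytes:
    # Two alphanumeric characters from the subdomain, repeated eight times, form the 16-byte AES key.
    return (seed * 8).encode("ascii")

def dns_safe_encode(raw: bytes, method: int) -> str:
    """Method 0: base64 with + -> -a, / -> _, = -> -; method 1: base32 (= -> - on base32 padding is an assumption)."""
    if method == 0:
        return base64.b64encode(raw).decode().replace("+", "-a").replace("/", "_").replace("=", "-")
    if method == 1:
        return base64.b32encode(raw).decode().replace("=", "-")
    raise ValueError(f"unknown encoding method {method}")

def dns_safe_decode(label: str, method: int) -> bytes:
    # Undo '-a' before '-': '=' padding only ever ends a string, so '-a' can only have come from '+'.
    if method == 0:
        return base64.b64decode(label.replace("-a", "+").replace("_", "/").replace("-", "="), validate=True)
    if method == 1:
        return base64.b32decode(label.replace("-", "="))
    raise ValueError(f"unknown encoding method {method}")

def build_query(ciphertext: bytes, method: int, seed: str, domain: str = C2_DOMAIN) -> str:
    enc = dns_safe_encode(ciphertext, method)
    labels = [enc[i:i + 63] for i in range(0, len(enc), 63)]  # assumption: split at the 63-byte DNS label limit
    return ".".join(labels + [f"{method}{seed}", domain])  # <encoded_data>.<method><key>.<C2_domain>

def parse_query(qname: str, domain: str = C2_DOMAIN):
    """Recover method, AES key and ciphertext from a query name, or None if it is not RDAT-shaped."""
    qname = qname.rstrip(".")
    if not qname.endswith("." + domain):
        return None
    labels = qname[: -len(domain) - 1].split(".")
    m = re.fullmatch(r"([01])([A-Za-z0-9]{2})", labels[-1])
    if m is None or len(labels) < 2:
        return None
    method, seed = int(m.group(1)), m.group(2)
    try:
        ciphertext = dns_safe_decode("".join(labels[:-1]), method)
    except ValueError:  # binascii.Error is a ValueError: the data labels are not valid RDAT encoding
        return None
    return {"method": method, "key": derive_key(seed), "ciphertext": ciphertext}

def parse_beacon(plaintext: str) -> dict:
    """Split a decrypted beacon <comms_type>,<config_ID>,<version>,<random_number> with the report's regex."""
    fields = BEACON_FIELD_RE.findall(plaintext)
    if len(fields) != 4:
        raise ValueError(f"expected 4 beacon fields, got {len(fields)}")
    return dict(zip(("comms_type", "config_id", "version", "random_number"), fields))
```

Because the substitution can place "-a" across a label boundary, parse_query joins the data labels before decoding rather than decoding each label on its own.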
Steganographic Email C2 via Exchange Web Services: BMP Image Command Hiding
The most novel capability, introduced June 2018, replaces or supplements DNS tunneling with Exchange Web Services (EWS) email communication. Commands from the operator and exfiltrated data from the victim are hidden within BMP bitmap image file attachments using steganography — embedding data in image pixel values to make the C2 channel indistinguishable from legitimate email with image attachments. This approach combines two evasion techniques: using a legitimate enterprise communication protocol (EWS/Exchange) that is rarely inspected for malicious content, and encoding payloads within image files that bypass content-based detection focused on executable or script attachments. The combination significantly increases the difficulty of network-level detection compared to DNS tunneling or direct HTTP C2.
Attack Context: Custom Mimikatz, Bitvise, and PowerShell Downloader Infrastructure
The April 2020 Middle Eastern telecom intrusion used custom Mimikatz variants for credential dumping, a Bitvise SSH client for tunnel establishment, and PowerShell downloaders fetching RDAT from digi.shanx[.]icu:8080/Nt.dat — saving to C:\ProgramData\Nt.dat before relocation to C:\ProgramData\Vmware\VMware.exe. The same C:\ProgramData\Nt.dat staging path appeared in Symantec's Greenbug report (using apps.vvvnews[.]com:8080 as C2), confirming shared operational procedures. The hardcoded fallback C2 domain in the analyzed sample was rsshay[.]com.