By Gitte Gade, Product Marketing Manager, LogPoint
The Remote Access Trojan (RAT) can be considered a legacy tool for hackers. The RAT is a malware program that uses a back door for administrative control over the targeted computer. RATs are used for low and slow, prolonged, stealthy operations such as APTs (Advanced Persistent Threats). Using this malicious technique, the attackers take their time to explore the victim’s networks and assets, then move around as quietly as possible to achieve their objectives without detection. Some APTs have been in operation for years, and RATs are crucial in enabling attackers to access targets while avoiding detection.
While RATs have been around for quite some time, they had not become especially popular among malware families: considered complicated to develop and operate, RATs demanded a high skill set from the attacker. That seems to be changing, as RATs have become more readily available and accessible, increasing the number of RAT victims whose security solutions cannot detect and mitigate this threat.
RATs are cheap and commercially available
The two major factors contributing to the widespread use of RATs are their availability and affordability. For instance, a tool called Imminent Monitor Remote Access Trojan provided cybercriminals free access to the victims’ machines. It was clever enough to bypass anti-virus and malware detection software, carry out commands such as recording keystrokes, stealing data and passwords, and watching the victims via their webcams. All that could be done without the victim noticing.
It was possible to buy this feature-rich, field-proven, easy-to-use package for as little as $25. Luckily, the Australian Federal Police (AFP), with international activity coordinated by Europol and Eurojust, were able to take down the RAT infrastructure and arrest several of the most prolific users of this RAT. The authorities arrested the developer and one employee of IM-RAT in Australia and Belgium in June 2019, and the tool, which was used across 124 countries and sold more than 14 500 times, is no longer available.
In Canada, a remote access tool marketed to admin users was found to be a RAT. Its developer and business development manager, working from Toronto under the legal entity Orcus Technologies, were arrested. Law enforcement agencies stated that the duo sold the Orcus RAT, aided malicious actors in installing it on other people’s computers, and ran a Dynamic Domain Server (DDNS) service that let the malware communicate with infected hosts without revealing the hacker’s real IP address.
Innovative Infection Methods
Once cybercriminals get their hands on the RAT, they employ very creative ways to embed the malware on victims’ systems. Although the top infection method is still via a weaponized document received by email, other methods are unfortunately gaining in popularity, such as:
- Masquerading as the Tetris game: a hacking group used an open-source version of the 90s Tetris to hide the PyXie RAT and infect organizations.
- Via Facebook: a RAT named FlawedAmmyy infected military targets. Researchers found a fake Facebook page impersonating an American-Libyan military officer named Khalifa Haftar, focused on politics and the army. The page also carried URLs to download files claimed to be leaks from Libya’s intelligence units, and URLs presented as legitimate sites where citizens could sign up for the army.
- A fake WebEx meeting invitation.
RATs are used for several purposes
Once installed, hackers have complete remote control over the victim’s system, which they can abuse in many ways. Some hackers use it to collect intelligence on military and diplomatic targets; others may obtain personal data, such as payment details of hotel guests.
RATs are capable, widely available, and cheap enough that breaking into networks is easy, which creates a challenge for organizations that need to secure themselves against this threat. Sadly, most existing prevention mechanisms will not identify the RAT and prevent infection, because RATs are built to stay under their radar. Similarly, most endpoint security mechanisms and network/perimeter solutions will not help identify RATs.
LogPoint can identify RAT activity patterns using advanced correlation rules and machine learning, and automatically respond to and mitigate the “low and slow” malware with LogPoint SOAR, using pre-configured playbooks. Learn more about LogPoint SIEM, UEBA, and SOAR.
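As an added illustration of the kind of “low and slow” pattern a correlation rule can surface (example code written for this page, not LogPoint’s rules or product code), the script below scores each source/destination pair in a few constructed firewall log lines by how regular its contact interval is and how little data it sends; the log field layout, the sample addresses and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log lines (not from the article): epoch seconds, src, dst, bytes out.
# 10.0.0.5 contacts one host every ~300 s with small payloads (beacon-like);
# 10.0.0.7 talks to one host at irregular times with varying volumes (browsing-like).
SAMPLE_LOGS = """\
1700000000 10.0.0.5 203.0.113.10 412
1700000300 10.0.0.5 203.0.113.10 398
1700000601 10.0.0.5 203.0.113.10 420
1700000900 10.0.0.5 203.0.113.10 405
1700001202 10.0.0.5 203.0.113.10 411
1700000010 10.0.0.7 198.51.100.20 15020
1700000043 10.0.0.7 198.51.100.20 9001
1700000900 10.0.0.7 198.51.100.20 2200
1700003000 10.0.0.7 198.51.100.20 70000
1700005000 10.0.0.7 198.51.100.20 300
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\d+)$")

def parse_logs(text):
    """Group (timestamp, bytes) events by (src, dst) pair; skip malformed lines."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, nbytes = m.groups()
            flows[(src, dst)].append((int(ts), int(nbytes)))
    return flows

def beacon_score(events, min_events=5):
    """Coefficient of variation of inter-arrival gaps (0 = perfectly periodic), or None."""
    if len(events) < min_events:
        return None
    times = sorted(t for t, _ in events)
    gaps = [b - a for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return None if avg == 0 else pstdev(gaps) / avg

def find_beacons(text, max_cv=0.2, min_events=5):
    """Return (src, dst, cv, event_count, avg_bytes) for pairs with regular, low-volume contact."""
    hits = []
    for (src, dst), events in parse_logs(text).items():
        cv = beacon_score(events, min_events)
        if cv is not None and cv <= max_cv:
            avg_bytes = round(mean(b for _, b in events))
            hits.append((src, dst, round(cv, 3), len(events), avg_bytes))
    return sorted(hits)
```

Real rules would add a volume ceiling, whitelist known periodic services such as update checks, and evaluate windows of many hours so that jittered beacons still stand out.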