The Chinese Lunar year 2020 is the Year of the Rat, and people born in the Year of the Rat are supposed to be optimistic and likable. But in cybersecurity, RAT (Remote Access Trojan) stands for the opposite of likable: a nasty tool leveraged by bad actors. For many years, RATs have been used as a means to control victims’ computers remotely and surreptitiously. The sneaky RAT can access computer users’ files and hardware resources like webcams and microphones, as well as function as a keylogger, data stealer and springboard for launching other malware attacks. Worse, use of RATs in attacks against the enterprise is on the increase. In this post, we take a look at the latest developments in the use of Remote Access Trojans.
Sometimes referred to as a “remote administration tool” due to their similarity to legitimate IT admin tools like TeamViewer and LogMeIn, a remote access trojan is essentially a hidden backdoor into another user’s computer. This backdoor gives the person operating the RAT a whole range of different functions that can be used for malicious purposes, depending on which particular RAT platform they’re utilizing.
Some well-known RATS from the past and present include:
Like genuine tools used by organizations to manage endpoints remotely, RATs give their operators powerful control over the system they are installed on. The difference, of course, is that a RAT is both hidden and unwanted.
As with most malware infections, RATs typically come through malspam, phishing and spearphishing campaigns. For example, a user may receive a phishing email carrying a malicious pdf or Word document, or the mail may contain a URL that takes the victim to a webpage for a fake software plugin and a message that a required tool is missing or needs updating. Adobe Flash, Adobe Reader and similar popular products are often spoofed for just this kind of trick due to their wide adoption across platforms.
Other threat actors have been more creative. For example, hackers have hidden the PyXie RAT in a Tetris game, used Facebook to deliver FlawedAmmyy RAT, and have even used a fake WebEx meeting invitation to infect an unsuspecting victim.
For your organization, the main danger with RATS is that they make illegitimate use of perfectly legitimate functionality that your admins need. No modern business can run an effective IT support service without the ability to remotely login to users’ computers for troubleshooting and other support tasks. RATS piggyback on the same remote access services that legitimate tools like TeamViewer use, exploiting Windows Remote Desktop (RDP) and TCP networking protocols to install a backdoor to the attacker’s own machine.
In the eyes of legacy AV suites, such activity may not seem suspicious at all. This ability to blend in with normal or expected traffic can allow a RAT to go undetected for months or years, which makes the RAT a perfect tool for all kinds of malicious actors, from APT and nation-state hackers to criminals looking for financial reward.
A RAT’s primary objective is to operate without the target’s awareness. While there’s certainly been cases of “lone wolf” actors targeting individuals and organizations and remaining undetected for over a decade, until recently the main threat to enterprise from RATs came from APT campaigns, including those targeting the most sensitive of installations such as a nuclear power plant in India (targeted by the DTrack RAT), oil and gas companies in the Middle East, telecoms across Africa and Asia (DanBot RAT), government agencies around the globe (Calypso RAT), and most recently an energy-sector organization in Europe (PupyRAT).
Using these RATs, hackers were able to take complete control over victims’ machines, gain access to entire networks, exfiltrate troves of sensitive corporate data and avoid detection until after they had realized all their goals.
While RATs have long been a popular tool for advanced targeted attacks, a new trend has emerged over the last 18 months or so. In this time, RATs have become more prevalent and now appear to be attractive to financially-motivated hackers. This has led to an increase in the number of RAT victims, who are unequipped to detect and mitigate this malware threat. This rise is in large part due to the fact that RAT developers have made their malware less expensive and more readily accessible. As a result, more criminals have started experimenting with these tools, and with this proliferation, the number of infected victims has risen.
A recent example of a RAT becoming a commercial, “off the shelf”? tool for criminals in this way was the Imminent Monitor? Remote Access Trojan (IM-RAT). IM-RAT provided cybercriminals easy access to victims’ machines. It was clever enough to bypass legacy anti-virus and malware detection software, carry out commands such as recording keystrokes, steal data and passwords, and watch victims via their webcams – all for a measly $25 per license. This made IM-RAT very popular, very fast. IM-RAT was used in 124 countries and sold to more than 14,500 buyers before being taken down by a joint action of the Australian Federal Police (AFP), Europol and Eurojust.
But price alone is not the only reason RATs have grown in popularity. RATs are very versatile, and their use is limited only by the imagination of those who develop and deploy them. They have been used to collect payment card details, to collect military and diplomatic intelligence, to grab the personal details of hotel guests and even to satisfy the sexual needs of voyeurs.
In the past, RATs were difficult to develop and required a high degree of proficiency to operate. They were anything but “fire-and-forget”? tools. They required threat actors to invest time and effort in inserting the malware into victims’ systems, manually operate the connection and then carry out whatever nefarious activities they had planned. As we have seen, things have changed more recently, and like other crimeware such as ransomware as a service, malware developers have seen and grasped the opportunity to make profit by selling easy access to tools that others do not have the skill to make for themselves.
For defenders, the increase in RAT activity means there is both a requirement to stop attacks dead at the initial stage, and to have visibility over your entire network to detect any threats that might have escaped your first layer of security. Implementing firewall control and network traffic policies can help you monitor and block unwanted connections and ports that will help thwart attackers.
Aside from that, disable Remote Desktop Protocol (RDP) and any similar remote access protocols across your fleet where they are not needed. Except for machines that require a constant remote connection, endpoints are typically better off only enabling RDP and similar services on a temporary “as needed” basis.
Researchers have noted that 2019 was a watershed year in the history of RATs, when, for the first time, they became a common weapon in the arsenal of financially-motivated hackers. It is highly likely that the popularity of RATs will increase in 2020, making it both the Lunar and the Cyber year of the Rat. Fortunately, a trusted next-gen behavioral AI security solution like SentinelOne can identify and block RATs both on installation and during execution. If you’d like to learn more about how SentinelOne can protect your organization, contact us today or request a free demo.