Introduction to RATs

Once a hacker has gained initial access to a target machine, expanding and solidifying that foothold is the next logical step. In the case of a phishing attack, this involves using malware to take advantage of the access provided by the email.

A common way of expanding this beachhead on the target machine is through Remote Access Trojans (RATs). This type of malware is designed to allow a hacker to remotely control a target machine, providing a level of access similar to that of a remote system administrator. In fact, some RATs are derived from or based upon legitimate remote administration toolkits.

The primary evaluation criterion for a given RAT is how well it allows a hacker to accomplish their goals on the target computer. Different RATs are specialized for certain purposes, but many of the top RATs are designed to provide a great deal of functionality across a variety of different systems.

The top RATs

Many different Remote Access Trojans exist, and some hackers will modify existing ones or develop their own to be better suited to their preferences. Different RATs are also designed for different purposes, especially with RATs geared specifically to each potential target (desktop versus mobile, Windows versus Apple and so on).

Comparing different RATs across the board is like comparing apples to oranges. However, some RATs stand out from the rest within their particular areas of expertise.

1. The hacker’s choice: FlawedAmmyy

When trying to identify which malware variant is the most effective, it’s useful to take a look at what hackers are actively using. When it comes to RATs, FlawedAmmyy stands out as a clear modern favorite among hackers.

FlawedAmmyy is a RAT that was developed from the leaked source code of the Ammyy Admin remote administration software. It has been used in a variety of different malware campaigns but made history in October 2018 when it made Check Point’s list of the top 10 malware threats of that month. This was the first time that a RAT had made the list, and it was the result of a surge of malware campaigns pushing the RAT. The RAT continues to appear in incidents, being used by a variety of different hacking groups.

Since it was derived from a legitimate remote administration tool, FlawedAmmyy has a variety of built-in features. It provides a user with the ability to access the file system, capture screenshots and seize control of the microphone and camera.

2. Free and open-source: Quasar

For those who want a free and open-source RAT (to avoid potential backdoors), Quasar RAT is widely recommended. Quasar is written in C# and is available on GitHub. It was first committed in July 2014 and has received active updates since.

Quasar is billed as a lightweight remote administration tool that runs on Windows. However, it also has a variety of functionalities designed for “employee monitoring” (i.e., useful for hackers as well). These include keylogging, the ability to open remote shells, and downloading and executing files. Its number of features and high stability (due to frequent updates) make it a popular choice.

3. Mobile access (iOS): PhoneSpector

In the mobile market, RATs are advertised as solutions to help parents monitor their child’s cellular use or for employers to monitor how their employees are using company-owned devices. There are iOS monitoring applications available that do not require jailbreaking of the target device.

One of these is PhoneSpector, which bills itself as being designed to help parents and employers but acts like malware. The software can be installed by getting the device owner to click on a link and enter a product key on their device. It then monitors the device while remaining undetectable to the user.

PhoneSpector offers the hacker the ability to monitor a wide variety of activities on the device. This includes monitoring phone calls and SMS messages (even those that were deleted) as well as app activity. PhoneSpector even provides a customer service helpline in case a hacker gets in a bind.

4. Mobile access (Android): AndroRAT

Android’s market share and security model mean that more malware has been developed for it. The same is true for Android RATs. However, one of the most famous Android RATs in existence is AndroRAT.

AndroRAT was originally developed as a research project demonstrating the ability to remotely control Android devices, but it has since been adopted by criminals. The original source code to the RAT is available on GitHub and provides a wide variety of features.

Despite the age of the source code (last update in 2014), AndroRAT continues to be used by hackers. It includes the ability to inject its malicious code into legitimate applications, making it easy for a hacker to release a new malicious app carrying the RAT. Its functionality includes all of the normal features of a mobile RAT including camera/microphone access, call monitoring and location tracking via GPS.

5. RAT for ICS: Havex

Malware targeting industrial control systems (ICS) is nothing new, with big names like Stuxnet and Industroyer designed to cause physical damage. However, some ICS-focused malware is targeted at controlling critical infrastructure.

Havex is a general-purpose RAT, but it also has components specific to ICS. These include scanning modules focused on ports used by Siemens and Rockwell Automation equipment. The malware was also used in watering hole attacks focused on ICS, demonstrating that it is specifically engineered to target this sector.

Conclusion: Maintaining access

Remote Access Trojans fulfill an important function for hackers. Most attack vectors, like phishing, are ideal for delivering a payload to a machine but don’t provide the hacker with the ability to explore and interact with the target environment. RATs are designed to create a foothold on the target machine that gives the hacker the necessary level of control over it.

The five RATs described here all stand out for their ability to operate in a certain environment. A RAT specialized to the target environment is more likely to be able to accomplish its intended task without detection, making it far more valuable as a covert surveillance tool.


Howard Poston