Malware spotlight: What is a Remote Access Trojan (RAT)?

December 3, 2019, by Fakhar Imam

A Remote Access Trojan (RAT) is a type of malware that allows covert surveillance, a backdoor for administrative control and unfettered and unauthorized remote access to a victim’s machine. The RAT is very dangerous because it enables intruders to get remote control of the compromised computer. Attackers can use the exploited machines to perform various malicious activities such as installing and removing programs, manipulating files, hijacking the webcam, reading data from the keyboard, harvesting login credentials and monitoring the clipboard.

The malicious actors can also use your internet address as a front for malicious purposes. For example, viruses downloaded through a RAT have the ability to compromise other computers by impersonating you.

In this article, we will explore the difference between RATs and keyloggers. We’ll also look at common RAT types, how a RAT is installed on a computer, how it works once installed, and how it can be detected and avoided.

How do RATs differ from keyloggers?

RATs often imitate keyloggers by allowing hackers to automatically collect keystrokes, user credentials, emails, browser history, screenshots and more. However, RATs differ from keyloggers in that they give attackers unauthorized remote access to a victim’s computer through a dedicated set of communication protocols, which are configured during the initial infection of the machine.

What are the most common types of RAT?

Back Orifice

Developed by the hacker group Cult of the Dead Cow, Back Orifice is one of the best-known examples of a RAT. This malware was specifically designed to expose security deficiencies in Windows operating systems.

Saefko

In October 2019, researchers at Zscaler ThreatLabZ uncovered a new piece of RAT malware called Saefko. It can retrieve Chrome browser history in order to learn about the user’s cryptocurrency-related activity.

CrossRAT

If you are using macOS, Windows, Solaris or Linux, you are exposed to CrossRAT, which is an undetectable type of RAT. Once a victim falls prey to the attack, their computer is remotely controlled by malicious actors, who make it perform functions to their own liking, such as taking screenshots and/or stealing personal data.

Beast

Beast is another RAT that mostly targets Windows operating systems. It was developed in 2002 and is still widely in use. Until recently, it attacked a series of operating systems ranging from Windows 95 to Windows 10.

Beast uses a client-server architecture similar to Back Orifice, with a server part of the system being the malware that is surreptitiously installed on the victim machine.

Blackshades

Blackshades is an off-the-peg hacking tool that propagates the RAT by sending out links to infected web pages and/or to the social media contacts of the infected user. Upon successful installation, hackers add botnet functions that make the victim’s machine launch Denial of Service (DoS) attacks. In addition, the infected computer can act as a proxy server to route hacker traffic and hide other hacking activities.

Mirage

Mirage is the key RAT malware launched by APT15 (Advanced Persistent Threat 15), a clandestine state-sponsored Chinese cyber-espionage group. Mirage attacked the government and military establishment of the UK in 2017, but the attack was not made public until 2018.

APT15 infiltrates specific users using basic tools, which are then customized to conduct tailored data exfiltration once the computer has been compromised. A new and improved version of this malware, Mirage RAT, was developed in June 2018.

How is the RAT installed on my computer?

RAT infection vectors are often similar to those of other malware. Hackers use various techniques to install a RAT on your computer. These techniques and methods are listed below:

  • Users can be tricked into downloading malicious packages
  • Users can be lured into visiting suspicious web links
  • Crafted email attachments are sent to the target users
  • The RAT is delivered in files downloaded through torrents

Threat actors can install RATs either by gaining temporary physical access or via social engineering attacks.

How does a RAT work on my computer?

After a successful installation, the RAT establishes a direct connection to the command-and-control (C&C) server, which is owned by the hackers, using a predefined TCP port on the compromised computer. The C&C server then opens a remote session on the victim’s machine. A RAT may also be able to connect to more than one C&C server run by the intruders.

Once the remote connection is established, attackers can do anything they like on the victim’s machine. Malicious activities include capturing webcam feeds, logging keystrokes and downloading or uploading files.

Various remote access tools can also be used to establish an interactive C&C channel in order to target systems within a network. These tools include Go2Assist, LogMeIn, TeamViewer and Ammyy Admin, all of which are also listed in MITRE’s ATT&CK matrix.

MITRE is a nonprofit organization dedicated to solving cybersecurity problems. Since its inception in 1958, MITRE has been providing innovative, practical solutions for different sectors. 

To achieve its cybersecurity goal, MITRE publishes MITRE ATT&CK, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. MITRE ATT&CK provides a foundation for developing threat methodologies and models for the private sector, government and the product/service community.

Detailed information about MITRE ATT&CK is available on the MITRE ATT&CK website (attack.mitre.org).

How do I detect RATs?

Detecting a Remote Access Trojan is a difficult task because in most cases it does not show up in the list of running tasks or programs on your computer, and the system itself is not slowed down. Your internet speed, however, will drop, because the RAT uses your bandwidth to operate. A RAT can remain on your computer for years if it goes unnoticed.

Malware detection tools and antivirus scans can help you find and remove a RAT.
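Because a RAT is quiet on the host but has to keep talking to its C&C server over its predefined port (as described in the previous section), the network side is often the easier place to notice it. The script below is an added example and is not code from the original article: it reads a constructed outbound connection log, groups connections by source, destination and port, and flags destinations contacted repeatedly at near-constant intervals, which is the signature of a scheduled "beacon". The log format, the IP addresses (taken from the RFC 5737 documentation ranges), the port number and the thresholds are all constructed for this example.

```python
"""Beacon-interval heuristic over outbound connection records.

Added example, not code from the original article. Groups outbound
connections by (source, destination, port) and flags groups whose
inter-connection gaps are nearly constant. Log lines, addresses, the
port number and the thresholds are constructed sample values.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one record per line:
# "<ISO timestamp> <src_ip> <dst_ip>:<dst_port> <bytes_sent>"
# 203.0.113.10:4444 is contacted about once a minute (a beacon);
# 198.51.100.5:443 is bursty, irregular browsing traffic.
SAMPLE_LOG = """\
2019-12-03T10:00:00 10.0.0.7 198.51.100.5:443 1320
2019-12-03T10:00:00 10.0.0.7 203.0.113.10:4444 96
2019-12-03T10:01:00 10.0.0.7 203.0.113.10:4444 96
2019-12-03T10:01:37 10.0.0.7 198.51.100.5:443 8804
2019-12-03T10:02:02 10.0.0.7 203.0.113.10:4444 96
2019-12-03T10:03:00 10.0.0.7 203.0.113.10:4444 96
2019-12-03T10:04:01 10.0.0.7 203.0.113.10:4444 97
2019-12-03T10:05:00 10.0.0.7 203.0.113.10:4444 96
2019-12-03T10:06:00 10.0.0.7 203.0.113.10:4444 96
2019-12-03T10:09:12 10.0.0.7 198.51.100.5:443 2210
2019-12-03T10:09:15 10.0.0.7 198.51.100.5:443 512
2019-12-03T10:12:40 10.0.0.7 192.0.2.20:80 640
2019-12-03T10:14:50 10.0.0.7 198.51.100.5:443 3010
"""


def parse_log(text):
    """Turn the log text into (timestamp, src, dst_ip, dst_port, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        records.append((datetime.fromisoformat(ts), src, dst_ip, int(dst_port), int(nbytes)))
    return records


def find_beacons(records, min_connections=5, max_jitter=0.1):
    """Flag (src, dst, port) groups whose inter-connection gaps are nearly constant.

    'jitter' is the coefficient of variation of the gaps (std dev / mean):
    0.0 means perfectly periodic. Ordinary browsing yields a large value
    because requests come in irregular bursts.
    """
    by_dest = defaultdict(list)
    for ts, src, dst_ip, dst_port, _ in records:
        by_dest[(src, dst_ip, dst_port)].append(ts)

    flagged = []
    for (src, dst_ip, dst_port), times in by_dest.items():
        if len(times) < min_connections:
            continue  # too few samples to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # everything at the same instant: a burst, not a beacon
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            flagged.append({
                "src": src, "dst": dst_ip, "port": dst_port,
                "count": len(times), "interval_s": round(avg, 1),
                "jitter": round(jitter, 3),
            })
    return flagged


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {hit['src']} -> {hit['dst']}:{hit['port']} "
              f"every ~{hit['interval_s']}s ({hit['count']} connections, jitter {hit['jitter']})")
```

On the sample data only the 203.0.113.10:4444 group is flagged (seven connections, roughly 60 seconds apart), while the irregular HTTPS traffic to 198.51.100.5 is not. The thresholds are deliberately conservative; on real data you would tune `min_connections` and `max_jitter` against known-good hosts and combine the result with other signals (unusual port, constant small payload sizes, a destination with no business purpose) before acting on it.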

How can a RAT be avoided?

There are a number of tools, techniques and best practices that can be used to avoid a RAT attack. Below is a detailed list of them:

  • Don’t download files from untrusted sources such as pornography or freeware sites
  • Avoid opening email attachments from people you don’t know
  • Don’t download games through malicious websites
  • Install antivirus software and keep it patched and up to date
  • Always keep your OS, web browsers and applications up to date and apply patches to all of them
  • Avoid downloading torrent files from unreliable sources
  • Always lock public computers when they are not in use, and be cautious of telephone calls or emails asking you to install an application
  • It is sometimes difficult to spot a RAT because attackers use a binder to bundle the RAT with a legitimate executable program, which hampers detection. Although RATs often don’t show up in the list of running processes, checking Task Manager for unfamiliar or unknown processes is still good practice. If a strange process is running, end it and remove the file; if you are not sure whether a process is legitimate, search for its name online
  • Sometimes a RAT is added to the Windows startup directories and registry entries so that it runs automatically every time you turn on your system. The good news is that you can manually prevent this automatic execution by following this simple procedure:
    • Press the Windows key + R key together
    • Type msconfig.exe into the Run box
    • Press OK, and the System Configuration window will appear
    • Click on the Startup tab and then open Task Manager. Check whether there is a malicious Startup item
    • If any suspicious program is there, decide what to do after checking its legitimacy through an internet search
  • Another good way to remove suspicious applications from your computer is the “Add or Remove Programs” option in the Control Panel. If you notice any odd program on your computer, just uninstall it
  • Since a RAT uses the bandwidth of your internet connection, it will ultimately slow down your internet speed. Therefore, poor internet speed may be an indication of RAT malware. If this is the case, quickly disconnect from the internet. Doing so will prevent attackers from controlling your PC, because a RAT only works while the internet connection is active. After disconnecting, use an anti-malware program such as SpyHunter or Malwarebytes to exterminate the RAT
  • If you are a company, initiate a security training and awareness program to educate your employees about RATs and other malware. This program should include all the best practices needed to stay safe
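The startup-entry review in the procedure above is done by hand in System Configuration and Task Manager. The script below is an added example, not code from the original article, that applies the same review to text captured from the machine: it parses the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM equivalent) and flags entries that usually deserve a closer look. The sample output, the user name, the value names and the paths are constructed; the three heuristics (launch via a script host, launch from a user-writable location, a system-binary name outside the Windows directory) are this example's assumptions about what merits review, not a verdict.

```python
"""Triage of Windows Run-key autostart entries.

Added example, not code from the original article. Parses the text output
of `reg query ...\CurrentVersion\Run` and flags entries that trip simple
heuristics. The sample output, names and paths are constructed; the
heuristics are assumptions for triage, not proof that an entry is malicious.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: what `reg query` prints for the HKCU and HKLM Run keys.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Windows Update Helper    REG_SZ    C:\Users\alice\AppData\Roaming\svchost.exe
    Sound Manager    REG_SZ    wscript.exe //B "C:\Users\alice\AppData\Local\Temp\snd.vbs"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""

# "<indent><value name><2+ spaces><REG_type><2+ spaces><data>"
ENTRY_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")

# Heuristic inputs (assumptions chosen for this example).
USER_WRITABLE_HINTS = ("\\appdata\\roaming\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe", "winlogon.exe"}


def parse_reg_query(text):
    """Return one dict per value found under each key header in the output."""
    entries, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            key = line.strip()  # unindented line: the key path header
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            name, vtype, data = m.groups()
            entries.append({"key": key, "name": name, "type": vtype, "command": data.strip()})
    return entries


def executable_path(command):
    """First token of the command line, honouring a double-quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0]


def triage_entry(entry):
    """Return the list of reasons an entry looks worth reviewing (empty if none)."""
    reasons = []
    exe = executable_path(entry["command"])
    exe_name = PureWindowsPath(exe).name.lower()
    lowered = entry["command"].lower()
    if exe_name in SCRIPT_HOSTS:
        reasons.append(f"launches via script/command host {exe_name}")
    if any(hint in lowered for hint in USER_WRITABLE_HINTS):
        reasons.append("runs from a user-writable location")
    if exe_name in SYSTEM_NAMES and "\\windows\\" not in exe.lower():
        reasons.append(f"system binary name {exe_name} outside the Windows directory")
    return reasons


def triage(reg_query_text):
    """Return (value name, command, reasons) for every entry that trips a heuristic."""
    flagged = []
    for entry in parse_reg_query(reg_query_text):
        reasons = triage_entry(entry)
        if reasons:
            flagged.append((entry["name"], entry["command"], reasons))
    return flagged


if __name__ == "__main__":
    for name, command, reasons in triage(SAMPLE_REG_QUERY):
        print(f"{name!r}: {command}\n    " + "\n    ".join(reasons))
```

Note that the OneDrive entry is deliberately not flagged even though it lives under the user profile: per-user installs in AppData\Local are common, so the location rule only looks at Roaming, Temp, Downloads and Public. A flag from this script means "verify this entry" (check the file's publisher signature, hash and install date), and the same review should be repeated for the RunOnce keys and the Startup folders the article mentions.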

Conclusion

RAT malware works clandestinely. Hackers use the C&C server to establish connectivity and get remote, administrative control over the victim’s computer. RATs can be very dangerous if they go unnoticed. However, applying appropriate security controls and best practices can prevent hackers from compromising your computer. 

Fakhar Imam

Fakhar Imam is a professional writer with a Master of Science in Information Technology (MIT). To date, he has produced articles on a variety of topics, including computer forensics, CISSP and various other IT-related subjects.