What is a Remote Access Trojan (RAT)?
A remote access Trojan (RAT) is a malware program that opens a backdoor, enabling administrative control over the victim’s computer. RATs are typically downloaded together with a seemingly legitimate program, like a game, or are sent to the target as an email attachment. Once the attacker compromises the host’s system, they can use it to distribute RATs to additional vulnerable computers, establishing a botnet.
A RAT can be deployed as a malicious payload using exploit toolkits such as Metasploit. After a successful installation, the RAT establishes direct connectivity to the command-and-control (C&C) server controlled by the attackers. The attackers accomplish this using a predefined open TCP port on the compromised device.
Because RAT provides administrative control, the attacker can do almost anything on the victim’s computer, for example:
- Monitor user behavior via spyware or keyloggers
- Access sensitive details, including social security numbers and credit card numbers
- Activate a system’s video recording and webcam
- Take screenshots
- Distribute malware and viruses
- Format drives
- Download, alter, or delete files and file systems
Why are Remote Access Trojans Dangerous?
Cybersecurity teams often have difficulty detecting RATs because they generally don’t appear in running tasks or programs lists. RATs commonly perform actions similar to those of valid programs. Also, an attacker will manage the level of resource use so that there is no drop in performance, making it more difficult to notice the threat.
Here are several ways a RAT attack can endanger individual users, organizations, or even entire populations:
- Spying and blackmail—an attacker who deploys RAT on a user’s device gains access to its cameras and microphones. They can take photos of the user and their environment, use it to conduct more sophisticated attacks, or to blackmail the user.
- Launching distributed denial of service (DDoS) attacks—when attackers have RATs deployed on a large number of user devices, they can use these devices to flood a target server with fake traffic. Users are commonly unaware that their devices are used for DDoS, although an attack can result in network performance degradation.
- Cryptomining—attackers can use a RAT to mine Bitcoin or other cryptocurrency on a user’s computer. By scaling their operation across a large number of devices, they can generate significant earnings.
- Remote file storage—attackers can leverage RAT to store illegitimate content on the devices of unsuspecting victims. This way, authorities cannot shut down the attacker’s account or storage server, because their data is stored on devices belonging to legitimate users.
- Compromising industrial systems—attackers can use RAT to take control of large-scale industrial systems, including public utilities like water and electricity. The attacker can sabotage these systems, causing widespread damage to industrial machinery, and potentially disrupting critical services to entire areas.
Common Remote Access Trojans
Sakula is seemingly benign software with a legitimate digital signature, yet it gives attackers complete remote administration capabilities over a machine. It uses simple, unencrypted HTTP requests to communicate with its control server. It leverages the mimikatz password stealer to perform authentication using a pass-the-hash technique, which reuses operating system authentication hashes to hijack existing sessions.
KjW0rm is a worm written in VBS, which makes it difficult to detect on Windows machines. It also uses obfuscation to avoid detection by antivirus. It is silently deployed and then opens a backdoor that lets attackers take full control over a machine and send data back to the C&C server.
Havex is a RAT that targets industrial control systems (ICS). It grants attackers full control over industrial machinery. Havex uses several mutations to avoid detection and has a minimal footprint on the victim device. It communicates with the C&C server over HTTP and HTTPS.
Agent.BTZ/ComRat (also called Uroburos) is another RAT targeting ICS, which is thought to have been developed by the Russian government. It is deployed via phishing attacks, and uses encryption, anti-analysis and anti-forensic techniques to avoid detection. It provides full administrative control over an infected machine, and can exfiltrate data back to its C&C server.
Dark Comet was first identified in 2011 and is still actively used. It grants full administrative control over infected machines, and can disable Task Manager, firewall, and user access control (UAC) on Windows machines. Dark Comet uses encryption to evade detection by antivirus.
AlienSpy is a RAT that targets Apple OS X and macOS platforms. It collects information about the target system, activates the webcam, and securely connects to the C&C server to enable complete control over the machine. AlienSpy uses anti-analysis techniques to detect the presence of virtual machines.
The Heseber BOT is based on VNC, a traditional remote access tool. It uses VNC to provide remote control over the targeted machine and transfer data to the C&C server. However, it does not grant administrative access over the machine unless the user has those permissions. Because VNC is a legitimate tool, Heseber cannot be detected by many antivirus tools.
Sub7 is a RAT that operates in a client-server model. The server is the component deployed on a victim machine, and the client is a GUI used by the attacker to control the remote system. The server attempts to install itself into the Windows directory. Once deployed, Sub7 enables webcam capture, port redirects, chat, and provides an easy-to-use registry editor.
Back Orifice is a remote access program for Windows, supporting most versions since Windows 95. It is deployed as a small-footprint server on a target machine, and a GUI-based client operated by an attacker gains complete control over the system. It can be used to control multiple computers in parallel using imaging techniques. The server communicates with its client via TCP or UDP. It typically runs on port 31337.
Defending Against Remote Access Trojans
Here are a few ways you can defend your organization against the risk of RAT malware.
Security Awareness Training
A RAT defense strategy relies on organization-wide security awareness training. Human error is the fundamental cause of most security events, and RAT infections are no exception. Attackers typically deliver this malware via infected attachments and links in phishing campaigns. Employees must be vigilant so they don’t unintentionally infect the company network.
Strict Access Control Procedures
RATs are commonly used to compromise administrative credentials, providing attackers access to valuable data on the organization’s network. With tight access controls, you can restrict the fallout from compromised credentials. Stricter controls involve implementing two-step verification, stricter firewall configurations, whitelisting IP addresses for authorized users, and using more advanced antivirus solutions.
Secure Remote Access Solutions
Attackers view each new endpoint that connects to your network as a potential system to compromise using RAT. Organizations should only allow remote access via secure connections created with virtual private networks (VPNs) or hardened, secure gateways to minimize the attack surface. In addition, you can use a clientless remote access solution that does not need additional plugins or software on end-user devices as these devices are targets for attackers.
Zero-Trust Security Technologies
Zero-trust security models have grown in popularity because they promote “never trust, always verify.” Instead of granting administrative credentials for complete access across the network, the zero-trust security approach grants granular control over lateral movements. This is critical to mitigating RAT attacks, because attackers use lateral movements to infect additional systems and access sensitive data.
Focus on Infection Vectors
RATs, like all malware, are only a threat if they are installed and implemented on a target computer. Using secure browsing and anti-phishing solutions and consistently patching systems can minimize the likelihood of RATs. These solutions make it harder for RATs to infect a computer to begin with.
Look for Abnormal Behavior
RATs are trojans that can present as legitimate applications. RATs typically comprise malicious functionality connected to a real application. Monitor applications and systems for unusual behavior that may indicate a RAT.
Monitor Network Traffic
An attacker can use a RAT to remotely control an infected computer via the network. A RAT deployed on a local device communicates with a remote command-and-control (C&C) server. Look for unusual network traffic associated with such communications, and use tools like web application firewalls (WAF) to monitor and block C&C communications.
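As an added example (not code from the original article), the following Python script applies two of the network checks discussed here to a constructed connection log: it flags connections to the Back Orifice default port 31337 named above, and it flags flows that reconnect to the same remote host at nearly constant intervals, the polling pattern of a RAT checking in with its C&C server. The log format, thresholds and addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed connection log (not a real capture): "<time> <src> -> <dst>:<port> <proto>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 -> 203.0.113.7:443 tcp
2024-05-01T10:00:30 10.0.0.5 -> 203.0.113.7:443 tcp
2024-05-01T10:01:00 10.0.0.5 -> 203.0.113.7:443 tcp
2024-05-01T10:01:30 10.0.0.5 -> 203.0.113.7:443 tcp
2024-05-01T10:00:12 10.0.0.8 -> 198.51.100.3:31337 tcp
2024-05-01T10:00:05 10.0.0.9 -> 192.0.2.10:443 tcp
2024-05-01T10:07:41 10.0.0.9 -> 192.0.2.10:443 tcp
2024-05-01T10:19:02 10.0.0.9 -> 192.0.2.10:443 tcp
2024-05-01T10:21:15 10.0.0.9 -> 192.0.2.10:443 tcp
"""

# Only the default port named in the article; a real deployment would use a maintained list.
RAT_DEFAULT_PORTS = {31337: "Back Orifice default port"}

def parse_log(text):
    """Turn log lines into (timestamp, src, dst, port) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        try:
            ts, src, _arrow, dst_port, _proto = line.split()
            dst, port = dst_port.rsplit(":", 1)
            events.append((datetime.fromisoformat(ts), src, dst, int(port)))
        except ValueError:
            continue  # wrong field count, bad timestamp or non-numeric port
    return events

def find_known_ports(events):
    """Flag connections to ports that RATs in this article use by default."""
    return [((src, dst, port), RAT_DEFAULT_PORTS[port])
            for _ts, src, dst, port in events if port in RAT_DEFAULT_PORTS]

def find_beacons(events, min_conns=4, max_jitter=5.0):
    """Flag (src, dst, port) flows whose gaps between connections are nearly constant."""
    by_flow = defaultdict(list)
    for ts, src, dst, port in events:
        by_flow[(src, dst, port)].append(ts)
    alerts = []
    for flow, times in by_flow.items():
        if len(times) < min_conns:
            continue  # too few connections to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:  # human traffic is bursty; polling is metronomic
            alerts.append((flow, "beacon every %.0fs" % (sum(gaps) / len(gaps))))
    return alerts
```

Run `find_known_ports(parse_log(SAMPLE_LOG))` and `find_beacons(parse_log(SAMPLE_LOG))`; the irregular 10.0.0.9 flow is not reported, while the 30-second poller and the port 31337 connection are.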
Implement Least Privilege
The concept of least privilege states that applications, users, systems, and the like, should only have the permissions and access required to do their job. Using least privilege can help restrict what an attacker can do using a RAT.
Deploy Multi-Factor Authentication (MFA)
RATs typically attempt to steal passwords and usernames for online accounts. Using MFA can minimize the fallout if an individual’s credentials are compromised.
RAT Protection with Imperva
Imperva’s Web Application Firewall can prevent RAT from being deployed on your network, and can cut off RAT communication with C&C servers after deployment.
Beyond malware protection, Imperva provides comprehensive protection for applications, APIs, and microservices:
Runtime Application Self-Protection (RASP) – Real-time attack detection and prevention from your application runtime environment goes wherever your applications go. Stop external attacks and injections and reduce your vulnerability backlog.
API Security – Automated API protection ensures your API endpoints are protected as they are published, shielding your applications from exploitation.
Advanced Bot Protection – Prevent business logic attacks from all access points – websites, mobile apps and APIs. Gain seamless visibility and control over bot traffic to stop online fraud through account takeover or competitive price scraping.
DDoS Protection – Block attack traffic at the edge to ensure business continuity with guaranteed uptime and no performance impact. Secure your on-premises or cloud-based assets – whether you’re hosted in AWS, Microsoft Azure, or Google Public Cloud.
Attack Analytics – Ensures complete visibility with machine learning and domain expertise across the application security stack to reveal patterns in the noise and detect application attacks, enabling you to isolate and prevent attack campaigns.