Computer Security - RATs
last update: 19 Nov. 2019
RATs are Remote Access Trojans
A Remote Access Trojan (RAT) is a specific type of malware that controls a system over a remote network connection. RATs are programs that give an attacker unauthorised access to a victim’s computer. Often they mimic the behaviour of ‘keyloggers’, allowing the automated collection of keystrokes, usernames, passwords, screenshots, browser history, emails, chats, etc. Remote Access Trojans differ from ‘keyloggers’ in that they give the attacker interactive remote control of the victim machine over a command-and-control protocol of the attacker’s own design. This creates a backdoor that allows an attacker unfettered access, including the ability to monitor user behaviour, change system settings, open network ports, browse, copy and delete files, use bandwidth, reach connected systems, etc. RATs can also access the microphone and record conversations, and many can turn on the webcam and capture video (others even include packet sniffers).
Remote Access Trojans are usually installed through specially crafted email attachments, web links, download packages, games or .torrent files (sometimes through 'watering holes', legitimate sites the intended victims are known to visit). This is why users are always warned about the risks of clicking on email or site links to unknown locations, or installing software from unverified sources. RATs can be bound to legitimate software packages and will execute in the background. They are often used along with ‘exploit kits’, which probe a visitor’s browser and its plugins for exploitable vulnerabilities, and with ‘droppers’, Trojans whose only job is to install further malware.
On the other hand, remote administration refers to any method of controlling a computer from a remote location, and is routinely used for maintenance and troubleshooting across a large network. Many RATs mimic the functions of legitimate remote-access software such as LogMeIn or BOMGAR. The topic sounds banal, but industrial control systems, process control systems, supervisory control and data acquisition (SCADA) and distributed control systems are increasingly seen as security risks in critical infrastructure. So RATs are not just about gaining illicit access to domestic computers.
In 2015 hackers stole the social security numbers, residency and employment histories, and family, health and financial histories of 21.5 million Americans from the US Office of Personnel Management (OPM). This included the usernames and passwords used during background checks and 1.1 million fingerprints (a figure OPM later revised upward to 5.6 million). A few months earlier personnel data on 4.2 million current and former federal employees had been stolen from the same agency. It is believed that the Sakula Remote Access Trojan was used for this attack (the name echoes sakura, Japanese for cherry blossom). This RAT has been used by the Chinese advanced persistent threat (APT) groups Deep Panda and Aurora Panda (the latter possibly named after the earlier Operation Aurora) to target victims in the aerospace, government, healthcare and technology sectors.
Typical antivirus scanners are less likely to detect RATs than worms or viruses, because binders, packers and custom encryption (‘crypter’) routines disguise the payload. Yet RATs have the potential to cause significantly more damage than a worm or virus.
One clue to RAT infection is an unexpected open port on the infected machine, especially if the port number matches a known Trojan port. Note, however, that many modern RATs do not listen at all: they make outbound ‘reverse’ connections to a command-and-control server, often over port 80 or 443 to blend in with web traffic, so unexpected established outbound connections deserve the same scrutiny as unexpected listeners.
With OS X there is the Network Utility app (find it using Spotlight), which lets users scan a host for open TCP ports. Its Netstat tab gives a summary of packet statistics per protocol and of the current socket connections, and you can use sites such as SpeedGuide to check and test any open ports. The same information is available from the Terminal with netstat -an and lsof -i, which is worth knowing because Network Utility has been deprecated in later macOS releases. Traceroute, Whois and Finger are features of the Network Utility also worth looking at. For example, port 31337 is used by Back Orifice, and 27374 is SubSeven’s classic default. In addition to looking for known Trojan ports, be highly suspicious of unknown FTP server processes (port 21) or web servers (port 80). Also always beware of freeware programs; some may include spyware. If you really feel threatened, have a look at the network intrusion detection tool Snort (it also runs on OS X).
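As an added example (not code from the original page or from any tool it names), the following shell script applies that check to netstat -an output: it flags listeners on classic Trojan ports or on FTP/HTTP ports you did not deploy, and separately lists established connections to unusual remote ports, because many RATs call out rather than listen. The port table is a short illustrative list, the netstat capture is constructed (203.0.113.7 and 198.51.100.10 are documentation addresses), and the function names are my own.

```shell
#!/bin/sh
# Triage netstat -an output for two signs of a RAT:
# (1) sockets listening on classic Trojan ports, or on FTP/HTTP ports you
#     did not deploy, and (2) established outbound connections to unusual
#     ports, since many modern RATs connect out instead of listening.
# Added example, not from the original page. The port table and the sample
# netstat capture below are constructed for illustration.

# Map a port number to the RAT classically associated with it.
# Assumption: this table is illustrative; extend it from your own intel.
known_trojan_port() {
    case "$1" in
        31337) echo "Back Orifice" ;;
        27374) echo "SubSeven" ;;
        12345|12346) echo "NetBus" ;;
        *) return 1 ;;
    esac
}

# Read netstat -an lines on stdin; print one line per suspicious listener.
# Handles macOS/BSD "addr.port" and Linux "addr:port" address formats.
flag_suspicious_listeners() {
    while read -r proto recvq sendq local foreign state; do
        case "$proto" in tcp*|udp*) ;; *) continue ;; esac   # skip headers
        port=${local##*[.:]}
        case "$port" in ''|*[!0-9]*) continue ;; esac        # non-numeric port
        case "$proto" in udp*) state="LISTEN" ;; esac        # bound UDP has no state
        [ "$state" = "LISTEN" ] || continue
        if name=$(known_trojan_port "$port"); then
            echo "TROJAN-PORT $proto $local ($name)"
        elif [ "$port" = 21 ]; then
            echo "UNEXPECTED-FTP $proto $local"
        elif [ "$port" = 80 ] || [ "$port" = 8080 ]; then
            echo "UNEXPECTED-HTTP $proto $local"
        fi
    done
}

# Read netstat -an lines on stdin; print established connections whose
# remote port is not plain web traffic, for manual review.
list_unusual_outbound() {
    while read -r proto recvq sendq local foreign state; do
        [ "$state" = "ESTABLISHED" ] || continue
        rport=${foreign##*[.:]}
        case "$rport" in 80|443) continue ;; esac
        echo "OUTBOUND $proto $local -> $foreign"
    done
}

# Constructed sample in macOS netstat -an layout (not a real capture).
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  *.31337                *.*                    LISTEN
tcp4       0      0  *.21                   *.*                    LISTEN
tcp4       0      0  192.168.1.20.49751     198.51.100.10.443      ESTABLISHED
tcp4       0      0  192.168.1.20.50102     203.0.113.7.6667       ESTABLISHED
tcp6       0      0  *.22                   *.*                    LISTEN
udp4       0      0  *.27374                *.*'

demo_listeners() { printf '%s\n' "$SAMPLE_NETSTAT" | flag_suspicious_listeners; }
demo_outbound()  { printf '%s\n' "$SAMPLE_NETSTAT" | list_unusual_outbound; }

# On a live host: netstat -an | flag_suspicious_listeners
demo_listeners
demo_outbound
```

A hit is a lead, not a verdict: port numbers are freely configurable (SubSeven can even randomise its own), and a legitimate service can occupy any of them, so follow up by identifying the owning process with lsof -i :PORT and comparing it against what you actually installed.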
There is a vast range of RATs in the wild, and once created most can be found under alternative names and in differing varieties. Just as an example, in 2016 an Italian malware author called z3r0 was selling their new remote access Trojan Backdoor.Remvio in an underground forum. The price was between US$58 and US$389 in bitcoins, depending on the licence agreement. The malware came with an end user licence agreement (EULA) that denied any responsibility if a third party used the software for malicious activity. This particularly small backdoor Trojan was written in C++, and the builder and control panel were developed in Delphi. The control panel included an option to automate exfiltration (data theft). To my knowledge z3r0 was not even a minor player and Backdoor.Remvio never appeared in the wild.
On the other hand, RATs such as Back Orifice and SubSeven are all-in-one intruder toolkits that do everything, including capturing screen, sound and video content. These Trojans are keyloggers, remote controllers, FTP servers, HTTP servers, Telnet servers and password finders. Intruders can configure the port the RATs listen on, how the RATs execute, and whether the RATs contact the originator by email, Internet Relay Chat (IRC) or another chat mechanism. More malicious RATs can contain mechanisms that hide the Trojan by encrypting its communications, and some have professional-looking APIs so that other intruder developers can add functionality. These RATs’ aggressive functionality makes them larger and possibly easier to detect.
SubSeven - This RAT, around since 1999, was for years near the top of antivirus-vendor infection statistics (even in 1999 it had keylogging). This Trojan functions as a keylogger, packet sniffer, port redirector, registry modifier, and microphone and webcam recorder. SubSeven uses ICQ, Internet Relay Chat (IRC), email and even Common Gateway Interface (CGI) scripting to contact the originating intruder, and it can randomly change its server port and notify the intruder of the change. The key is to understand how it works. SubSeven is usually sent as a program that you think you want. It almost always has a .exe extension and is often disguised as an installation program, such as Setup.exe. When this program runs it will usually return a "Failed" error message, but it can sometimes do something, such as play a game or appear to install the software, while the server component is installed in the background.
Back Orifice - The Cult of the Dead Cow created Back Orifice in August 1998. The program raised the bar for RATs by adding a programming API and enough new features to make legitimate programmers jealous. Back Orifice 2000 (BO2K), released under the GNU General Public License (GPL), attempted to gain a following with legitimate users and compete against programs such as pcAnywhere. But its default stealth mode and obviously harmful intent mean the corporate world is unlikely to embrace it anytime soon. Using the BO2K Server Configuration utility an intruder can configure a host of server options, including TCP or UDP, port number, encryption type, stealth activities, passwords and plugins. Back Orifice has an impressive array of features that include keystroke logging, HTTP file browsing, registry editing, audio and video capture, password dumping, TCP/IP port redirection, message sending, remote reboot, remote lockup, packet encryption and file compression. The program comes with a software development kit (SDK) that extends its functionality through plugins. In this case the small (122 kB) server application must be installed on the target machine by tricking the victim. The client (on the attacker’s machine) can then communicate with the server on the compromised machine.
There are a multitude of other RATs and Trojans such as Poison Ivy, HesperBOT, ProRat, KiW0rm, Havex, Turkojan, Agent.BTZ/ComRat, CyberGate, DarkComet, Optix, AlienSpy and Trochilus, just to name a few. An analysis of the use of Poison Ivy in 2011 showed that it was using 147 domains and 165 IP addresses. This type of RAT requires direct, real-time human interaction, suggesting that the threat actor is genuinely interested in their specific target. In this particular case Poison Ivy was installed on the target computer by exploiting a zero-day flaw. Although linked to China, it has also been used from the Middle East in attacks on Israelis and Palestinians (as well as the US and UK governments). These attacks have been linked to the Molerats.
We should not forget that in the first 6 months of 2017 around 480 billion malicious attacks were recorded, served from nearly 80 million different websites. Trojan-ransom attacks on mobile users have gone through the roof (usually banker installation packages or ransomware). And nowhere is safe: at least 30 new Trojans from the Ztorg family were found in the official Google Play Store. This family had already appeared in 2016 as fake guides to Pokémon GO, downloaded more than 500,000 times. Ztorg gains superuser (root) privileges, installs its modules into the system folders, can reset the device to factory settings, and then downloads ads and buys apps. Other versions are distributed by SMS spam. The latest versions will also hunt out the user’s call history, contacts and GPS location.
Xafecopy has been linked to Ztorg. It is Android malware, closer to a ‘clicker’ Trojan than a full RAT, embedded in a variety of apps such as a battery optimiser. Once loaded, the app silently clicks web pages that use WAP billing and subscribes the phone to services that charge money directly to the user’s mobile phone bill. The app receives the WAP billing URLs from a command-and-control server.
If you would like to take a look at digital attack maps, have a look at this page on Secure Idées, which points to sites such as map.httpcs.com.
Some videos about RATs to check out.