24. November 2020
White rats are easy to tame. The same can not be said about black rats, especially if we talk about RATs belonging to black hat hackers.
In this blog post, we’re concentrating on Remote Access Trojans, malicious software that effectively grants attackers a backdoor and asserts administrative control on the targeted computers.
RATs don’t just come around your machine out of nowhere. They require some user interaction, whether we talk about downloading malicious software packages or email attachments.
Once the target machine is infected, the attacker spreads the digital disease to other vulnerable computers. Repetitive infection and spread creates a botnet ‒ a horde of zombie-computers under hacker’s control.
Fear of RATs, as well as musophobia, is perfectly understandable.
Since these trojans gain admin control on the infected computers, the intruders can do anything malicious one can imagine. To be more specific, the attackers can monitor user activity, record keystrokes, access confidential information, turn on the webcam to record video, capture screenshots, format drives, and finally delete or modify system files.
To the surprise of nobody, RATs are sneaky. They are hard to detect, as they usually do not show up on the list of running programs. More than that, intruders can manage the level of resource use to avoid alerting the user about the infection. Plus some of the RATs can be managed through Telegram, which underlines how easy hackers can control them.
RATs are primarily designed to maintain long-term control and gain intelligence on the target.
Remote access trojan attacks mostly concern financial and bank employees.
The attackers often host their payloads using Google Cloud Storage as a way to bypass security controls built into security products.
Basically, RATs are put in the cloud to appear like harmless sheep.
Sometimes cyber criminals choose to use malicious links instead of attachments, as malware uses both the email and the web to infect victims. In the campaign mentioned above, malicious .zip and .gz files were used instead, for example. RATs can be different both in their functionality and deployment tactic.
“Many email security products can detect malicious attachments, but identify malicious URLs only if they are already in their threat repositories.”
According to Vinay Pidathala, director of security research at Menlo Security, “a compromised machine inside an enterprise network has a wide-ranging business impact, which could be anywhere between loss of personally identifiable information to potentially much more damaging consequences like exfiltration of intellectual property.”
The financial sector companies are the favorite targets of Remote Access Trojans (RAT), but they are not the only ones who are harmed by this malware.
When Advanced Persistent Threat groups take to the “rat races,” this type of trojan turns political.
Thanks to their covertness, RATs can be used to target their own homelands or outreach and pillage the neighboring countries, whatever interests state-backed hackers the most. One example of ATP using RATs can be found in Columbia.
APT-C-36 or “Blind Eagles” used RAT to infect government agencies to steal their trade secrets. The RATs allowed hackers to control servers remotely as administered users, and target many corporations from the oil and financial industries from April 2018.
This APT posed as Chevron, Energizer, Abbott Laboratories, and auto insurance provider Progressive and the Colombian National Civil Registry to get more clicks on their phishing campaigns.
By the way, they got their name for attacking the National Institute for the Blind.
Despite hearing all about the cyber threats, most potential targets turn the blind eye on this problem, preferring to ignore it instead of taking a proactive approach.
RAT protection procedures are fairly similar to guarding your systems from other types of malware.
Some of the most critical defensive duties are the following:
To expand on the third point, you may consider StealthMail as an anti-RAT measure on the email front. It allows your company to maintain a secure email communication without using email traditionally.
StealthMail retrieves email content at the moment of its creation, encrypts the content and attachments, and puts data to the protected company storage. The solution does not facilitate the transfer of confidential information over the SMTP protocol and vulnerable public email servers. Traditional email is only used to deliver Stealth Links. When you have StealthMail, attackers can no longer rely on spoofing.
StealthMail solution uses an existing email account, and it does not interfere in the current email infrastructure. StealthMail works without disrupting the traditional email protection solutions (NGFW, Sandbox, Email Appliance), complimenting them instead.You can find out more about StealthMail’s data protection strategy at StealthMail.com.
Link in die Zwischenablage kopiert!