Sniffing out a RAT, or remote access Trojan, can be challenging for even the most prepared cyber defender. Attackers keep evolving their tooling and delivery tactics to infect corporate systems, even as cybersecurity companies like Infoblox become increasingly aware of those tactics.
Here’s an overview of this type of malware, how it works, and how organizations can stay protected online.
What is a RAT (remote access Trojan)?
A remote access Trojan (RAT) is malware that gives an attacker covert surveillance of, or unauthorized access to, a victim’s computer or network from anywhere in the world. Unlike legitimate remote administration tools, RATs are typically installed without the victim’s knowledge, arriving as email attachments or bundled with downloads the user requested, such as games. The resulting backdoor gives the attacker complete control over the infected computer or network, making it possible to monitor user behavior, access and exfiltrate sensitive information, enroll the machine in a botnet, take screenshots and more.
Common RATs to Hunt
Many RATs have been dominating cybersecurity headlines recently. These are just some of the well-known RATs observed by Infoblox’s Cyber Intelligence Unit.
Remcos (remote control and surveillance) RAT emerged in 2016 and is still widely used by cybercriminals today. The Infoblox Cyber Intelligence Unit recently observed Remcos being distributed via phishing email using a simplified delivery tactic. Remcos has advanced surveillance capabilities, including a ScreenLogger, audio capture, and webcam capture. It’s a popular choice for targeting Windows operating systems because it is easy for threat actors to use and control.
The Infoblox Cyber Intelligence Unit recently observed a malicious email campaign that distributed the new AndroMut malware downloader, which then dropped the FlawedAmmyy RAT onto targeted victims in South Korea. Spam emails, mostly written in Korean, were sent out referencing financial quotes or invoices and carrying an attached .doc or .xls file. Once the file was opened and macros were enabled, the document downloaded AndroMut, which in turn downloaded FlawedAmmyy. The FlawedAmmyy RAT has been in use since at least 2016, allowing threat actors to gain access to infected computers and steal credentials, files, and other data.
Infoblox also observed a malicious email campaign distributing the Adwind RAT. These emails spoofed a notification about a commercial invoice and referenced “images of shipping documents,” while carrying a malicious JAR file attachment. Adwind is a Malware-as-a-Service (MaaS) platform that first appeared in 2012. It can log keystrokes, access webcams and record video, steal cryptocurrency wallet keys and VPN certificates, download and execute files, and more. Because it is Java-based, Adwind can run on any operating system that supports the Java Runtime Environment.
Detecting and Exterminating RATs
RATs are typically downloaded invisibly through malicious email campaigns, web links, download packages, games or .torrent files. They are covert by nature and may hinder identification by installing themselves under randomized file names and paths.
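The two delivery chains described above (a macro-enabled Office document fetching a downloader, and a Java-based RAT arriving as a JAR attachment) leave a recognisable trace in process-creation telemetry. The following is an added example, not Infoblox code: it scores constructed process-creation records modelled loosely on Sysmon-style fields (parent image, image, command line; the field names and the path list are assumptions) and flags the two behaviours.

```python
import os
from typing import List, Optional, Tuple

# Added example (not Infoblox code). Records are modelled loosely on Sysmon
# process-creation events; the field names are an assumption.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe"}
JAVA_HOSTS = {"java.exe", "javaw.exe"}
# User-writable paths where a mailed JAR would land; tune for your estate.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\appdata\\roaming\\")

def _basename(path: str) -> str:
    return os.path.basename(path.replace("\\", "/")).lower()

def classify_event(event: dict) -> Optional[str]:
    """Return a detection tag for one process-creation record, or None."""
    parent = _basename(event["parent_image"])
    child = _basename(event["image"])
    cmd = event.get("command_line", "").lower()
    # Macro-enabled .doc/.xls fetching a downloader: Office spawning a shell/script host.
    if parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN:
        return "office-macro-spawn"
    # Java-based RAT arriving as a JAR attachment: Java running a JAR out of a user dir.
    if child in JAVA_HOSTS and "-jar" in cmd and any(d in cmd for d in USER_WRITABLE):
        return "jar-from-user-dir"
    return None

def flag_suspicious_events(events: List[dict]) -> List[Tuple[int, str]]:
    """Classify a batch and return (pid, tag) for every hit, in input order."""
    hits = []
    for event in events:
        tag = classify_event(event)
        if tag:
            hits.append((event["pid"], tag))
    return hits

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 101, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c <constructed>"},
    {"pid": 102, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "command_line": "WINWORD.EXE"},
    {"pid": 103, "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\Java\bin\javaw.exe",
     "command_line": r"javaw.exe -jar C:\Users\alice\AppData\Local\Temp\shipping_documents.jar"},
    {"pid": 104, "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\Java\bin\java.exe",
     "command_line": r"java.exe -jar C:\Program Files\Tool\tool.jar"},
    {"pid": 105, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe", "command_line": "splwow64.exe"},
]
```

Running `flag_suspicious_events(SAMPLE_EVENTS)` flags only the Excel-to-cmd.exe spawn and the JAR launched from the user's Temp folder; the ordinary Word launch, the JAR under Program Files and the print-spooler helper spawned by Word stay unflagged.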
Infoblox protects organizations wherever they’re deployed using a unique hybrid approach. Hybrid security gives enterprises the power to leverage the cloud to detect more of today’s most dangerous threats while integrating with the on-prem system. Organizations benefit from streamlining and automating their security operations and scaling for future growth using the security tools they already have.
Learn more about Infoblox’s Cyber Intelligence Unit and stay up to date on the latest threat intelligence news here.