Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

8/28/2015
11:30 AM
Udi Shamir
Udi Shamir
Commentary
0%
100%

The 7 ‘Most Common’ RATS In Use Today

Sniffing out RATS -- remote access Trojans -- is a challenge for even the most hardened cyber defender. Here's a guide to help you in the hunt.

Earlier this month, the Office of Personnel Management reported that 21.5 million Americans had their social security numbers and other sensitive data stolen in the second breach to OPM’s background check database. In the wake of this massive breach, OPM Director Katherine Archuleta has resigned. It’s believed that the Sakula Remote Access Trojan (RAT) was associated with this attack.

RATs are very common and designed to provide the attacker with complete control over the victim's system. They can be used to steal sensitive information, to spy on victims, and remotely control infected computers. RAT infections are typically carried out via spear phishing and social engineering attacks. Most are hidden inside heavily packed binaries that are dropped in the later stages of the malware’s payload execution.

Although RATs have been a mainstay in cyber attackers’ tool kits for some time, they continue to be very challenging to detect for the following reasons:

  • They open legitimate network ports on the infected machines. Since this is a very common operation, it appears benign to most security products.
  • They mimic legitimate commercial remote administration tools.
  • They perform very surgical operations that do not resemble common malware techniques.

Here’s a rundown of seven of the most common RATs in use today:

RAT 1: Sakula is believed to be associated with the recent OPM attack. It is signed, looks like benign software, and provides the attacker with remote administration capabilities over the victim machine. Sakula initiates simple HTTP requests when communicating with its command and control (C&C) server. The RAT uses a tool called “mimkatz” to perform “pass the hash” authentication, which sends the hash to the remote server instead of the associated plaintext password.

RAT 2: KjW0rm is believed to be associated with the recent breach of TV stations in France. KjW0rm was written in VBS, which makes it even harder to detect. The Trojan creates a backdoor that allows the attacker to take control of the machine, extract information, and send it back to the C&C server. (For more information about KjW0rm read this SentinelOne blog.)

RAT 3: Havex targets industrial control systems (ICS). It is very sophisticated and provides the attacker with full control over the infected machine. Havex uses different variants (mutations) and is very stealthy. The communication with its C&C server is established over HTTP and HTTPS. Its footprint inside the victim machine is minimal.

RAT 4: Agent.BTZ/ComRat is one of the most notorious and well known RATs. Believed to be developed by the Russian government to target ICS networks in Europe, Agent.BTZ (also known as Uroburos) propagates via phishing attacks. It uses advanced encryption to protect itself from analysis, provides full administration capabilities over the infected machine, and sends extracted sensitive information back to its C&C server. Agent.BTZ uses advanced anti-analysis and forensic techniques.

RAT 5: Dark Comet provides comprehensive administration capabilities over the infected machine. It was first identified in 2011 and still infects thousands of computers without being detected. Dark Comet uses Crypters to hide it existence from antivirus tools. It performs several malicious administrative tasks such as: disabling Task Manager, Windows Firewall, and Windows UAC.

RAT 6: AlienSpy targets Apple OS X platforms. OS X only uses traditional protection such as antivirus. AlienSpy collects system information, activates webcams, establishes secure connections with the C&C server, and provides full control over the victim machine. The RAT also uses anti-analysis techniques such as detecting the presence of virtual machines.

[Read how a remote access Trojan played into the mysterious death of an Argentinian prosecutor in AlienSpy RAT Resurfaces In Case Of Real-Life Political Intrigue.]

RAT 7: Heseber BOT deploys Virtual Networking Computing  (VNC) as part of its operation. Since VNC is a legitimate remote administration tool, this prevents Heseber from being detected by any antivirus software. Hesber uses VNC to transfer files and provide control over the infected machine.

 

Detecting RATs is very difficult due to the fact that they resemble commercial remote administration software. Meanwhile, traditional protection mechanisms that rely on static signatures are typically unable to detect new RAT variants. Monitoring system processes to detect the execution of malicious activity has proven to be an effective approach for sniffing out a rat.

 

Ehud "Udi" Shamir is Chief Security Officer for SentinelOne and leads the company's research and forensic group. Udi also oversees product innovation and development. He joined SentinelOne from Check Point Software. Udi has more than 18 years of experience in security, ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Annesmith
50%
50%
Annesmith,
User Rank: Apprentice
5/23/2019 | 9:08:25 PM
Rats
I was unwise to leave my laptop in the same room as my previous boss. Unbeknowst to me, he had replicated the laptop and let the RATS loose. He commenced for three years to infect every laptop, bluetooth device, tablet..you get it...with a combo of undetected RATS. My question is this..i work for a large well known retailer, and my work pc has been affected. The system is on a very large network..how do i let corporate know without playing the computer "know nothing?"
theb0x
50%
50%
theb0x,
User Rank: Ninja
8/31/2015 | 4:38:58 PM
Re: DarkComet RAT
I remember the days of Back Orfice 2000 and SubSeven and their modules. RATs have been around for a long time.

Detection was difficult then, and it still to this day the capability to detect RATs effectively has made little to no progress.

The focus has geared more towards the heuristic analysis of network traffic rather than the detection of RAT code itself.

Today a simple triple encode using Meterpreter for example can result in the payload dropping directing into RAM undetected.

 

 

 
theb0x
50%
50%
theb0x,
User Rank: Ninja
8/31/2015 | 9:14:39 AM
RATS
Nuclear RAT is still widely used and very easy to operate. I am surprised this did not make the list.
DarkCoderSc
50%
50%
DarkCoderSc,
User Rank: Apprentice
8/28/2015 | 5:31:33 PM
DarkComet RAT
Not only RAT's are hard to detect, any malicious programs are when the hacker behind can buy / code their own material to make it stealth and undetected.

I have code a poly crypter few years ago for my official penetration testing and still can make undetectable any programs including of course RAT's / Viruses / Worms etc..


btw great article!

 

Thx
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-23281
PUBLISHED: 2021-04-13
Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated remote code execution vulnerability. IPM software does not sanitize the date provided via coverterCheckList action in meta_driver_srv.js class. Attackers can send a specially crafted packet to make IPM connect to ro...
CVE-2021-27598
PUBLISHED: 2021-04-13
SAP NetWeaver AS JAVA (Customer Usage Provisioning Servlet), versions - 7.31, 7.40, 7.50, allows an attacker to read some statistical data like product version, traffic, timestamp etc. because of missing authorization check in the servlet.
CVE-2021-27600
PUBLISHED: 2021-04-13
SAP Manufacturing Execution (System Rules), versions - 15.1, 15.2, 15.3, 15.4, allows an authorized attacker to embed malicious code into HTTP parameter and send it to the server because SAP Manufacturing Execution (System Rules) tab does not sufficiently encode some parameters, resulting in Stored ...
CVE-2021-27601
PUBLISHED: 2021-04-13
SAP NetWeaver AS Java (Applications based on HTMLB for Java) allows a basic-level authorized attacker to store a malicious file on the server. When a victim tries to open this file, it results in a Cross-Site Scripting (XSS) vulnerability and the attacker can read and modify data. However, the attac...
CVE-2021-27602
PUBLISHED: 2021-04-13
SAP Commerce, versions - 1808, 1811, 1905, 2005, 2011, Backoffice application allows certain authorized users to create source rules which are translated to drools rule when published to certain modules within the application. An attacker with this authorization can inject malicious code in the sour...