WatchPoint Security Blog

RATs Everywhere

Written by Jordan Kadlec | November 16, 2016

Remote Access Trojans, or RATs for short, are malicious programs that run hidden on a victim's PC and give an intruder remote access to and control over it. On a basic level, many RATs mimic the functionality of legitimate remote-administration tools but are built for stealthy installation and operation. RATs are typically delivered via drive-by downloads or phishing campaigns. They are sold openly on underground (dark web) marketplaces and have become extremely popular with beginners and veteran cybercriminals alike.

What are RATs used for?

A cybercriminal using a RAT can explore a particular machine interactively, or send a broadcast command that instructs every Trojan under their control to act in concert to spread or do more damage. A single predefined command can instruct all the compromised machines to wipe their hard drives or attack another host, and attackers often use RATs to take over as many machines as possible in order to coordinate a Distributed Denial of Service (DDoS) attack. Typical RATs also offer the following capabilities:

  • Collect system information: hardware ID, client name/campaign mode, computer name, operating system, webcam presence, etc.
  • File Manager: download, rename, delete, execute
  • Remote Desktop capture/screenshot
  • Keylogger
  • Collect passwords entered into web forms or saved in web browsers
  • Webcam and microphone access
  • Run remote applications or scripts from disk or internet
  • Update RAT from disk or internet
  • Close connections
  • Uninstall RAT

With all of these capabilities, an attacker's access to the machine is effectively unrestricted. Capturing every screen and keystroke means the attacker can gather passwords, medical records, bank account and credit card information, and personal communications. If the PC has a webcam and/or microphone, the RAT can switch them on and capture any conversation or video within range of the machine. Besides using the infected machine to attack other systems, the attacker can use the remote-access capability to send email on behalf of the user, modify important documents, and even execute stock trades from the user's accounts.

Although RATs have been in the arsenal of cybercriminals for a long time, they remain challenging to detect. A RAT's network traffic uses the same ports as legitimate software, and the connection is normally initiated outbound from the infected machine to the attacker's command-and-control server, so to most security products it looks like ordinary client traffic. RATs also mimic legitimate commercial remote-control tools. Lastly, RAT activity is low-volume and operator-driven, with an intruder issuing individual commands, rather than the noisy, automated behaviour of worms or ransomware, so it does not match the patterns many detection signatures look for.
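One practical way to catch the traffic described above, added here as an illustration and not part of the original post: a RAT implant typically checks in with its command-and-control server on a timer, and that regularity stands out in connection logs even when the destination port is 443. The script below is an added Python example with a constructed sample log (invented hostnames and RFC 5737 documentation addresses, not real data). It groups outbound connections by source, destination and port and flags flows whose inter-connection intervals are nearly constant, measured by the coefficient of variation of the gaps.

```python
"""Beacon detection over outbound connection logs (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <source host> <destination IP> <port>".
# ws-17 talks to 203.0.113.10:443 roughly every 60 seconds (the implant),
# browses 198.51.100.7:443 at irregular intervals, and touches 198.51.100.20:80
# twice. All hosts and addresses are invented for this example.
SAMPLE_LOG = """\
2016-11-16T09:00:01 ws-17 203.0.113.10 443
2016-11-16T09:00:03 ws-17 198.51.100.7 443
2016-11-16T09:00:09 ws-17 198.51.100.7 443
2016-11-16T09:01:02 ws-17 203.0.113.10 443
2016-11-16T09:01:44 ws-17 198.51.100.7 443
2016-11-16T09:02:00 ws-17 203.0.113.10 443
2016-11-16T09:02:02 ws-17 198.51.100.20 80
2016-11-16T09:03:01 ws-17 203.0.113.10 443
2016-11-16T09:04:03 ws-17 203.0.113.10 443
2016-11-16T09:04:30 ws-17 198.51.100.7 443
2016-11-16T09:04:31 ws-17 198.51.100.7 443
2016-11-16T09:05:00 ws-17 203.0.113.10 443
2016-11-16T09:06:01 ws-17 203.0.113.10 443
2016-11-16T09:07:02 ws-17 203.0.113.10 443
2016-11-16T09:07:50 ws-17 198.51.100.7 443
2016-11-16T09:08:10 ws-17 198.51.100.20 80
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, port) tuples, skipping blanks/comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def find_beacons(records, min_connections=6, max_cv=0.2):
    """Flag (src, dst, port) flows whose connection gaps are nearly constant.

    A flow is reported when it has at least `min_connections` connections and
    the coefficient of variation (stdev / mean) of the gaps between successive
    connections is at most `max_cv`. Human-driven traffic is bursty and gives a
    large CV; a timer-driven implant with modest jitter gives a small one.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, port in records:
        by_flow[(src, dst, port)].append(ts)

    findings = []
    for flow, stamps in by_flow.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "flow": flow,
                "connections": len(stamps),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        src, dst, port = hit["flow"]
        print(f"possible beacon: {src} -> {dst}:{port} "
              f"({hit['connections']} connections, ~{hit['mean_interval_s']}s apart, cv={hit['cv']})")
```

On the sample above only the 203.0.113.10:443 flow is reported. Interval regularity on its own is not proof of compromise: update checkers, NTP, and monitoring agents beacon too, so allowlist known-good destinations and pair a hit with the owning process and destination reputation before acting. Implants that randomise their sleep heavily or check in over very long intervals will have a higher CV or too few connections to cross these thresholds, which is why the thresholds are parameters rather than constants.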

Aftermath

RATs can collect vast amounts of information about the users of an infected machine. Because RAT payloads are commonly wrapped in binders and crypters (obfuscating packers) before delivery, typical antivirus scanners are less likely to detect them than other types of malware. The best defence is a reputable, current antivirus product together with keeping the operating system and all installed programs up to date. Such scanners detect many RATs and remove the malware automatically, but for the reason just given a clean scan is not proof that a machine is clean.

If a RAT is found on your system, the first thing you should do is disconnect the PC from the network. As mentioned above, attackers often use an infected machine to reach other systems, and if a work PC is infected this could lead to a company-wide, catastrophic event. Next, from a clean computer, immediately change the password of every account that was used on or saved on the infected machine, and notify the appropriate system administrator of the potential compromise. Over the following months, make a habit of checking credit reports and bank statements for suspicious activity in your financial accounts: attackers often hold on to stolen personal information and use it only after the victim has forgotten about the infection.

As mentioned before, RATs are typically distributed through phishing campaigns. Never open an email attachment or follow a link from an unknown sender or an unfamiliar site. Users have been, and always will be, the weakest link in the cybersecurity chain.