Remote Access Trojans: Rats In System

Different RATs have varying levels of complexity in their capabilities of monitoring and controlling infected devices. Usually, a remote access trojan will initialize the connection to a command and control center (C2). The C2 connects the machine to the hacker’s own. This will allow a hacker to send a number of commands back to the RAT, which will then execute on the host machine.

These commands can disable antivirus, obfuscate the presence of the RAT, record images or videos, execute code remotely, and much more.

Though remote access trojans can be fully featured in their own right, they often have additional functionality and can act as a foothold in an infected system. For example, RATs can be used to deploy additional malware, such as a keylogger or ransomware. They may often act as a ‘doorway’ to the machine, and access can be rented to other hackers.

A remote access trojan can give attackers a high level of access to an entire network, making them fatal to homes and businesses.

Cuba Ransomware Gang Add RAT Functionality

The Cuba Ransomware operation has begun implementing a number of new tools in its stack, including RAT (remote access trojans) and a local privilege escalation tool.

The threat actor behind the upgrades is affiliated with Cuba Ransomware, and has been named ‘Tropical Scorpius’ by researchers at Unit 42.

The Ransomware already saw an update during the first quarter of this year, which included an updated encryptor with more complex options.

These new updates, especially the addition of a remote access trojan, make the ransomware much more dangerous.

Aside from the RAT and other updates, Tropical Scorpius uses the standard build of Cuba Ransomware.

One of the new techniques include using legitimate but invalidated NVIDIA certificates. These were stolen and leaked a number of months ago.

Tropical Socrpius than uses a local privilege escalation tool that features an exploit for CVE-2022-24521. This exploit was a zero-day discovered in April 2022.

The hackers will then move laterally across the network, and at this stage can also steal Kerberos credentials.

Lastly, Tropical Scorpius deploys the ROMCOM RAT, a previously unseen remtoe access trojan. This RAT handles C2 communications via ICMP requests through Windows API functions.

ROM RAT takes the following commands:

• Return connected drive information
• Return file listings for a specified directory
• Start up a reverse shell under the name svchelper.exe within the %ProgramData% folder
• Upload data to C2 as ZIP file, using IShellDispatch to copy files
• Download data and write to worker.txt in the %ProgramData% folder
• Delete a specified file
• Delete a specified directory
• Spawn a process with PID Spoofing
• Only handled by ServiceMain, received from C2 server and instructs the process to sleep for 120,000 ms
• Iterate through running processes and gather process IDs

Unit 42 noted that Tropical Scorpiuts compiled the latest version of the RAT on June 2022, and uploaded it to VirusTotal.

The second version added more commands, giving the malware more advanced operations. This version is also able to take screenshots, along with other features.

Webworm Resurrects Old Remote Access Trojans

Chinese-based APT ‘Webworm’ is experimenting with modifying old malware for new attacks in order to evade detection and keep costs low, including modifying older Remote Access Trojans.

Webworm is a cluster of groups active since 2017. They have been linked with attacks on companies in Russia, Georgia, and Mongolia. They mostly target IT firms and electricity providers.

Currently, Webworm are testing RATs against IT service provides in Asia, effectively testing their effectiveness against modern-day security.

The RATs being used are much older, but their source code has been available for decades in some cases. Modern security is having difficulty defeating them, given their old tech.

This method also helps Webworm hides its tracks, as the remote access trojans have been in the wild for a very long time.

The first remote access trojan used by Webworm is the Trochilus RAT, which was first developed in 2015.

There has been modifications to this RAT, including one which allows it to load its config from a file.

Another remote access trojan used by the gang is the 9002 RAT, which was a popular strain amongst state-sponsored hackers in the last ten years. 9002 is very stealthy, and can inject into memory.

Webworm is also using the Gh0st RAT, which is one of the oldest, from 2008. It has been an incredibly popular strain for many years.

Gh0st RAT features several layers of obfuscation, UAC bypassing, shellcode unpacking, and in-memory launch, many of which are retained in Webworm’s version.

Webworm also modified Gh0st RAT to become an entirely new strain, ‘Deed RAT’.

One of the new features of Deed RAT is a versatile C2 communication system supporting multiple protocols, including TCP, TLS, HTTP, HTTPS, UDP, and DNS.

WordPress Sees Rat Attack

Hackers have injected malware, including remote access trojans, into a number of extensions from FishPig. FishPig is a popular WordPress integration that has over 200,000 downloads.

FishPig primarily deploys Magento, an open-source eCommerce platforms. It supports the sale of billions of USD in goods annually.

Hackers penetrated FishPigs infrastructure and injected malicious code to the vendors software, in what is described as a supply-chain attack.

So far, it is unlikely that other paid extensions from FishPigs were compromised.

The hackers injected the code into License.php, a file that validates licenses in premium FishPig plugins, which downloads a Linux binary (“lic.bin”) from FishPig’s servers (“license.fishpig.co.uk”).

This binary is a Rekoobe, a popular remote access trojan. It has often been seen in Linux rootkits in the past.

Rekoobe assumes the name of a system service to hide within the architecture. It will then wait on commands from the C2 server.

Researchers at Sansec didn’t observe any commands taking place. This sort of move suggests that the hackers were planning to sell access later to the compromised extension.

Sansec have recommended the following actions for users of FishPig products:

• Disable all Fishpig extensions
• Run a server-side malware scanner
• Restart the server to terminate any unauthorized background processes
• Add “127.0.0.1 license.fishpig.co.uk” to “/etc/hosts” to block outgoing connections

A spokesperson for FishPig also had the following to say in a statement to reporters:

“The best advice for people at the minute is to reinstall all FishPig modules. They do not need to update to the latest version (although they can), but just reinstalling the same version will ensure that they have clean code as any infected code has been removed from FishPig.”

“The infection was limited to a single file in our obfuscation code on our separate license.fishpig.co.uk and this has been removed and protection added against future attacks. FishPig.co.uk was not affected.”

“Sorry for any inconvenience people may have faced. This was an extremely clever and targeted attack and we will be more vigilant in the future.”

Source Code Leaked

The source code of the popular remote access trojan (RAT) CodeRat has been leaked on GitHub, following a confrontation where researchers approached the malware developer questioning what tools he used.

CodeRat seems to originate from Iran, and targeted Farsi-speaking IT teams with a Word Document which abused Microsoft Dynamic Data Exchange (DDE) exploits.

The exploit will then fetch and execute CodeRat from the hackers Git repo, giving the developer a large number of functions to perform on the victims’ computer.

CodeRat is extensive, and has access to nearly 50 commands. It has extensive monitoring capabilities targeting webmail, Microsoft Office documents, databases, social network platforms, integrated development environment (IDEs) for Windows Android, and even individual websites like PayPal.

Researchers at SafeBreach have also pointed out that CodeRat can spy on some sensitive tools, like like Visual Studio, Python, PhpStorm, and Verilog, making it devestating to a number of industries.

The remtoe access trojan uses a telegram-based mechanism to perform commands from the C2 server.

The developer halted the project when analysts contacted him. However, because of the source code being published, CodeRat is very likely to become more prevalent. There is also the fear of copycat RATs.

CodeRat also has a GUI command builder for novice hackers, a UI to exfilitrate data to USB drives, and a HTTP debugger.

According to the developer, the RAT can persist between reboots without touching Windows Registry.

Hospitality Undergo RAT Attack Campaign

A hacking group dubbed TA558 has increased activity in recent months, and are using phishing campaigns that deploy remote access trojans (RATs). The primary targets are the hospitality and travel industries.

In total, TA558 use 15 different malware strains, which are mostly RATs. These perform surveillance, harvest data, and even siphons money from customers.

The hacking group has been active for almost 4 years, but researchers at Proofpoint highlighted the increase of their activity. It is believe to be due to the spike in tourism following the COVID lockdown.

TA558 have also switched to using macro exploited documents in its phishing emails.

The phishing emails have been sent to a number of regions, including English, Spanish, and Portuguese speaking companies.

TA558 have more of an inclination toward Portuguese companies.

The group pretend to be a conference ogranizer, a tourist office agent, or other sources that wouldn’t be easily dismissed in the target industries.

Victims who click on the URL in the message body, which is purported to be a reservation link, will receive an ISO file from a remote resource.

This launches a batch file which runs a PowerShell script, which will deploy the RAT payload.

In most of the cases Proofpoint observed this year, the payload was AsyncRAT or Loda, while Revenge RAT, XtremeRAT, CaptureTela, and BluStealer were also deployed on a smaller scale.

Russia Sees Remote Access Trojan Campaign

Remote Access Trojans (RATs) have been deployed against a number of Russian entities. The RATs allow hackers to steal data remotely.

According to researchers at MalwareBytes, one such entity attacked is a government-controlled defense corporation.

“Based on a fake domain registered by the threat actors, we know that they tried to target a Russian aerospace and defense entity known as OAK,” the Malwarebytes Labs researchers said.

Dubbed Woody RAT, the malware has a large number of functions and has been used in several attacks for 12 months.

The RAT is deployed via phishing emails, which use either ZIP archives, or Microsoft Office documents that exploit the Follina vulnerability to deploy payloads.

“The earliest versions of this Rat was typically archived into a zip file pretending to be a document specific to a Russian group,” the researchers added.

“When the Follina vulnerability became known to the world, the threat actor switched to it to distribute the payload, as identified by MalwareHunterTeam.”

Its list of features includes collecting system information, listing folders and running processes, executing commands and files received from its command-and-control (C2) server, downloading, uploading, and deleting files on infected machines, and taking screenshots.

Woody RAT can also execute .NET code and PowerShell commands and scripts received from its C2 server using two DLLs named WoodySharpExecutor and WoodyPowerSession.

Woody RAT encrypts its C2 channels by using both RSA-4096 and AES-CBC.

It is currently unknown who exactly is behind the attacks, outside the codename.

“This very capable Rat falls into the category of unknown threat actors we track. Historically, Chinese APTs such as Tonto team as well as North Korea with Konni have targeted Russia,” the researchers concluded.

“However, based on what we were able to collect, there weren’t any solid indicators to attribute this campaign to a specific threat actor.”

Remote Access Trojans, or RATs, are a devastating type of malware with an arsenal of illicit tools.

General Mitigation Against Remote Access Trojans

RATs are one of the hardest malware strains due to their stealthy nature. They often piggyback and hide their malicious functionality behind seemingly legitimate applications. Free software often contains remote access trojans, especially business applications.

Though difficult to mitigate, there are some steps you can take to defend against remote access trojans:

Attack Vectors: Like all malware, RATs require an attack vendor. As you have seen in this article, one of the most common attack vectors for RATs are phishing emails. It is critical that users are trained and educated to spot phishing emails, hence decreasing the chance of infection.

Strange Behaviour: Due to their nature of hiding within other applications, it is worth keeping an eye on newly installed applications – especially if they were free. If a non-internet relient application such as a word editor is generator word traffic it may be a sign of something suspicioius, for example.

Monitor Your Network: A machine with a RAT infection will be generating a high amount of traffic. Keep an eye on network traffic if you fear something is amiss.

Be Wary With Privilege: More so for business owners, but the idea of least privilege should be implemented. This states that users, applications, systems, etc. should only have the access and permissions that they need to do their job. If infection occurs, the damage will be much more limtied.

Multi-Factor Auth: Implement Multi-Factor Auth(MFA). This can shut down many RAT infections

Use A Cybersecurity Solution: Use a reliable cybersecurity solution, such as SaferNet. SaferNet was designed to shut down attack vectors common to remote access trojans, such as phishing.

SaferNet – Like A Cat Against RATs

There are several steps and tools one can use to avoid becoming a victim of a RAT. One of these tools is SaferNet.