A Remote Access Trojan (RAT) is a type of malware that lets a hacker take control of your computer. The spying activities that the hacker may carry out once that RAT is installed vary from exploring your files system, watching activities on the screen, and harvesting login credentials. The hacker might also be using your internet address as a front for illegal activities, impersonating you, and attacking other computers. Viruses downloaded through the RAT will infect other computers, while also causing damage to your system by erasing or encryption essential software.
RATs are tools that are usually used in a stealth type of hacker attack, which is called an Advanced Persistent Threat, or APT. This type of intrusion is not focused on damaging information or raiding computers quickly for data. Instead, APTs consist of regular visits to your network that can last over years. RATs can also be used to reroute traffic through your company network to mask illegal activities. Some hacker groups, predominantly in China, have even created a hacker network that runs through the corporate networks of the world and they rent out access to this cybercrime highway to other hackers. This is called the “terracotta VPN” and it is facilitated by RATs.
RATs have quietly been around for more than a decade. The technology was discovered to have played a part in extensive looting of US technology by Chinese hackers back in 2003. The Pentagon launched an investigation, called Titan Rain, which discovered data theft from US defense contractors, with development and classified testing data being transferred to locations in China.
You may recall the US East Coast power grid shutdowns of 2003 and 2008. These were also traced back to China and were also facilitated by RATs. In short, a hacker who can get a RAT onto a system can activate all of the software that the users of those computers have at their disposal.
A hacker with a RAT can command power stations, telephone networks, nuclear facilities, or gas pipelines. RATs not only represent a corporate security risk, but they can also enable belligerent nations to cripple an enemy country.
The original users of RATs for industrial espionage and sabotage were Chinese hackers. Over the years, Russia has come to appreciate the power of RATs and has integrated them into its military arsenal. APTs are now officially part of the Russian offense strategy that is known as “hybrid warfare.”
When Russia seized territory from Georgia in 2008 it employed DDoS attacks to block internet services and APTs using RATs to gather intelligence, control, and disrupt Georgian military hardware and essential utilities. Russia’s use of RATs to destabilize the Ukraine and the Baltic States continues to this day.
Russia employs semi-official hacker groups, such APT28. Another hacker group, known as APT15 is regularly used by the Chinese government. The names of these groups explain their main strategy, the “advanced persistent threat,” which is facilitated by RATs.
The rise in trade tariff tensions in 2018 has seen a new spurt in Chinese hacker activity, particularly the semi-military APT15 group. The troubles between the USA and North Korea that have been rumbling on since 2015 have also caused a rise in RAT-assisted APT activity originating in North Korea.
So, while hackers around the world use RATs to spy on companies and steal their data and money, the RAT problem has now become an issue of national security for many countries, particularly the USA.
There are a number of remote access systems that could have legitimate applications, but are well-known as tools that are mainly used by hackers as part of a Trojan; these are categorized as Remote Access Trojans. The details of the best known RATs are explained below.
Back Orifice, which is also referred to as BO is an American-made RAT that has been around since 1998. This is the granddaddy of RATs and has been refined and adapted by other hacker groups to produce newer RAT systems. The original system exploited a weakness in Windows 98. Later versions that ran on newer Windows operating systems were Back Orifice 2000 and Deep Back Orifice.
This RAT is able to hide itself within the operating system, which initially makes it difficult to detect. However, nowadays, most antivirus systems have the Back Orifice executable files and occlusion behavior logged in their databases as signatures to look out for. A nice feature of this software is that it has an easy-to-use console which the intruder can use to navigate around the infected system. The remote element can be slipped onto a target computer through a Trojan. Once installed, this server program communicates with the client console using standard networking procedures. Back Orifice is known to use port number 21337.
The Beast RAT attacks Windows systems from Windows 95 up to Windows 10. This uses the same client-server architecture that Back Orifice pioneered with the server part of the system being the malware that gets installed surreptitiously on the target computer. Once the server element is operational, the hacker can access the victim computer at will through the client program. The client connects to the target computer at port number 6666. The server is also able to open connections back to the client and that uses port number 9999. Beast was written in 2002 and is still widely in use.
This Trojan begins its infection with the installation of a server builder program. Initially, this program just makes contact with a Command and Control server and waits for instructions. The Trojan infects Windows systems from Windows 95 to Windows 10. However, its capabilities are reduced on Windows versions XP and later.
Once it is triggered, the server builder will set up a server program on the target computer. This enables the hacker, using a corresponding client program to get access to the infected computer and execute commands at will. The server software is stored in C:\Windows\Bifrost\server.exe or C:\Program Files \Bifrost\server.exe. This directory and file are hidden and so some anti-virus systems fail to detect Bifrost.
The server builder does not end its operations once the server has been created. Instead, it operates as a persistence system and will recreate the server in a different location and with a different name if the original server installation is spotted and removed. The server builder also employs rootkit methods to mask server processes and make the operating intrusion system very difficult to detect.
Since Windows Vista, the full destructive capabilities of Bifrost have been slowed down because many of the services that the malware uses require system privileges. However, if a user is tricked into installing the disguised server builder with system privileges, the Bifrost system can become fully-operational and will be very difficult to remove.
Blackshades is an off-the-peg hacking tool that was sold to hackers by its developers for $40 a pop. The FBI estimated that its producers earned a total of $340,000 selling this software. The developers were shut down and arrested in 2012 and a second wave of arrests in 2014 captured more than 100 users of Blackshades. However, there are still copies of the Blackshades system in circulation and it is still in active use. Blackshades targets Microsoft Windows from Windows 95 to Windows 10.
The toolkit includes methods of infection, such as malicious code to embed in websites that trigger installation routines. Other elements propagate the RAT by sending out links to infected web pages. These are sent to the social media contacts of an infected user.
The malware enables a hacker to get access to the target computer’s files system and download and execute files. Uses of the program include botnet functions that get the target computer to launch denial of service attacks. The infected computer can also be used as a proxy server to route hacker traffic and provide identity cover for other hacker activities.
The Blackshades toolkit is very easy to use and enables those who lack technical skills to become hackers. The system can also be used to create ransomware attacks. A second obfuscation program sold alongside Blackshades keeps the program hidden, enables it to relaunch when killed, and evades detection by anti-virus software.
Among attacks and events that have been traced to Blackshades are a 2012 campaign of disruption that targeted Syrian opposition forces.
French hacker Jean-Pierre Lesueur developed DarkComet in 2008, but the system didn’t really proliferate until 2012. This is another hacker system that targets the Windows operating system from Windows 95 up to Windows 10. It has a very easy-to-use interface and enables those without technical skills to perform hacker attacks.
The software enables spying through keylogging, screen capture and password harvesting. The controlling hacker can also operate the power functions of a remote computer, allowing a computer to be turned on or off remotely. The network functions of an infected computer can also be harnessed to use the computer as a proxy server to channel traffic and mask the hacker’s identity during raids on other computers.
DarkComet came to the cybersecurity community’s attention in 2012 when it was discovered that an African hacker unit was using the system to target the US government and military. At the same time, DarkComet attacks originating in Africa were launched against online gamers.
Lesueur abandoned the project in 2014 when it was discovered that DarkComet was in use by the Syrian government to spy on its citizens. The general populace had taken to employing VPNs and secure chat apps to block government surveillance, so the spyware features of DarkComet enabled the Syrian government to circumvent those security measures.
Mirage is the key RAT used by the state-sponsored Chinese hacker group known as APT15. After a very active spying campaign from 2009 to 2015, APT15 suddenly went quiet. Mirage itself was in use by the group from 2012. The detection of a Mirage variant in 2018 signaled that the group was back in action. This new RAT, known as MirageFox was used to spy on UK government contractors and was discovered in March 2018. Mirage and MirageFox each act as an agent on the infected computer. The Trojan part of the intrusion suite polls a Command and Control address for instructions. Those instructions are then implemented on the victim computer.
The original Mirage RAT was used for attacks on an oil company in the Philippines, the Taiwanese military, a Canadian energy company, and other targets in Brazil, Israel, Nigeria, and Egypt. Mirage and MirageFox get onto target systems through spear phishing campaigns. These are usually targeted at the executives of a victim company. The Trojan is delivered embedded in a PDF. Opening the PDF causes scripts to execute and they install the RAT. The RAT’s first action is to report back to the Command and Control system with an audit of the infected system’s capabilities. This information includes the CPU speed, memory capacity and utilization, system name and username.
The initial system report makes it seem as though the designers of Mirage made the RAT in order to steal system resources rather than access data on the target system. There is no typical Mirage attack because it seems that each intrusion is tailored towards specific targets. The RAT installation can be presaged by a fact-finding campaign and system checks. For example, the 2018 attack on British military contractor NCC gained access to the system via the company’s authorized VPN service.
The fact that each attack is highly-targeted means that a lot of expense is entailed by a Mirage infection. This high cost shows that Mirage attacks usually only aim at high-value targets that the Chinese government wishes to undermine or from which to steal technology.
Defense against remote access Trojans
Antivirus systems don’t do very well against RATs. Often the infection of a computer or network goes undetected for years. The obfuscation methods used by parallel programs to cloak the RAT procedures make them very difficult to spot. Persistence modules that use rootkit techniques mean that RATs are very difficult to get rid of. Sometimes, the only solution to rid your computer of a RAT is to wipe out all of your software and reinstall the operating system.
RAT prevention systems are rare because the RAT software can only be identified once it is operating on your system. The best way to manage the RAT problem is to use an intrusion detection system. Comparitech has a guide on intrusion detection systems, which gives you a full explanation of how these systems work and a rundown of recommended tools. However, if you don’t have time to read the full report, a summary of each of the recommended tools in that guide is included here below.
OSSEC stands for Open Source HIDS Security. A HIDS is a Host Intrusion Detection System, which examines events on the computers in a network rather than trying to spot anomalies in the network traffic, which is what network intrusion detection systems do. OSSEC is the current HIDS leader and it can be installed on Unix, Linux and Mac OS operating systems. Although it can’t run on Windows computers it can accept data from them. OSSEC examines event logs to look for RAT activities. This software is an open source project that is owned by cybersecurity firm, Trend Micro.
This is a data gathering tool, which doesn’t have a very user-friendly from end. Generally, the front end for this system is supplied by other tools, such as Splunk, Kibana, or Graylog. The detection engine of OSSEC is based on policies, which are alert conditions that might arise in the data. You can acquire pre-written packages of policies from other OSSEC users who make their packages available for free on the OSSEC user community forum. You can also write your own policies.
Snort is free to use and it is the industry leader in NIDS, which is a Network Intrusion Detection System. This system was created by Cisco Systems and it can be installed on Windows, Linux, and Unix. Snort can implement defense strategies, which makes it an intrusion prevention system. It has three modes options:
- Sniffer mode – a live packet sniffer
- Packet logger – records packets to a file
- Intrusion detection – includes an analysis module
The IDS mode of Snort applies “base policies” to the data. These are alert rules that provide the intrusion detection. Policies can be acquired for free from the Snort website, sourced from the user community, or you can write your own. Suspicious events that Snort can highlight include stealth port scanning, buffer overflow attacks, CGI attacks, SMB probes, and OS fingerprinting. Snort is capable of both signature-based detection methods and anomaly-based systems.
The front-end of Snort isn’t very good and most users interface data from Snort to better consoles and analysis tools, such as Snorby, BASE, Squil, and Anaval.
Bro is a free NIDS that can be installed on Unix, Linux, and Mac OS. This is a network monitoring system that includes intrusion detection methods. The IDS collects packet data to a file for later analysis. NIDS that operate on live data miss certain intrusion identifiers because hackers sometimes split RAT messaging over multiple packets. Therefore, application layers NIDS, such as Bro have better detection capabilities because they apply analysis across packets. Bro uses both signature-based analysis and anomaly-based detection.
The Bro Event Engine “listens” for triggering events, such as a new TCP connection or an HTTP request and logs them. Policy scripts then search through those logs to look for patterns in behavior, such as anomalous and illogical activity performed by one user account. Bro will track HTTP, DNS, and FTP activity. It also gathers SNMP notifications and can be used to detect device configuration changes and SNMP Trap messages.
Suricata is a NIDS that can be installed on Windows, Linux, Mac OS, and Unix. This is a fee-based system that applies application layer analysis, so it will detect signatures that are spread across packets. Suricata monitors IP, TLS, TCP, and UDP protocol activity and focuses on key network applications, such as FTP, HTTP, ICMP, and SMB. It can also examine TLS certificates and focus on HTTP requests and DNS calls. There is also a file extraction facility that enables the analysis of virus-infected files.
Suricata has a built-in scripting module that enables you to combine rules and get a more precise detection profile. This IDS uses both signature-based and anomaly-based detection methods. VRT rules files written for Snort can also be imported into Surcata because this IDS is compatible with the Snort platform. This also means that Snorby, BASE, Squil, and Anaval can serve as front ends to Suricata. However, the Suricata GUI is very sophisticated and includes graphical representations of data, so you might not need to use any other tool to view and analyze data.
Sagan is a free host-based intrusion detection system that can be installed on Unix, Linux, and Mac OS. You can’t run Sagan on Windows but you can feed Windows event logs into it. Data gathered by Snort, Suricata, or Bro can be imported into Sagan, which gives the data analytical tool of this utility a NIDS perspective as well as its native HIDS capabilities. Sagan is also compatible with other Snort-type systems, such as Snorby, BASE, Squil, and Anaval, which could all provide a front end for data analysis.
Sagan is a log analysis tool and it needs to be used in conjunction with other data gathering systems in order to create a full intrusion detection system. The utility includes an IP locator, so you can trace the sources of suspicious activities to a location. It can also group together the activities of suspicious IP addresses to identify team or distributed attacks. The analysis module works with both signature and anomaly detection methodologies.
Sagan can automatically execute scripts to lock down the network when it detects specific events. It performs these prevention tasks through interaction with firewall tables. So, this is an intrusion prevention system.
Security Onion was developed by splicing together the code for Snort, Suricata, OSSEC, Bro, Snorby, Sguil, Squert, Kibana, ELSA, Xplico, and NetworkMiner, which are all open source projects. This tool is a free Linux-based NIDS that include HIDS functionality. It was written to run specifically on Ubuntu.
Host-based analysis checks for file changes and network analysis is conducted by a packet sniffer, which can display passing data on a screen and also write to a file. The analysis engine of Security Onion is complicated because it combines the procedures of so many different tools. It includes device status monitoring as well as traffic analysis. There are both signature-based and anomaly-based alert rules included in this system. The interface of Kibana provides the dashboard for Security Onion and it includes graphs and charts to ease data analysis.
AIDE stands for “Advanced Intrusion Detection Environment.” This is a free HIDS that runs on Mac OS, Unix, and Linux. This IDS focuses on rootkit detection and file signature comparisons. The data gathering module populates a database of characteristics that are gleaned from log files. This database is a system status snapshot and any changes in device configuration trigger alerts. Those changes can be canceled by reference to the database or the database can be updated to reflect authorized configuration alterations.
System checks are performed on demand and not continuously, but it can be scheduled as a chron job. The rules base of AIDE uses both signature-based and anomaly-based monitoring methods.
OpenWIPS-NG comes from the developers of Aircrack-NG. In fact, it integrates Aircrack-NG as its wireless packet sniffer. Aircrack-NG is a well-known hacker tool, so this association may make you a little wary. WIPS stands for “Wireless Intrusion Prevention System” and it runs on Linux. This is a free utility that includes three elements:
- Sensor – the packet sniffer
- Server – data storage and analysis rulebase
- Interface – user-facing front end.
The sensor is also a transmitter, so it can implement intrusion prevention actions and cripple unwanted transmissions. The server performs analysis and also launches intervention policies to block detected intrusions. The interface module displays events and alerts to the systems administrator. This is also where settings can be tweaked and defensive actions can be adjusted or overridden.
Samhain, produced by Samhain Design Labs in Germany, is a free host-based intrusion detection system that installs on Unix, Linux, and Mac OS. It uses agents running at different points on the network, which report back to a central analysis module. Each agent performs file integrity checking, log file monitoring, and port monitoring. The processes look for rootkit viruses, rogue SUIDs (user access rights), and hidden processes.
Network communication between agents and the console is protected by encryption. Connections for the delivery of log file data include authentication requirements, which prevent intruders from hijacking or replacing the monitoring process.
Samhain will highlight warning signs of intrusion but it doesn’t have any resolution processes. You will need to keep backups of your configuration files and user identities in order to take action to resolve the problems that the Samhain monitor reveals. Samhain keeps its processes hidden by stealth technology, called “steganography” in order to prevent intruders from manipulating or killing the IDS. Central log files and configuration backups are signed with a PGP key to prevent tampering by intruders.
Fail2Ban is a free host-based intrusion prevention system that runs on Unix, Linux, and Mac OS X. The IDS analyses log files and imposes bans on IP addresses that display suspicious behavior. Automatic lockouts occur in Netfilter/IPtables or PF firewall rules and the hosts.deny table of TCP Wrapper. These blocks usually only last a few minutes, but that can be enough to disrupt a standard automated brute-force password-cracking scenario. Alert situations include excessive failed login attempts. A problem with Fail2Ban is that it focuses on repeated actions from one address. This doesn’t give it the ability to cope with distributed password cracking campaigns or DDoS attacks.
The monitoring scope of the system is defined by a series of “filters.” These instruct the IPS on which services to monitor. These include Postfix, Apache, Courier Mail Server, Lighttpd, sshd, vsftpd, and qmail. Each filter is combined with an action to perform in the event of an alert condition being detected. The combination of a filter and an action is called a “jail.”
Remote Access Trojan threats
Although much RAT activity appears to be government-directed, the existence of RAT toolkits makes network intrusion a task that anyone can perform. So, RAT and APT activity is not going to be limited to attacks on the military or high tech companies.
RATs combine with other malware to keep themselves hidden, which means that installing antivirus software on your computers isn’t enough to prevent hackers controlling your system with these methods. Investigate intrusion detection systems in order to defeat this hacker strategy.
Have you experienced a network intrusion that resulted in damage or loss of data? Have you implemented an intrusion prevention strategy to head off the RAT problem? Leave a message in the Comments section below to share your experiences.