What Is a Remote Access Trojan and How To Protect Against It?

Our systems’ existing capabilities for remote access have proven to be a game-changer during the ongoing pandemic. Remote access allows individuals and teams to reach a physically located resource from virtually anywhere. For internal and external support teams, it means support staff no longer need to travel from one location to another to solve minor issues. Without a doubt, it can maximize the potential of teams. However, like any other IT component, it requires adequate security measures. Remote access is, at its core, the ability to control systems from afar, and if it falls into the wrong hands the results can be disastrous. This article explores remote access trojans (RATs), their history, and the defensive measures you can adopt.

What Is RAT?

RAT is an acronym for Remote Access Trojan. It is a prime example of how attackers can use remote access technology maliciously. As a trojan, it is malware that opens a backdoor giving the attacker administrative access to the target computer system. This malware has two typical modes of delivery:

  • As an email attachment
  • As a silent download bundled with a user-requested download from a malicious site

In both of these modes, attackers disguise their RAT as something legitimate. Our experts have observed similarities between the behavior of RATs and keyloggers. However, a keylogger’s objective is limited to recording user keystrokes, whereas a RAT gives the attacker unauthorized access to the target system.

As soon as a remote access trojan executes, it gives the attacker administrative control of the target computer. The attacker can then:

  • Use a keylogger to monitor user activity
  • Remotely activate the target computer’s webcam and record video or capture pictures
  • Take screenshots of the computer screen
  • Format the local storage drives
  • Modify, alter, or delete user data and system files
  • Access the user’s confidential information, such as passwords, payment details, social security number, etc.
  • Distribute malicious programs to other connected computer systems

How Did They Come Into Existence?

The exact origin of RATs is not known. However, they have been around for a couple of decades. Famous RATs include Back Orifice, Poison-Ivy, and SubSeven. They came into existence around the mid-1990s, and attackers continue to use them to this day. Building on these malicious programs, security researchers and service providers have detected various improved versions over the years. While attackers aim to evade an organization’s defensive security measures, security companies keep getting better at understanding attackers’ tactics, techniques, and procedures (TTPs).

Why Are RATs Useful For Attackers?

After a RAT is installed, it does not announce its arrival. Attackers using RATs keep a low profile, and the malware does not appear in the list of active programs or processes. It is a real possibility that a remote access trojan remains dormant for some time before it springs into action. By understanding how the system schedules CPU and other resources, attackers keep the drop in performance minimal.

RATs also play a prominent role in advanced persistent threat (APT) attacks. The primary objective of an APT is to remain stealthy and gather data over time, rather than damaging systems and resources as soon as the backdoor is established. With administrative control and no noticeable change in system performance, attackers can use the infected system remotely much as they could if they were sitting in front of it.

Successful attacks involving RATs can have repercussions on a larger scale. For instance, if an attacker can install a RAT on critical infrastructure systems such as telephone networks or power stations, they can disrupt operations on a nationwide scale. In 2008, Russia coordinated its physical warfare initiatives with offensive cyber warfare tactics to seize territory from its neighbor Georgia. The Russian government used massive DDoS attacks in combination with APTs that relied heavily on RATs. They were able to gather information about Georgia’s military operations and eventually disrupt them.

Protecting Your Systems From RATs: What Should You Do?

One of the most obvious suggestions is to avoid downloading attachments from unknown senders. Downloading free games, software, movies, and other files from untrustworthy or unfamiliar sites must be avoided. At the same time, never delay installing updates for your operating system, browser(s), and applications.

Creating a new RAT from scratch that successfully evades detection takes an attacker a reasonable amount of time. As per our experts’ understanding of how attackers operate, they will only invest this time against larger targets such as banks, critical infrastructure, multi-national companies, and governments. However, this does not mean that merely installing anti-virus or anti-malware tools is sufficient. If you are a decision-maker, ensure that acceptable security practices related to RATs are part of your organization’s security training program for employees.

Endnotes

Keeping track of the activity on a personal system is a reasonably easy responsibility for an individual user. In an organizational setting, however, where security teams are responsible for tens or hundreds of computers, it becomes labor-intensive and tricky. As the number of systems and users grows, many variables come into play that may affect the efficiency of your organization’s security program. As RATs continue to make a visible impact on business operations, organizations can no longer remain in a wait-and-watch mode. They should explore implementing advanced solutions such as a Security Information and Event Management (SIEM) system as part of their overall security operations.
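As an added example that is not part of the original article, the Python script below sketches the kind of correlation a SIEM could run over endpoint telemetry to surface two RAT traits described above: a process that quietly checks in with the same external host on a fixed schedule, and a process that generates network traffic yet does not show up in the host’s own process list. The CSV-like log format, field names, thresholds and every sample event are constructed assumptions for this illustration, not any product’s schema or real data.

```python
"""Added example (not from the original article): a minimal SIEM-style
correlation over constructed endpoint telemetry with two defensive checks:
  1. beaconing: a process connecting to the same external host at a
     near-constant interval (quiet, scheduled check-in traffic);
  2. cross-view: a PID with network activity that is absent from the
     host's own process list (malware hiding from the task list).
Log format, field names, thresholds and sample events are all assumptions.
"""

import ipaddress
import statistics
from collections import defaultdict

# Constructed sample telemetry: epoch_seconds,event,process,pid,dst_ip,dst_port
SAMPLE_LOG = """\
1000,net_conn,updater.exe,4242,203.0.113.7,443
1012,net_conn,outlook.exe,3100,198.51.100.20,443
1060,net_conn,updater.exe,4242,203.0.113.7,443
1120,net_conn,updater.exe,4242,203.0.113.7,443
1180,net_conn,updater.exe,4242,203.0.113.7,443
1240,net_conn,updater.exe,4242,203.0.113.7,443
1300,net_conn,outlook.exe,3100,198.51.100.20,443
1400,net_conn,outlook.exe,3100,198.51.100.20,443
1450,net_conn,outlook.exe,3100,192.168.1.5,445
1600,net_conn,outlook.exe,3100,198.51.100.20,443
"""

# Constructed process-list snapshot from the same host (what the user's task
# list showed).  PID 4242 is deliberately absent to model a hidden process.
PROCESS_SNAPSHOT = {3100, 812, 1044}

MIN_CONNS = 4      # minimum connections before judging regularity
MAX_JITTER = 0.20  # pstdev/mean of inter-connection gaps; lower = more regular

# RFC 1918, loopback and link-local ranges count as internal.  ip_address().is_private
# is not used here because it also treats the RFC 5737 documentation ranges used in
# the sample data as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_events(text):
    """Parse the constructed CSV-like lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, process, pid, dst_ip, dst_port = line.split(",")
        events.append({"ts": int(ts), "event": event, "process": process,
                       "pid": int(pid), "dst_ip": dst_ip, "dst_port": int(dst_port)})
    return events


def is_external(ip):
    """True when the destination lies outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_beacons(events, min_conns=MIN_CONNS, max_jitter=MAX_JITTER):
    """Flag (process, pid, dst_ip) whose external connections recur at a
    near-constant interval; irregular user-driven traffic is left alone."""
    by_dest = defaultdict(list)
    for e in events:
        if e["event"] == "net_conn" and is_external(e["dst_ip"]):
            by_dest[(e["process"], e["pid"], e["dst_ip"])].append(e["ts"])

    findings = []
    for (process, pid, dst_ip), times in by_dest.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap else 0.0
        if jitter <= max_jitter:
            findings.append({"process": process, "pid": pid, "dst_ip": dst_ip,
                             "connections": len(times), "mean_gap_s": mean_gap,
                             "jitter": round(jitter, 3)})
    return findings


def find_hidden_talkers(events, snapshot):
    """Cross-view check: PIDs with network activity that the host's own
    process list does not show.  Returns {pid: process_name}."""
    hidden = {}
    for e in events:
        if e["event"] == "net_conn" and e["pid"] not in snapshot:
            hidden.setdefault(e["pid"], e["process"])
    return hidden


def run(log_text=SAMPLE_LOG, snapshot=PROCESS_SNAPSHOT):
    """Run both checks and return the findings as one dict."""
    events = parse_events(log_text)
    return {"beacons": find_beacons(events),
            "hidden_pids": find_hidden_talkers(events, snapshot)}


if __name__ == "__main__":
    result = run()
    for b in result["beacons"]:
        print(f"[beacon] {b['process']} pid={b['pid']} -> {b['dst_ip']} every "
              f"~{b['mean_gap_s']:.0f}s over {b['connections']} connections (jitter={b['jitter']})")
    for pid, name in result["hidden_pids"].items():
        print(f"[hidden] pid={pid} ({name}) has network activity but is not in the process list")
```

On the constructed data the script flags updater.exe (PID 4242) on both counts: it reaches 203.0.113.7 every 60 seconds with zero jitter and is missing from the process snapshot, while outlook.exe’s irregular traffic and its internal SMB connection are ignored. In a real deployment the two inputs would come from network telemetry and a periodic process inventory, and the thresholds would be tuned against baseline traffic before alerting.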

 

References

Before the Gunfire, Cyberattacks (The New York Times)