RAT: What is it and how does it work?

Hector Monjardin
March 26, 2024

With the technological advancements available today, it's common for many devices to face various threats. One of the most prevalent threats comes from a type of malware known as a "Trojan." The key feature of this malware is its ability to hide within another application or masquerade as one, evading detection by antivirus programs. When executed, it can release the virus payload without raising suspicions from the victim. There are numerous types of Trojans, categorized based on their objectives. One widely used type is the "Remote Access Trojan" (RAT), allowing attackers to gain remote access to the victim's machine.

Due to the nature of this malware, it utilizes the RDP protocol, enabling the attacker to have complete access to the machine, including keyboard and cursor manipulation. However, this doesn't imply access to all of the victim's information, as it only gains access to the machine and not the encrypted information on the device. That's why RATs are often installed alongside other malware, such as "keyloggers." A keylogger is a background-running malware that keeps a record of everything the user types and interacts with on the machine. This way, the attacker can potentially obtain a log of the victim's user accounts and passwords.

The infection process of this malware relies on social engineering to persuade the victim to install a specific application containing the RAT. Another alternative involves using phishing methods and disguising the malware so that it can be executed. Yet another option is downloading an application from a suspicious site, increasing the likelihood of the virus being installed on the machine. An important point to note is that RATs can be concealed within the macros of Word, Excel, and PowerPoint files, which are among the primary camouflage methods employed by this Trojan.
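Because Office macros are one of the concealment methods described above, a mail gateway or analyst can triage attachments statically before anyone opens them. The following is an added example, not code from the original article: it checks an Office Open XML file for embedded VBA parts and for a macro-free extension that contradicts its contents. The function names, flag strings and sample files are assumptions constructed for illustration.

```python
import io
import zipfile

CT = "[Content_Types].xml"                       # manifest present in every OOXML file
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")    # legacy .doc/.xls/.ppt container
MACRO_PARTS = {"vbaproject.bin", "vbadata.xml"}  # VBA storage inside OOXML
MACRO_FREE_EXT = (".docx", ".xlsx", ".pptx")     # extensions that must not carry VBA


def triage_office_file(name, data):
    """Static macro triage of one attachment; never opens or runs the document."""
    result = {"name": name, "container": "unknown", "macro_parts": [], "flags": []}
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: macros sit in OLE streams this sketch does not parse.
        result["container"] = "ole"
        result["flags"].append("legacy-format-needs-ole-analysis")
        return result
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        raw = zf.read(CT) if CT in names else b""
    result["container"] = "ooxml" if raw else "zip"
    result["macro_parts"] = [n for n in names if n.lower().rsplit("/", 1)[-1] in MACRO_PARTS]
    if result["macro_parts"]:
        result["flags"].append("contains-vba-project")
        if name.lower().endswith(MACRO_FREE_EXT):
            result["flags"].append("extension-claims-macro-free")
    if b"macroenabled" in raw.lower():
        result["flags"].append("macro-enabled-content-type")
    return result


def make_sample(parts):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, body in parts.items():
            zf.writestr(path, body)
    return buf.getvalue()


# Constructed samples (not real documents): one clean, one carrying a VBA part.
CLEAN = make_sample({CT: b"<Types>wordprocessingml.document.main+xml</Types>",
                     "word/document.xml": b"<w:document/>"})
SUSPECT = make_sample({CT: b"<Types>ms-word.document.macroEnabled.main+xml</Types>",
                       "word/vbaProject.bin": b"placeholder, not a real VBA project"})

if __name__ == "__main__":
    for fname, blob in (("report.docx", CLEAN), ("invoice.docx", SUSPECT)):
        print(triage_office_file(fname, blob))
```

A flagged file is a candidate for quarantine or sandbox analysis, not proof of infection, since many legitimate documents contain macros.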

On December 23, 2015, half of the territory of Ivano-Frankivsk experienced a cyberattack in which the electricity was cut off for several hours. According to telemetry data from ESET, this was not an isolated incident but a coordinated attack, as other power plants in Ukraine suffered a similar incident almost simultaneously. The investigation found that the malware used is called "BlackEnergy," a RAT with a backdoor function that was used to install KillDisk, which prevents devices from starting up.

The RAT "BlackEnergy" was introduced at the Virus Bulletin 2014 conference, where it was portrayed as a cyber espionage tool. It was also revealed that this malware could be inserted alongside the vulnerability "CVE-2014-4114," which affected PowerPoint. As a result, numerous attacks were carried out in 2014 with the aim of infecting devices using the malware and the PowerPoint vulnerability. According to Ukraine's Computer Emergency Response Team (CERT-UA), a connection between the malware and "KillDisk" was identified in 2015. However, many companies fell victim to these attacks before power plants became the primary target. Below is an image of the utilized infected file:

Image 1: This is the Excel file infected with "BlackEnergy" [1]

Another well-known RAT is called "NanoCore", primarily used for espionage and information theft. This malware has been active since 2013, and according to the United States Cybersecurity and Infrastructure Security Agency (CISA), in 2021, it was the most widely used malware across cyberspace. It was typically distributed through phishing attacks, where victims received emails with attachments, requesting their assistance in reviewing them. These seemingly harmless attachments, however, sent information to the attacker, who compiled a database later auctioned on clandestine and illegal forums. NanoCore continues to be one of the most prevalent malware types today. Below are some examples of the identified emails associated with this malware:

Image 2: Example of email with "NanoCore"

Image 3: Example of email with "NanoCore" [2]

As observed through these cases, no one is exempt from becoming a victim of cyberattacks. However, there are prevention methods, including practicing good cybersecurity habits, avoiding opening suspicious emails or messages, and keeping all applications and services updated, among many others. Nevertheless, this is not a guarantee that we cannot fall victim to an attack, so it's essential to be aware of the dangers on the internet and act responsibly in such situations.

References:

[1] El troyano BlackEnergy ataca a una planta de energía eléctrica en Ucrania. (2016, January 5). https://www.welivesecurity.com/la-es/2016/01/05/troyano-blackenergy-ataca-planta-energia-electrica-ucrania/

[2] NanoCore: un malware del tipo RAT muy utilizado para espiar a las víctimas. (2022, November 17). https://www.welivesecurity.com/la-es/2022/11/17/nanocore-malware-principales-caracteristicas/

[3] Qué es un troyano de acceso remoto (RAT)? Cómo detectarlos y mucho más | Proofpoint ES. (2023, December 29). Proofpoint. https://www.proofpoint.com/es/threat-reference/remote-access-trojan
