Skip to main content
Protect Yourself

How To Avoid a RAT Infestation

By January 4, 2019No Comments

This is not a discussion on how to prevent or get rid of those large rodents that cause grown adults to scream like little children when they come scurrying across the floor or drop from a ceiling. We are referring to the remote access trojans (RATs) that are infesting computers and networks across the globe. These RATs are a type of malware that let a hacker gain administrative control of your computer. This threat is continuing to rise in popularity with one form, flawedAmmyy, entering the top 10 most prolific malware threats according to Check Point’s Global Threat Index for October 2018. How can we avoid or prevent a RAT infestation?

How To Avoid a RAT Infestation

What is a RAT?

A remote access trojan (RAT) is a malware program that opens a back door for complete control over the victim’s computer. RATs are usually downloaded invisibly with a user-requested program or embedded in an email attachment. Once installed, it can monitor user behavior through spyware, like keyloggers, access confidential information, activate the system’s webcam, distribute viruses and other malware, alter files and file systems, and more. Some become self–aware and are capable of evading several commonly used malware detection techniques. They have the ability to mask their presence and work silently. One RAT called GravityRAT can gauge the temperature of the CPU and determine if the system is carrying out intense activity and act accordingly to evade detection.

As mentioned earlier, RATs usually are delivered in an email and come in the form of an attachment in just about any format, such as MS Office products like Word, Excel, Publisher, and PowerPoint. They also can come as an Adobe Acrobat file or audio and video files. While most RATs are used in spear phishing campaigns (a direct targeted attack against an individual), ones like FlawedAmmyy have been used in massive phishing assaults. One large attack was reported against Godiva Chocolates, Yogurtland, and Pinkberry. The attachments that are sent can be disguised as invoices or shipping documents. One spear-phishing campaign in Turkey purported to be an official communication from the Turkish Revenue Administration, and there was a possible tax exemption for the receiver if the attached documents were filled out. In order to view the content in the documents, the victim had to enable macros. The attached document had code embedded in it to download and install a RAT known as Remcos (based on the remote administration tool by the same name).

In addition to the ones discussed, some other RATs to look out for are JBIFrost, DarkComet, Adwind, Coldroot, and njRAT. All of these have the same intent, to give the attacker remote administration privileges to a victim’s machine. Now that we see what a RAT is, and what it can do, how can we detect, remediate, and prevent an infestation?

How to detect, remediate, and prevent

While this form of attack isn’t anything new, as forms of it date back to 2002, it continues to evolve to stay ahead of the advancement of Intrusion Detection Systems (IDS) and Advanced Persistent Threat (APT) detection tools. Detection isn’t always easy but not impossible. If it is your personal system and you are noticing a performance issue and strange things are happening after you’ve opened an attachment call a professional.

If you are tech savvy and you don’t want to hire a professional, then feel free to investigate to see if there are any strange processes running. Additionally, look for odd traffic coming from the computer or the network using tools such as Wireshark or using Netstat in a command prompt. If you are on a company owned device and you suspect something maybe on your system, then report it to your network administrator or your cyber security department. If a RAT is on the system, then remediation can be tricky depending on the device. The recommended method is to make sure that you have all your data backed up, wipe the system, and then reinstall the operating system.

When it comes to prevention, it is best afforded by a layered approach. Which should consist of:

  • Systems having an antivirus and a malware protection program on it and making sure they are always up to date;
  • Systems and installed applications being fully patched and updated;
  • Administrators applying strict application whitelisting, blocking unused ports, turning off unused services, and monitoring outgoing traffic to prevent infections from occurring;

    • Refraining from downloading programs or opening attachments that aren’t from a trusted source.

  • Avoid enabling macros without verifying that the attachment was indeed sent from a trusted source.

Since the initial infection mechanism for RATs is usually through phishing email, you can help prevent infections by stopping these phishing emails from reaching your users, helping users to identify and report phishing emails, and implementing security controls so that the malicious email doesn’t compromise your devices. One way to help in educating users and raising awareness is through a solid phishing program tailored to your user base, such as Social Engineer’s Phishing as a Service® (PHaaS®) program. If you are interested in preventing a RAT infestation, then contact us for more information at our webpage https://www.social-engineer.com/contact.

Resources:
https://www.scmagazine.com/home/security-news/pied-piper-phishing-scheme-infests-victims-with-flawedammyy-rms-rats/
https://www.zdnet.com/article/ukrainian-police-arrest-hacker-who-infected-over-2000-users-with-darkcomet-rat/
https://www.zdnet.com/article/this-remote-access-trojan-just-popped-up-on-malwares-most-wanted-list/
https://www.bleepingcomputer.com/news/security/coldroot-rat-still-undetectable-despite-being-uploaded-on-github-two-years-ago/
https://www.comparitech.com/net-admin/remote-access-trojan-rat/
https://blog.checkpoint.com/2018/11/13/october-2018s-most-wanted-malware-for-the-first-time-remote-access-trojan-reaches-top-threats-cryptomining/
https://www.computerweekly.com/news/252450434/RATs-and-Mimikatz-among-top-publicly-available-hacking-tools
https://krebsonsecurity.com/2018/07/luminositylink-rat-author-pleads-guilty/
https://betanews.com/2018/08/31/botnet-remote-access-trojans/
https://www.bleepingcomputer.com/news/security/beware-of-fake-shipping-docs-malspam-pushing-the-darkcomet-rat/
https://www.thehindu.com/sci-tech/technology/a-rat-that-spies-on-computers/article23787614.ece
https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/
https://combofix.org/5-ways-to-catch-a-rat.php

Tags:

Leave a Reply

Security Assessment Case Study
Learn more about the importance of a Social Engineering Risk Assessment.
Download Now
Security Assessment Case Study
Learn more about the importance of a Social Engineering Risk Assessment.
Download Now
What Makes Us Different
At Social-Engineer, we pride ourselves on what we do and how we do it. We are a security services provider, focusing on four primary attack vectors. This case study will go through how we can protect your company and what makes us different.
Download Now
What Makes Us Different
At Social-Engineer, we pride ourselves on what we do and how we do it. We are a security services provider, focusing on four primary attack vectors. This case study will go through how we can protect your company and what makes us different.
Download Now
Woman vs Machine
Technology is providing new, more innovative ways to enhance our world. Scientists are constantly developing smarter, faster and more intelligent machines, systems and robots. There is no doubt that each of these has evolved beyond their clockwork origins.
Download Now
Woman vs Machine
Technology is providing new, more innovative ways to enhance our world. Scientists are constantly developing smarter, faster and more intelligent machines, systems and robots. There is no doubt that each of these has evolved beyond their clockwork origins.
Download Now
Vishing and Phishing Must Be Ongoing to Be Effective
Most companies have a security awareness program in one form or another. If they don’t, it should be on the short list of programs to start as soon as possible. In our experience, many of these programs take the form of computer-based training.
Download Now
Vishing and Phishing Must Be Ongoing to Be Effective
Most companies have a security awareness program in one form or another. If they don’t, it should be on the short list of programs to start as soon as possible. In our experience, many of these programs take the form of computer-based training.
Download Now
A Case Study in Vishing
Vishing (voice-based phishing) has been a problem for quite a long time. There are many vendors in the marketplace that offer vishing services. However they tend to use robo-callers or call centers for large volume engagements. If they are using trained humans to make calls, it is likely in very low numbers.
Download Now
A Case Study in Vishing
Vishing (voice-based phishing) has been a problem for quite a long time. There are many vendors in the marketplace that offer vishing services. However they tend to use robo-callers or call centers for large volume engagements. If they are using trained humans to make calls, it is likely in very low numbers.
Download Now
Benefits of a Social-Engineering Risk Assessment Engagement
Your company is important. Indeed, the data you hold for your clients or employees is very valuable and attackers seek to capitalize on that data any way they can. This is where a Social Engineering Risk Assessment (SERA) engagement can help uncover possible vulnerability to attackers.
Download Now
Benefits of a Social-Engineering Risk Assessment Engagement
Your company is important. Indeed, the data you hold for your clients or employees is very valuable and attackers seek to capitalize on that data any way they can. This is where a Social Engineering Risk Assessment (SERA) engagement can help uncover possible vulnerability to attackers.
Download Now
The Business Value of the Social-Engineer Phishing Service
Cybercriminals are targeting the human element of organizations. Additionally, they are developing techniques to use an organization’s employees as the first point of entry. According to the 2021 Verizon DBIR report, of the 3,841 security breaches reported using social engineering, phishing was the key vector for over 80% of them.
Download Now
The Business Value of the Social-Engineer Phishing Service
Cybercriminals are targeting the human element of organizations. Additionally, they are developing techniques to use an organization’s employees as the first point of entry. According to the 2021 Verizon DBIR report, of the 3,841 security breaches reported using social engineering, phishing was the key vector for over 80% of them.
Download Now