A layman’s dictionary: RAT

RAT stands for Remote Administration Tool. While it may sound rather innocuous, the term “RAT” is usually associated with the software used for criminal or malicious purposes.

RAT is a term that is frequently used in cybersecurity publications, although it’s not encountered as often as Trojan. Still, in late August, Threatpost mentioned various RATs at least three times.

RAT stands for Remote Administration Tool. While it may sound rather innocuous, the term “RAT” is usually associated with the software used for criminal or malicious purposes. So the abbreviation totally makes sense, however, there are possible variations: Remote Access Tool, Remote Access Trojan, etc.

Malicious RAT software is typically installed without the victim’s knowledge, often as payload of a Trojan horse, and will try to conceal its operation from the victim and from security software as well.


Smelling the rat

RATs today are often a part of Trojan and backdoors: their capabilities allow an attacker to control the victim’s computer in many ways, including downloading any software (malware included, of course), uploading, deleting and renaming files, formatting drives, stealing passwords and credit card numbers, etc. In fact, a well-designed RAT allows an attacker to do anything they could do with the machine they have physical access to, which makes it a perfect espionage tool. RATs, among other things, allow for recording audio and video (if the appropriate hardware is present), recording and controlling the victim’s screen remotely, silently installing applications, viewing, killing, and starting tasks in task manager, and surfing the web with the IP-address of the infected computer.

Add here the possibility to overclock hardware down to its destruction.

Burrowing into the system

While real-world rodents can make the holes themselves, their cyber-“counterparts” require security holes to already be present. Those are not limited to software flaws.

One recently exposed campaign used some very convincing phishing mail coupled with macros-laden Word docs to deliver AutoIt RAT and plant malware.

While Microsoft disabled macros by default 8 years ago, hackers recently started exploiting them again, using phishing e-mails that urged victims to enable macros. This campaign is just an example of such an attack. Once the macros are enabled, the attack is executed, and the macros downloads some binaries and archives, bringing AutoIt RAT.

AutoIt is a totally legitimate, freeware tool that allows Windows administrators to write scripts that automate tasks. A huge, 600 Mb AutoIt script is downloaded along with it, and includes antianalysis checks, payload decryption, malware installation and persistence mechanisms. The script also installed other RATs (Cybergate or NanoCore), or the Parite worm. A detailed description can be found here.

Among other recent finds are the remote access Trojans named uWarrior and Jsocket. The latter turned out to be a refurbished AlienSpy remote access Trojan.

The former in turn looks like a Mr. Stitch among the RATs, borrowing various ready-off-the-shelf components from other malware (such as ctOS RAT). Researchers said, however, that the malware is “fully featured” and when it comes to exploitation, “the combination of methods and affected code is both new and complex.”

According to Threatpost, “The malware includes two old remote exploit code execution bugs, CVE-2012-1856 and CVE-2015-1770. The former, which affected the Microsoft Windows Common Controls MSCOMCTL.OCX back in 2012, is apparently back and using a novel return-oriented programming (ROP) chain to bypass ASLR…

The uWarrior arrives embedded in rigged .RTF documents – which means phishing is the primary infection vector.

Deratization

As said above RATs are often part of Trojans and backdoors, and they get into the system the “usual” ways – via phishing emails, macros-packed Word docs, exploiting software flaws, etc. All of these are preventable.

Kaspersky Lab business products are capable of detecting and blocking these threats using a large array of protective technologies, which include both malware detection, behavioural analysis, system and vulnerability assessment, and patch management tools. For more information on these functions please visit Kaspersky Lab’s corporate site.

Tips