REMOTE ACCESS TROJAN (RAT)

What is a RAT?

RAT stands for Remote Access Trojan: a malicious program that contains a backdoor giving an attacker administrative control of the target computer. RATs get onto computers through spam, bundled with other malware, or hidden inside some other software or application.

RATs are typically downloaded unknowingly alongside user-requested programs, such as games, or arrive as email attachments. Once a host system is compromised, attackers can use it to spread the RAT to other vulnerable computers and build a botnet.

How does a RAT work?

A RAT monitors user behavior with keyloggers or other spyware and harvests sensitive information such as credit card and social security numbers. RAT malware can also activate the system webcam and record video.

It can also distribute viruses and other malware, and delete, upload, or modify files and file systems without any user interaction. RATs can be difficult to detect because they usually do not appear in the list of running programs or in task lists, and the actions they perform may resemble those of legitimate programs.

Prevention of RATs

  • To protect your system from RAT attacks, follow the same procedures you use to prevent other malware infections: keep your antivirus software up to date and avoid downloading programs or opening attachments from untrusted sources. From an administrative standpoint, it’s always a good idea to block unused ports, disable unused services, and monitor outgoing traffic.
  • Always install a good antivirus program that can detect and remove RATs. Detecting a RAT is a daunting task, since they are installed under random names and may look like any other common application, so a good antivirus program is needed to deal with them. Monitoring your network is also a good way to detect Trojans that send your personal data over the Internet.
  • If you are not using a remote administration tool, disable Remote Assistance connections to your computer. The setting is under System Properties > Remote tab > uncheck “Allow Remote Assistance to connect to this computer”.
  • Always keep your operating system, installed software, and especially security programs up to date. Do not open emails from unknown or untrusted senders, and do not download software from anywhere other than the official website or an official mirror.

Recent news about the AsyncRAT

A malware campaign believed to have started recently has been spotted using a new delivery method for the AsyncRAT Trojan. AsyncRAT is a well-known open-source remote access Trojan used by various attackers to control infected systems. The campaign begins with a simple phishing email that carries an HTML attachment.

When the user opens the HTML attachment, they are shown a web page that prompts them to save an ISO file. Unlike attacks where the next-stage malware is hosted on a phishing domain, the HTML file uses JavaScript to build the ISO file locally from a Base64-encoded string embedded in the HTML itself. This removes the need for the malware to make any network connection to download the next payload, letting it bypass network-layer controls.

Once the ISO file is downloaded and opened, it is mounted as a DVD drive on the Windows host and contains a BAT or VBS file. Running that file retrieves the next stage via a PowerShell command. From there, the AsyncRAT payload is fetched and executed in memory, together with support files that add Windows Defender exclusions and check the machine for antivirus (AV) products.

Because the initial infection vector is an HTML attachment in a phishing email, appropriate email security controls such as antivirus scanning and attachment sandboxing can help keep malicious emails out of end-user mailboxes. Proper end-user training can also help users identify and remove phishing emails that do reach their inboxes.
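As an added example (not from the original article and not code from any vendor or from the campaign), the following Python script applies the attachment-inspection idea from the two paragraphs above. It scans an HTML attachment for the building blocks of client-side payload assembly described there (a Base64 decode, Blob construction, a forced download with a disk-image filename, and an unusually large embedded Base64 run) and returns a verdict a mail gateway could act on. The indicator names, the scoring thresholds and both sample documents are constructed for this illustration.

```python
"""Heuristic check for HTML-smuggling attachments.

Added example: flags HTML that assembles a binary client-side from an
embedded Base64 string instead of fetching it over the network. Indicator
names and thresholds are assumptions chosen for this illustration.
"""
import re
from typing import Dict, List

# Building blocks of client-side payload assembly, viewed from the defender's side.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "blob_construct": re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "legacy_save": re.compile(r"msSaveOrOpenBlob\s*\(", re.I),
    "forced_download": re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]", re.I),
    "disk_image_name": re.compile(r"['\"][^'\"<>]*\.(?:iso|img|vhd|vhdx)['\"]", re.I),
}
# 512+ consecutive Base64 characters is far larger than an inline icon in
# ordinary mail and signals an embedded binary. Tune the length per environment.
LARGE_B64 = re.compile(r"[A-Za-z0-9+/]{512,}={0,2}")


def scan_html(html: str) -> Dict[str, object]:
    """Return the indicators found, the largest Base64 run, a score and a verdict."""
    hits: List[str] = [name for name, rx in INDICATORS.items() if rx.search(html)]
    largest = max((len(m) for m in LARGE_B64.findall(html)), default=0)
    score = len(hits) + (2 if largest else 0)  # a large blob weighs as two indicators
    if score >= 4:
        verdict = "quarantine"
    elif score >= 2:
        verdict = "review"
    else:
        verdict = "allow"
    return {"indicators": hits, "largest_base64_run": largest,
            "score": score, "verdict": verdict}


# Constructed sample: fragments carrying the indicators, not a working page.
# "QUJD" * 200 stands in for the embedded binary.
SMUGGLING_SAMPLE = (
    "<html><body><script>\n"
    'var payload = "' + "QUJD" * 200 + '";\n'
    "var blob = new Blob([atob(payload)]);\n"
    'link.href = URL.createObjectURL(blob); link.download = "invoice.iso";\n'
    "</script></body></html>"
)

# Constructed benign sample: a small inline image plus an ordinary download link.
BENIGN_SAMPLE = (
    '<html><head><link rel="stylesheet" href="style.css"></head><body>\n'
    '<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUg==" alt="logo">\n'
    '<a href="report.pdf" download>Quarterly report</a>\n'
    "</body></html>"
)

if __name__ == "__main__":
    for label, doc in (("smuggling", SMUGGLING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_html(doc))
```

The check is deliberately content-based rather than reputation-based: because the payload never crosses the network, URL filtering and download sandboxing see nothing, so the attachment itself is the only place left to look. A "review" verdict is meant for a sandbox detonation or analyst queue, not an automatic block, since a single indicator such as a download attribute is common in legitimate mail.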

Conclusion

While the ISO file stage of this malware does not establish network connections, later stages, such as the PowerShell stage, make outbound calls to a remote domain. Proper network security controls can therefore still stop the infection further down the chain. Similarly, proper logging and monitoring of endpoints can help detect the infection chain used by this campaign, since it relies on processes that are frequently abused.
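To make the endpoint-monitoring point concrete, here is an added example (not from the original article, and not part of any EDR product) that encodes the infection chain described in the AsyncRAT section above as four detection rules and runs them over constructed process-creation records. The record fields (`pid`, `image`, `parent_image`, `cmdline`, `cwd`) are assumptions modelled on what a Sysmon Event ID 1 or EDR feed provides; the sample command lines, paths and process IDs are constructed, with the downloaded stage redacted.

```python
"""Detection rules for the ISO -> script host -> PowerShell chain.

Added example: four rules run over constructed process-creation records
with the fields an EDR or Sysmon Event ID 1 feed provides (field names
here are assumptions; map them to your own telemetry).
"""
import re
from typing import Any, Callable, Dict, List, Tuple

Event = Dict[str, Any]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}  # interpreters for VBS/BAT
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Arguments typical of a stager: hidden window, encoded command, remote code fetch.
STAGER_ARGS = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|e(?:nc|ncodedcommand)?\s)"
    r"|downloadstring|downloadfile|invoke-expression|\biex\b|frombase64string", re.I)
# Defender tampering through its own management cmdlets.
DEFENDER_TAMPER = re.compile(
    r"add-mppreference\s.*-exclusion(?:path|process|extension)"
    r"|set-mppreference\s.*-disable", re.I)
# Enumerating installed AV through the Security Center WMI namespace.
AV_ENUM = re.compile(r"securitycenter2.*antivirusproduct", re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _drive(path: str) -> str:
    m = re.match(r"^[A-Za-z]:", path)
    return m.group(0).upper() if m else ""


def script_host_on_mounted_media(ev: Event) -> bool:
    """BAT/VBS interpreter working from a non-system drive, e.g. a mounted ISO."""
    return (_basename(ev["image"]) in SCRIPT_HOSTS
            and _drive(ev.get("cwd", "")) not in ("", "C:"))


def powershell_from_script_host(ev: Event) -> bool:
    """Script host spawning PowerShell with stager-style arguments."""
    return (_basename(ev["image"]) in POWERSHELL
            and _basename(ev["parent_image"]) in SCRIPT_HOSTS
            and bool(STAGER_ARGS.search(ev["cmdline"])))


def defender_exclusion_added(ev: Event) -> bool:
    """PowerShell adding Defender exclusions or disabling protection features."""
    return _basename(ev["image"]) in POWERSHELL and bool(DEFENDER_TAMPER.search(ev["cmdline"]))


def av_product_enumeration(ev: Event) -> bool:
    """Any process querying the list of registered AV products."""
    return bool(AV_ENUM.search(ev["cmdline"]))


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("script_host_on_mounted_media", script_host_on_mounted_media),
    ("powershell_from_script_host", powershell_from_script_host),
    ("defender_exclusion_added", defender_exclusion_added),
    ("av_product_enumeration", av_product_enumeration),
]


def evaluate(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) for every rule that fires on an event."""
    return [(name, int(ev["pid"])) for ev in events for name, rule in RULES if rule(ev)]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed records: the first four mirror the chain described in the article,
# the last two are ordinary user activity that must not fire.
EVENTS: List[Event] = [
    {"pid": 4120, "image": WSCRIPT, "parent_image": EXPLORER,
     "cmdline": r'wscript.exe "E:\invoice.vbs"', "cwd": "E:\\"},
    {"pid": 4188, "image": PS, "parent_image": WSCRIPT,
     "cmdline": 'powershell.exe -w hidden -nop -c "IEX (<next stage, redacted in sample>)"',
     "cwd": "E:\\"},
    {"pid": 4200, "image": PS, "parent_image": PS,
     "cmdline": r'powershell.exe -c "Add-MpPreference -ExclusionPath C:\Users\Public"',
     "cwd": r"C:\Users\Public"},
    {"pid": 4212, "image": PS, "parent_image": PS,
     "cmdline": r'powershell.exe -c "Get-CimInstance -Namespace root\SecurityCenter2 -ClassName AntiVirusProduct"',
     "cwd": r"C:\Users\Public"},
    {"pid": 5000, "image": PS, "parent_image": EXPLORER,
     "cmdline": "powershell.exe -NoLogo", "cwd": r"C:\Users\alice"},
    {"pid": 5012, "image": r"C:\Windows\System32\cmd.exe", "parent_image": EXPLORER,
     "cmdline": "cmd.exe /c dir", "cwd": r"C:\Users\alice"},
]

if __name__ == "__main__":
    for name, pid in evaluate(EVENTS):
        print(f"{name}: pid {pid}")
```

Each rule keys on a parent/child relationship or a command-line feature rather than on a file hash, which is what lets it survive a re-packed payload. The mounted-media rule assumes the system drive is C:; the script-host rule deliberately requires both an unusual parent and stager-style arguments so that an administrator's interactive PowerShell session does not trip it. In production these would be correlated by host and time window, since the four events firing in sequence on one machine is far stronger evidence than any one of them alone.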