Remote Access Trojan (RAT)
Remote Access Trojan Definition
Remote access and control of computers is not entirely criminal. For years, tools for accessing computers and servers remotely—such as Microsoft’s Remote Desktop Protocol (RDP) and TeamViewer—have been used by employees traveling or working from home and IT staff providing technical support to users.
With the rise of remote work during the COVID-19 pandemic and the scale demanded by globalization and digital transformation, the use of remote access tools has risen significantly. However, the use of remote access and control for nefarious purposes is also on the rise.
Remote Access Trojans (RATs) are a considerable threat to organizations across the globe. RAT hackers have developed several Trojan varieties, and security teams and antivirus software developers are working hard to keep up.
But what is a RAT and how does it work? More importantly, how can you detect a RAT infection or protect organizational resources from getting infected in the first place?
Remote Access Trojan (RAT) Types
As the name suggests, a Remote Access Trojan is a form of malware that provides the perpetrator remote access and control of the infected computer or server. Once access is gained, the hacker can use the infected machine for a number of illegal activities, such as harvesting credentials from the keyboard or clipboard, installing or removing software, stealing files, and hijacking the webcam—all without the owner's consent or knowledge.
Not all remote access is illegal. So to differentiate, professionals use the term "remote access tools" for legitimate access and control and "remote access Trojan" for illegal access and control.
The Birth and Rise of the RAT
The designation “Trojan” was inspired by the Greek myth of the Trojan horse that was used to conquer Troy in the Trojan War. It was supposedly a giant hollow horse with Greek soldiers hidden in its belly, given to the city of Troy as a peace offering. Once the horse gained entry into the city, the hidden soldiers let in the Greek army, and the city of Troy was ravaged.
In the same way, a RAT fools recipients into “inviting” the malicious software into their machine, and once installed, it provides access to the RAT hacker. RATs first appeared in the '90s, following the creation of the first legitimate remote access tools in 1989.
The initial intent was playful, and some saw RATs as an initiation ritual for young hackers. In the beginning, access was limited to simply changing the display background or making the CD tray pop in and out. But in time, more sophisticated RATs appeared, and the intent became more malicious. By the first decade of the new millennium, more malicious RATs such as DarkComet, Gh0st, and PoisonIvy entered the scene. Then, from 2010 to 2019, RATs with more potent features were designed, and targeted operating systems expanded from Windows to include mobile OS like Android and iOS.
How Does a Remote Access Trojan (RAT) Work?
RAT malware works just like non-malicious remote access tools. The difference is that RATs are designed to stay hidden, and they carry out tasks without the consent or knowledge of the machine’s owner.
To install a RAT on a machine, the hacker first needs to fool the owner into running the software. This is usually done by sending an email with an attachment or a link to a seemingly legitimate website where the download is made. The downloaded file is designed to look like a harmless document, installer, or update, but once run, the RAT hides itself: it may masquerade as a system process, inject into a legitimate one, or register itself to start automatically, so it does not stand out in the list of running processes. This means a RAT may reside inside a poorly protected computer or server for a long time without being detected.
RATs are particularly dangerous because they give the hacker the same level of control as the logged-in user, and often full administrative control once the attacker escalates privileges. As a result, attackers can use the infected machine or network as a proxy to commit crimes anonymously. RATs are often paired with a keylogger to increase the hacker's chances of obtaining sensitive information or login details. Because the hacker has access to the unsuspecting user's camera and microphone, the victim's privacy is also completely compromised.
Who Are the Targets of a Remote Access Trojan (RAT)?
While anyone can be the target of a RAT, hackers will likely focus on targets that yield financial, political, or information gain. Individuals are targeted too, but the more profitable attacks are against governments or corporations.
1. Financial: Hackers use RATs to target financial institutions or corporations for money.
2. Political: Hackers access classified information, attempt to influence elections, or disrupt national systems such as telecommunications, traffic systems, or utilities.
3. Information: Data can be as valuable—or even more valuable—than currency, so hackers will try to access information, delete files, and even sell sensitive data for identity theft, corporate espionage, or political manipulation.
How Do Cyber Criminals Use RATs Against an Enterprise?
A RAT attack on an organization typically begins with another form of cyber attack, such as malspam, phishing or spear phishing, or some other type of social engineering campaign. This is because the hacker first needs to get the recipient to unwittingly install the RAT software.
The deception is designed to avoid raising suspicions. For example, since enterprises communicate chiefly via email, the hacker may send a legitimate-looking email with an attached PDF or Word document. Once the employee opens the attachment or clicks on the link, the RAT gets installed. Its command-and-control traffic is then made to blend in with ordinary activity, typically by beaconing out over HTTPS on common ports or by abusing the same remote administration tools the business already uses, so it rarely trips inbound-only firewall rules. And because the infection can go undetected for a long period, RATs are potentially catastrophic for enterprises.
How To Detect a Remote Access Trojan (RAT) Infection
Even trained professionals and antivirus software can miss a Trojan infection, but there are signs you can look for:
- Overall lag: RATs running in the background may be invisible, but they consume CPU, memory, and network bandwidth. So if your computer or system is running abnormally slow, it is prudent to scan for Trojans.
- Antivirus software failure: An antivirus program that constantly crashes or responds slowly may also indicate an infection.
- Unrecognizable files: Keep an eye out for strange files or programs you did not intentionally download or install.
- Website redirects or unresponsiveness: Constant redirects and web pages that do not load can also be a telltale sign of a RAT infection.
- Webcam in use: Most computers come with a webcam indicator light. When you use a program that accesses the webcam, such as a videoconferencing application, the indicator light will be on. So beware of the light coming on for no apparent reason.
These symptoms are in no way exclusive, and a RAT may cause any or all of them—or none of them, in some cases. Only very specific, thorough scans may uncover an infection, so prevention is always better than a cure.
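The symptoms above are what an end user notices; a security team looks instead for the two traits described earlier on this page, a binary that hides by borrowing a system process name, and a process that phones home at a steady interval. The following script is an added example, not code from the original page or from any product it mentions. It runs two such checks over a small, constructed set of outbound-connection records (the kind a host agent or Sysmon Event ID 3 would produce); the process names, paths, addresses, and the thresholds in the function signatures are assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample telemetry (not real data): one row per outbound connection.
# (timestamp, pid, image name, image path, destination host, destination port)
SAMPLE_CONNECTIONS = [
    # hypothetical RAT: a file named like a system process, run from the user
    # profile, contacting the same host roughly once a minute
    ("2024-05-01T10:00:00", 4312, "svchost.exe", r"C:\Users\alice\AppData\Roaming\svchost.exe", "198.51.100.23", 8443),
    ("2024-05-01T10:01:00", 4312, "svchost.exe", r"C:\Users\alice\AppData\Roaming\svchost.exe", "198.51.100.23", 8443),
    ("2024-05-01T10:02:01", 4312, "svchost.exe", r"C:\Users\alice\AppData\Roaming\svchost.exe", "198.51.100.23", 8443),
    ("2024-05-01T10:02:59", 4312, "svchost.exe", r"C:\Users\alice\AppData\Roaming\svchost.exe", "198.51.100.23", 8443),
    ("2024-05-01T10:04:00", 4312, "svchost.exe", r"C:\Users\alice\AppData\Roaming\svchost.exe", "198.51.100.23", 8443),
    # the genuine svchost.exe from System32: legitimate path, only two connections
    ("2024-05-01T10:00:30", 1204, "svchost.exe", r"C:\Windows\System32\svchost.exe", "203.0.113.9", 443),
    ("2024-05-01T10:05:12", 1204, "svchost.exe", r"C:\Windows\System32\svchost.exe", "203.0.113.9", 443),
    # a browser: several connections, but at human-driven, irregular intervals
    ("2024-05-01T10:00:07", 812, "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "192.0.2.80", 443),
    ("2024-05-01T10:00:09", 812, "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "192.0.2.80", 443),
    ("2024-05-01T10:00:45", 812, "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "192.0.2.80", 443),
    ("2024-05-01T10:03:10", 812, "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "192.0.2.80", 443),
]

# Names a RAT commonly borrows to blend into the process list, and the directory
# tree those binaries legitimately live in on a default Windows install.
SYSTEM_IMAGE_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\",)


def is_masquerading(image: str, path: str) -> bool:
    """A system-process name running from outside the Windows directory is a
    strong sign of a RAT hiding in plain sight."""
    if image.lower() not in SYSTEM_IMAGE_NAMES:
        return False
    return not path.lower().startswith(SYSTEM_DIRS)


def find_masquerading(records):
    """Return one (pid, image, path) tuple per process that fails the path check."""
    seen = {}
    for _, pid, image, path, _, _ in records:
        if pid not in seen and is_masquerading(image, path):
            seen[pid] = (pid, image, path)
    return list(seen.values())


def find_beacons(records, min_connections=4, max_jitter=0.15):
    """Flag (process, destination) pairs whose connection gaps are nearly
    constant: coefficient of variation of the gaps <= max_jitter. Human-driven
    traffic is bursty; a C2 beacon on a timer is not."""
    by_dest = defaultdict(list)
    for ts, pid, image, _, host, port in records:
        by_dest[(pid, image, host, port)].append(datetime.fromisoformat(ts))
    beacons = []
    for (pid, image, host, port), times in by_dest.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            beacons.append({"pid": pid, "image": image, "dest": f"{host}:{port}",
                            "interval_s": round(avg, 1), "jitter": round(jitter, 3)})
    return beacons


def analyze(records):
    """Run both checks and return their findings keyed by indicator name."""
    return {"masquerading": find_masquerading(records), "beacons": find_beacons(records)}


if __name__ == "__main__":
    for indicator, hits in analyze(SAMPLE_CONNECTIONS).items():
        print(indicator, hits)
```

On the sample, only pid 4312 is reported by both checks: the legitimate svchost.exe passes the path test and never reaches the connection threshold, and the browser's gaps (2, 36 and 145 seconds) are far too irregular to look like a timer. Real RATs add random jitter to their beacon interval, so in production the jitter threshold and minimum connection count are tuning knobs, and the masquerading list should be extended with any signed binaries the environment whitelists.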
Common Types of Remote Access Trojan (RAT)
There are many different types of RATs. Here are a few well-known examples and their origins:
- Back Orifice: Released by the Cult of the Dead Cow in 1998, this early client-server RAT for Windows 95/98 ran hidden on the victim machine and let the operator control it over the network; a later version, Back Orifice 2000, added Windows NT support.
- Beast: Developed in 2002, Beast is a Windows RAT with a client-server architecture similar to Back Orifice. It was among the early RATs to use a reverse connection, in which the infected machine connects out to the attacker, which slips past firewalls that only filter inbound traffic.
- Blackshades: This is a self-propagating RAT that spreads by sending out links to the social media contacts of the infected user. The hacker then uses the infected machines as a botnet to launch distributed denial-of-service (DDoS) attacks.
- CrossRAT: A Java-based RAT, CrossRAT is especially difficult to detect and can target Linux, macOS, Solaris, or Windows systems.
- Mirage: An advanced persistent threat (APT) malware launched by a state-sponsored Chinese hacking group, Mirage's main goal is data exfiltration. It is generally used against government and military targets.
- Saefko: This RAT specifically reads the browser history of Chrome users to identify visits to cryptocurrency sites and steal transaction data.
Difference Between a Remote Access Trojan (RAT) and a Keylogger
While keyloggers and RATs are often used in tandem, they are not the same. RATs are malware intended for unauthorized remote access and control. Keyloggers are more specific in function, logging keystrokes to steal credentials or other sensitive data.
Keyloggers can come in the form of software or hardware, and they are not all illegal, as some are installed for security or maintenance purposes. Software keyloggers can usually be discovered by inspecting running processes and the keyboard hooks or drivers they install; hardware keyloggers require a physical inspection. RATs, on the other hand, are more difficult to discover and can be used for a much broader range of illegal activities.