Remote Access Trojan (RAT)
What Is Remote Access Trojan?
Remote access and control of computers is not entirely criminal. For years, tools for accessing computers and servers remotely—such as Microsoft’s Remote Desktop Protocol (RDP) and TeamViewer to access computers and remotely control servers so they can work outside of the office or provide technical user support.
With the rise of remote work during the COVID-19 pandemic and the scalability demanded by globalization and digital transformation, remote access tools usage has seen a significant rise. However, using remote access and control for nefarious purposes is also becoming more common.
Remote Access Trojans (RATs) are a considerable threat to organizations worldwide. RAT hackers have developed several Trojan varieties, and security teams and antivirus software developers are working hard to keep up.
But what is a RAT, and how does it work? More importantly, how can you detect a RAT infection or protect organizational resources from becoming infected in the first place?
According to the Remote Access Trojan definition, a RAT is a form of malware that provides the perpetrator remote access and control of the infected computer or server. Once the hacker gains access, they can use the infected machine for several illegal activities, such as harvesting credentials from the keyboard or clipboard, installing or removing software, stealing files, and hijacking the webcam. The hacker can do all this without the owner's consent or knowledge.
However, not all remote access is illegal. So to differentiate, professionals use "remote access tools" for legitimate access purposes and the term "Remote Access Trojan" for criminal access and control.
The Birth and Rise of the RAT
The designation “Trojan” references the mythological Trojan horse used to conquer Troy in the Trojan War. According to Greek mythology, the Greeks left this giant hollow horse as an offering to the goddess Athena. However, Greek soldiers were hiding in its belly. Once the Trojan horse entered the city, the soldiers ravaged the city of Troy.
In the same way, a RAT fools recipients into “inviting” the malicious software into their machine. Once installed, it provides access to the RAT hacker. RATs first appeared in the '90s following the creation of the first legitimate remote access tools in 1989.
The initial intent was playful, and some saw RATs as an initiation ritual for young hackers. The remote access allowed hackers to simply change the display background or make the CD tray pop in and out. However, more sophisticated RATs appeared over time, and the intent became more malicious. By 2010, more malicious types of malware emerged, such as DarkComet, Gh0st, and PoisonIvy. Then, from 2010 to 2019, RATs with more potent features entered the scene, and the targeted operating systems expanded from Windows to include mobile OS like Android and iOS.
How Does a Remote Access Trojan (RAT) Work?
RAT malware works just like non-malicious remote access tools. The difference is that RATs are designed to stay hidden and carry out tasks without the device owner's consent or knowledge.
To install a RAT on a machine, the hacker must first fool the owner into downloading the software. The bad actor might send an email attachment or a link to a seemingly legitimate website where the user can download the software.
The downloaded application imitates a trustworthy remote access app, but once installed, it does not show up on any list of active software or running processes. This means a RAT may reside inside a poorly protected computer or server for a long time without detection.
RATs are particularly dangerous because they give the hacker complete administrative control. As a result, attackers can use the infected machine or network as a proxy server to commit crimes anonymously. RATs are sometimes paired with a keylogger to increase the hacker's chances of obtaining sensitive information or login details. Because the hacker has access to the unsuspecting user’s camera and microphone, the victim's privacy is also completely compromised.
Who Are the Targets of a Remote Access Trojan (RAT)?
While anyone can be the target of a RAT, hackers will likely focus on organizations that yield financial, political, or information gain. Individuals can also be targets, but the more profitable attacks are against governments or corporations.
- Financial: Hackers use RATs to target financial institutions or corporations for money.
- Political: Hackers access classified information, manipulate election results, or control national systems such as telecommunications, network traffic systems, or utilities.
- Information: Data can be as valuable, or even more valuable, than currency. Hackers will try to access information, delete files, and even sell sensitive data for identity theft, corporate espionage, or political manipulation.
How Do Cyber Criminals Use RATs Against an Enterprise?
A RAT attack on an organization typically begins with another form of cyber attack, such as malspam, phishing or spear phishing, or some other type of social engineering campaign. The hacker first needs the recipient to unwittingly install the RAT software, so they use these deceptive tactics designed to avoid raising suspicions.
For example, since enterprises likely communicate chiefly via email, the hacker may send a legitimate-looking email with an attached PDF or Word document. Once the employee opens the attachment or clicks on the link, the RAT gets installed. The RAT disguises itself using the same RDP services that legitimate remote access tools use. Since the infection can go undetected for an extended period, RATs are potentially catastrophic for enterprises.
Recent RAT Attacks
Threat actors have been deploying different RAT attacks in recent years, even throughout 2022.
- A hacker group called RomCom launched RAT attacks in late 2022 by impersonating popular products, such as SolarWinds Network Performance Monitor and PDF Reader Pro.
- A Remote Access Trojan called Alchimist reportedly targeted Linux, macOS, and Windows systems in October 2022. Alchimist can deliver malware, take screenshots, and perform other malicious activity.
- A recently designed RAT named Cloud9 hacks the Chrome browser. It steals online accounts and targets a user’s browser for distributed denial-of-service (DDoS) attacks.
How To Detect a Remote Access Trojan (RAT) Infection
Those trying to figure out how to detect RAT software may be comforted by the fact that even trained professionals and anti-malware software can miss a Trojan infection, but there are signs you can look for:
- Overall lag: RATs running in the background may be invisible, but they use up processing power. So if your computer or system is running abnormally slow, it is prudent to scan for Trojans.
- Antivirus software failure: An antivirus program that constantly crashes or responds slowly may also indicate an infection.
- Unrecognizable files: Keep an eye out for strange files or programs you did not intentionally download or install.
- Website redirects or unresponsiveness: Constant redirects and web pages that do not load can also be a telltale sign of a RAT infection.
- Webcam in use: Most computers come with a webcam indicator light. The indicator light turns on when you use a program that accesses the webcam, such as a videoconferencing application. So beware of light coming on for no apparent reason.
These symptoms are in no way exclusive, and a RAT may cause any, all, or none of them. Only very specific, thorough scans may uncover an infection, so prevention is always better than a cure.
Common Types of Remote Access Trojan (RAT)
There are many different types of RATs. Here are a few well-known examples and their origins:
Developed by Cult of the Dead Cow, this RAT finds and targets deficiencies in the Windows OS.
Although developed back in 2002, Beast is still widely used against old and new Windows systems. It uses a client-server architecture similar to Back Orifice.
Blackshades is a self-propagating RAT that spreads by sending out links to the social media contacts of the infected user. The hacker then uses the infected machines as a botnet to launch denial-of-service (DoS) attacks.
A CrossRAT infection is especially difficult to detect, and this RAT can target Linux, macOS, Solaris, or Windows systems.
This RAT specifically targets Chrome users' browser histories to steal cryptocurrency transaction data.
Difference Between a Remote Access Trojan (RAT) and a Keylogger
While bad actors often use keyloggers and RATs in tandem, they are not the same. RATs are types of malware infections intended for unauthorized remote access and control. Keyloggers are more specific in function, logging keystrokes to steal credentials or other sensitive data.
Keyloggers can come in the form of software or hardware. They are not all illegal, as some devices have them for security or maintenance. Illegal keyloggers can usually be discovered by looking for suspicious activity within running processes. RATs, on the other hand, are more challenging to discover and can be used for a much broader range of illegal activities.