In my recent article on phishing, I discussed how that technique remains one of the most widely used methods for gaining unauthorized access to valuable company information and computer systems.
In this NNIT Security Insights article, I take a deep dive into Remote Administration Tools (RATs), which are sometimes delivered as malware payloads in phishing emails.
What is a RAT?
A Remote Administration Tool is often used by IT service desks to provide remote desktop services to PC users, for example to install software applications or solve minor issues. The tool is a great asset to service desks and has revolutionized global IT support capabilities.
However, the acronym "RAT" is more commonly associated with a more sinister version of this functionality: a small piece of software code is added as the payload of a phishing email, or stored on a server waiting to be downloaded when a PC user clicks a phishing link in an email. Once activated, the RAT runs silently in the background, unknown to the PC user, and provides full remote administration capabilities to an external attacker, who is then able to control the PC as if they were sitting directly in front of it.
RAT phone home
Following activation, the first thing a RAT needs to do is phone home to its "master". In practice, this means the RAT sends a timed beacon to its Command and Control server on the Internet to indicate that it is now active and ready for use.
Since the RAT sits inside the organization's network, it effectively acts as a backdoor through which its master gains full access to that network.
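The timed beacon described above is also what gives the RAT away on the network side. The following added example (not from the article) applies the detection idea to a constructed firewall log: it groups connections by source and destination and flags pairs whose inter-connection gaps are almost perfectly regular, which is how a scheduled beacon looks next to ordinary user browsing. The log format, hosts and thresholds are assumptions chosen for the demonstration.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+)$")

# Constructed sample firewall log (not from the article). Host 10.0.0.5 contacts
# 203.0.113.10 exactly every 60 s, the way a timed RAT beacon would; host
# 10.0.0.7 contacts 198.51.100.20 at irregular, user-driven intervals.
SAMPLE_LOG = """\
2024-01-15T09:00:00 src=10.0.0.5 dst=203.0.113.10 dport=443 bytes=312
2024-01-15T09:00:12 src=10.0.0.7 dst=198.51.100.20 dport=443 bytes=5120
2024-01-15T09:00:35 src=10.0.0.7 dst=198.51.100.20 dport=443 bytes=8801
2024-01-15T09:01:00 src=10.0.0.5 dst=203.0.113.10 dport=443 bytes=310
2024-01-15T09:02:00 src=10.0.0.5 dst=203.0.113.10 dport=443 bytes=315
2024-01-15T09:02:50 src=10.0.0.7 dst=198.51.100.20 dport=443 bytes=1200
2024-01-15T09:03:00 src=10.0.0.5 dst=203.0.113.10 dport=443 bytes=311
2024-01-15T09:04:00 src=10.0.0.5 dst=203.0.113.10 dport=443 bytes=309
2024-01-15T09:04:01 src=10.0.0.7 dst=198.51.100.20 dport=443 bytes=43000
2024-01-15T09:04:03 src=10.0.0.7 dst=198.51.100.20 dport=443 bytes=2200
"""

def parse_log(text):
    """Group connection timestamps by (src, dst); malformed lines are skipped."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            flows[(m.group(2), m.group(3))].append(datetime.fromisoformat(m.group(1)))
    return flows

def find_beacons(text, min_events=5, max_jitter=0.1):
    """Return flows whose inter-connection gaps are suspiciously regular.

    Jitter = stdev(gaps) / mean(gaps): human browsing gives high jitter,
    a timed beacon gives jitter close to zero.
    """
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_events:
            continue  # too few events to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps only; nothing to measure
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "period_s": mean, "jitter": round(jitter, 3)})
    return hits
```

Real RATs often add random sleep jitter to blur this pattern, so in production the threshold is tuned per environment and combined with other signals such as destination reputation and unusual working hours.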
The RAT is very powerful and often has some or all of the following capabilities:
- Full desktop control whereby the remote attacker can operate all functionality of the PC as if they were sitting in front of it.
- Data exfiltration whereby the remote attacker uses the compromised PC to gather documents containing confidential information and intellectual property, which they then transmit to their remote servers located on the Internet.
- Key-logging whereby all information typed in by the user is saved and sent to the remote attacker. This is often used for the collection of user credentials.
- Screen-grabbing whereby the PC's screen contents can be viewed in real-time by the remote attacker.
- Webcam / Microphone monitoring whereby a live feed from the PC's webcam and sounds from the PC's microphone can be received and monitored in real-time by the remote attacker.
Purpose of RAT in attack life-cycle
RATs are used throughout an attack life-cycle, but especially in the early stages when attackers are looking to establish a foothold in an organization. Here they provide remote access and let attackers gather information that helps them move deeper into the organization's network. Later in the attack life-cycle, the RAT assists with data exfiltration.
Protect yourself with these practical steps
- Think about online security as you carry out your daily work activities.
- Be cautious with unexpected emails from unknown senders, especially those containing a generic greeting, poor use of language, a request to click on a link or open an attachment, and/or a threat or incentive to make you take immediate action.
Protect your organization with these practical steps
- Raise security awareness across the organization regarding online security. Advise staff how to recognize a phishing email and what to do in the event of a security incident.
- Remove local administration rights from office users to prevent malware from installing itself on users' PCs.
- Ensure antivirus, whitelisting and email spam filters are regularly updated to protect against incoming phishing emails, executable files and macros.
- Implement email quarantine for attachments and links to allow central scanning.
- Monitor for abnormal user behavior, for example where user credentials are used to log in to a system at a time when the user is not normally at work.
- Implement IDS (Intrusion Detection Systems), IPS (Intrusion Prevention Systems) and anti-malware systems to monitor the network for known indicator-of-compromise patterns.
- Implement standard system patching processes to ensure that all systems, software, PCs and servers are patched for known vulnerabilities.