Detecting Remote Access Trojans can be very challenging because they mimic legitimate commercial remote administration tools, open legitimate network ports, and perform very surgical operations that don't resemble typical malware techniques, says Udi Shamir, CSO and head of SecurityLabs, SentinelOne.
No doubt this stealth aided attackers who used the Carbanak malware RAT, which, according to "Carbanak APT: The Great Bank Robbery", February 2015, Kaspersky Labs, infected banks globally, stole funds, and wreaked financial havoc estimated at up to $1 billion in losses.
To deal with these low-down, filthy, social-engineering, vulnerability-crawling varmints, you'll need to learn their aliases, profile their capabilities, and uncover how to block, starve, and blind them before blowing them away.
You've come a long way since BackOrifice, baby!
RATs infest the enterprise most often through the social engineering of phishing attacks, using links or attachments such as PDFs. A PDF would have code, macros, and JavaScript embedded in it so that when you open it, it exploits the intended vulnerability and downloads additional components, reassembling the malware to install on the target system, says Fengmin Gong, CSO, Cyphort. They also enter from infected sites during drive-bys.
Common RATs include Sakula, KjW0rm, Havex, Agent.BTZ/ComRat, Dark Comet, AlienSpy, Heseber BOT, the Animal Farm family, and Carbanak. Sakula, chief suspect RAT in the recent OPM (Office of Personnel Management) attack steals network admin passwords using Mimikatz software. The KjW0rm was probably the culprit in a string of French TV station breaches. "Malware developers wrote KjW0rm in VBS, making it difficult to detect," says Shamir. The Havex RAT targets industrial control systems (ICS) and uses its variants / mutations as well as HTTP and HTTPS communications to stealth its activity. Agent.BTZ/ComRat is another ICS RAT, which experts believe to be of Russian government origin.
Crypters are software tools that use a combination of encryption, obfuscation, and code manipulation of malware to make them FUD (Fully Undetectable) by legacy security products.
According to the blog post "Examining the CyberCrime Underground, Part One: Crypters", The Research Center at Palo Alto Networks
Dark Comet uses Crypters to hide from antivirus tools, says Shamir. "Crypters are software tools that use a combination of encryption, obfuscation, and code manipulation of malware to make them FUD (Fully Undetectable) by legacy security products," according to the blog post "Examining the CyberCrime Underground, Part One: Crypters", The Research Center at Palo Alto Networks. Apple products are not immune to RATs as the RAT AlienSpy attacks Apple OS X. Because OS X uses only traditional security products such as antivirus, AlienSpy, which also uses anti-analysis techniques to avoid detection, has a free pass on these systems, according to Shamir. The Heseber BOT uses VNC to avoid detection.
The Animal Farm espionage gang used RATs including Dino, Bunny, Casper, and Babar, which have multiple, stealthy components and nation state origins (potentially inside France) to siphon data from foreign military and government entities. Carbanak gave attackers video access inside financial institutions to observe transactions and learn how to funnel money out.
How to block, starve, and blind them!
To block RATs, you should apply patches liberally to operating systems and applications in general and to browsers, PDF readers, Flash, Java, and MS Office in particular to reduce successful exploitation by reducing the attack surface, according to Jason Trost, Labs Director, Threat Stream. Use whitelisting to prevent suspicious, unauthorized .EXE and DLL file activity. This prevents users from executing anything in the blind that could have adverse consequences, such as RATs and related malware. Unless you use Dynamic DNS services, block them. "This is a weak control that counts on the heavy use of Dynamic DNS by malware operators and the fact that it is often not necessary in enterprise environments," says Trost. If you must use Dynamic DNS, block any unused domains.
Starve RATs using IDS/IPS that detect known network-based signatures of RAT activity, including signatures for C2 protocols, RAT user agents, and non-encrypted traffic over Port 443, says Trost. In Intrusion Prevention mode, this could block RAT traffic leaving the enterprise. Leverage host-based Indicators of Compromise (IOC) to locate RATs and sweep endpoints often to identify potential compromises, Trost says. Likewise, look for network IOCs and traffic moving from enterprise devices and machines to known C2 domains, IP addresses, and URLs.
Security experts harp about network segmentation for good reason: it works. These kinds of controls will starve the RATs for information that is available only through access to other networks inside the perimeter. This will help to slow them down long enough that perhaps you can discover them using signature-based or behavior-based detection techniques. While blocking unused ports, apply web proxies and filtering to detect RATs that are sending data out of the organization; this enables content scanning in correlation with threat intelligence, which can detect RATs, according to Trost.
Finally, blind RATs with honeypots that keep them busy while you detect them. They don't get to your data or see that you are fooling them until it's too late.
With the sophisticated new RATs it will be difficult at best to use automated, signature-based tools to remove them. Behavior-based methods are necessary to find every instance of the RAT, every trace of code that might try to re-infect systems. Then to remediate you will have to restore to a restore point such as with snapshot backup technologies. "You have a periodic snapshot of your system that you can restore to at a point in time prior to infection," says Gong.
Keep your guard up
RATs are among the continually-evolving complex attack tools that APTs have at their disposal. As behavior-based intrusion detection tools and techniques grow in effectiveness and number and as they collaborate with other maturing security technologies and policy-based approaches to effectively surround RATs at the earliest detectable event, successful attacks will hopefully be relegated to moments when we turn our back, or let our guard down, which we should never do. Be proactive!