Wednesday, July 4, 2018

RadRAT will give you an interesting day!

Remote access tools (RATs) are an interesting class of tool to have maliciously placed on a
system. When these were first created years ago, the focus was to gain access
to the target’s computer and turn on the webcam and/or microphone to record the
unsuspecting user. The next iteration was coded so the “On” light was toggled off
even though the device was on. As time passed the technology improved, and this class of
malware likewise improved in functionality, performance, and malicious antics.

Background
The new iteration is powerful malware, with substantially more functions than earlier
iterations. In its intended use, it is all-in-one malware. This particular malware has
been in use since at least 2015.

Operations
Put simply, this has been coded to take over the target’s computer. The end goal is to
exfiltrate data and/or monitor the network. RadRAT connects to the attackers’ C&C servers,
which is standard operating procedure. This allows complete control of the compromised
system and also allows the malware to move laterally through the target’s network. To make
things interesting, it is coded with rootkit-like methods to evade detection. Two of the
areas it focuses on are credential and NTLM hash harvesting. It works in other areas as
well, including retrieving Windows passwords; however, these are the primary thrust.
The malware is exceptionally problematic in that, during the infection stage, it checks
the flag values to expedite the attack and increase the areas it may traverse.

In Closing
Any malware on a system is harmful and causes problems. Of the
malware present in the wild, there are less intrusive samples to be infected with. This
malware has been coded to complete its due diligence on the network and files while
continuing with its mission.

Resources
Budaca, E. (2017). RadRAT: An all-in-one-toolkit for complex espionage ops.


E Hacking News. (2018, April 16). Romanian cybersecurity firm reveals all-in-one
espionage tool: RadRAT. Retrieved from
http://www.ehackingnews.com/2018/04/romanian-cybersecurity-firm-reveals-all.html
