What is RAT malware?

A remote access trojan (RAT), also referred to as a remote administration tool, is a sophisticated form of malware that enables an unauthorized individual to gain clandestine remote control of a target's computer system.

Commonly propagated through phishing emails that rely on manipulation and social engineering techniques, RATs pose a significant threat to cybersecurity.

The distinctive feature of RATs is unauthorized access to the victim's computer that attackers gain, allowing them to execute commands, browse files, and even modify system settings without the user's knowledge or consent.

RATs also tend to operate in a clandestine manner, hiding their activity from security software. This is in contrast to other types of malware, such as ransomware that tend to make their presence known to the victim by presenting them with a ransom note.

What can a RAT do to a computer?

Once a RAT infiltrates a system, it opens the door to a myriad of malicious activities. These can include, but are not limited to:

• Information stealing: Such malware can exfiltrate different types of sensitive information from the infected computer to its command-and-control server (C2), controlled by the attacker. This includes passwords, credit card numbers, messaging app data, browser history, and cookies.
• File system manipulation: It can also interact with the users’ personal files by modifying them or simply stealing.
• Recording keystrokes and screen activity: Many RATs are equipped with the ability to track the keyboard and screen activity of the victim, including by taking screenshots and screencasting, in order to gather information on their login credentials and spy on them.
• Controlling the webcam and microphone: Some RAT malware families can hijack the camera and microphone of the infected device to capture private conversations, confidential meetings, and photographs or videos.
• Dropping other malware: Some RATs can have the additional functionality of deploying extra payloads on the infected system.

The particular set of capabilities depends on the malware’s configuration. For instance, the known malware OrcusRAT has a sophisticated modular architecture, enabling cyber threat actors to craft personalized plugins that seamlessly integrate with the malware.

Check out a technical analysis of OrcusRAT in our blog.

This modular design, popular across many RAT families, enhances the malware’s scalability and ease of management, making it simple to adjust its functionalities according to the specific requirements of different cyber campaigns.

How do RATs spread?

Phishing emails are a prevalent vector utilized by Remote Access Trojan operators to spread their malicious activities. These deceptive emails employ various techniques to lure unsuspecting users into clicking on malicious attachments or links.

Attachments found in phishing emails can be in the form of seemingly harmless documents, such as PDFs or Word files or links. However, cybercriminals cleverly embed malicious code within these attachments and links, aiming to exploit vulnerabilities in computer systems and gain unauthorized remote access. Once clicked, these attachments or links initiate the download and installation of the RAT onto the victim's computer.

RATs can also end up on users’ devices through P2P file-sharing websites. These malicious software can masquerade as legitimate files, such as movies, music, or programs.

Alternatively, RATs can be downloaded by special loader malware, which is intended for the purpose of disseminating different payloads on compromised systems. GuLoader is a prime example of such malware, as it has been instrumental in infecting thousands of machines around the world with multiple RAT families, including Remcos.

How does a RAT operate on an infected system?

In order to begin the infection process, RATs typically exploit vulnerabilities present in the operating system or applications. For instance, they may employ zero-day attacks to exploit undisclosed vulnerabilities or leverage well-known weaknesses in third-party software.

Once launched, RATs employ persistence mechanisms such as disabling antivirus software and utilizing rootkit methodologies, to ensure their continuous operation even after the user logs out or restarts the computer.

After establishing persistence, RATs tend to connect to a C2 server to grant the attacker full control over the compromised computer, allowing them to execute various malicious actions, including data exfiltration, installation of additional malware, and the execution of malicious commands.

RATs can also create and maintain hidden backdoors within the infected system. These covert entry points serve as secret access channels, letting attackers maintain control even if the RAT itself is removed or disabled.

We can examine the execution process of a typical RAT by analyzing a sample of njRAT in the ANY.RUN sandbox.

Analyze malware for free in a fully interactive cloud sandbox – request demo.

Upon successful infiltration of the target device, njRAT swiftly initiates its operation. One of its primary tactics involves the immediate self-renaming of the initial file, concealing its presence from unsuspecting users.

Additionally, njRAT possesses the capability to spawn a child process, often strategically injecting its malicious code into legitimate processes such as RegSvcs.exe and RegAsm.exe.

It also leverages the power of the Task Scheduler to ensure its persistence within the compromised system. Through this mechanism, the child process responsible for executing njRAT's main malicious activities is scheduled to run at predetermined intervals.

The malware then begins exfiltration of sensitive information, establishing connections with command and control (C2) servers.

The lifecycle of njRAT demonstrated by ANY.RUN

The most common RATs today?

Staying informed on the latest developments in the cybersecurity landscape, we can use ANY.RUN’s Malware Trends Tracker. This service offers a comprehensive view of the most widespread malware families currently active on the global scale.

Here are top three RATs in terms of their popularity, according to the service:

• Remcos: This RAT has been a persistent threat since its emergence in 2016. Continuously updated and actively maintained, this malware grants attackers remote control over infected PCs. It is offered as malware-as-a-service.
• AsyncRAT: First observed in 2019, AsyncRAT has evolved, adapting to various distribution methods, including spam emails, impersonations, and phishing campaigns. The malware primarily targets IT, hospitality, and transportation industries across the Americas, aiming to steal personal credentials and banking details.
• njRAT: This malware operates on the .NET framework. It enables hackers to remotely control a victim's PC, giving them access to the webcam, keystrokes, and passwords stored in web browsers and desktop apps.

How can I detect a RAT?

Organizations with lax security controls are easy prey for RAT attacks. One employee's negligence in handling external files and links can set off a domino effect, compromising the entire network.

To add an extra layer of security, make sure to use ANY.RUN, a cloud-based sandbox for analyzing suspicious files or URLs to determine if they pose any threat. The service generates reports on each sample submitted by users, providing them with IOCs and other crucial information needed for mitigation.

This platform ensures a safe and controlled environment for users to interact with potentially harmful elements, without putting their devices and data at risk.

Try ANY.RUN for free – request a demo!