What is a Remote Access Trojan (RAT)?
by Tina Siering
How does a remote access Trojan work?
This form of malware aims to give the attacker information about the infected system or to hand control of the computer over to the attacker. Remote control as a technique is well known in IT and is also used by legitimate software.
For example, support staff like to use TeamViewer software to establish connections to remote computers. The advantage is that TeamViewer enables remote access and remote control. This means that the support employee does not have to travel to the affected PC, but can carry out the work from their own workstation.
For this purpose, the support employee is given extensive access rights to the target system via the connection. Among other things, the contents of the screen are transferred and the mouse and keyboard can be controlled. The support agent is also able to install software and make other changes to the system via the remote connection.
Remote access Trojans work on a very similar principle. In fact, some cyber criminals also use TeamViewer for criminal activities. However, TeamViewer asks the user at the target computer to agree to the connection and allow remote control. Thus, if this software is used for an attack, the potential victim has to fall for the attackers' tricks and grant the access himself. This is not the case with a remote access Trojan, because it establishes the connection secretly and without asking. Thus, in the case of a successful attack with such a Trojan, the victim does not notice that a stranger has access to his computer.
In our last blog article, we drew attention to warnings from the Federal Office for the Protection of the Constitution, which currently informs that the RAT variant HyperBro is frequently used in cyber attacks.
What is the difference between a remote access Trojan and other Trojans?
RATs are a subcategory of Trojans. This class of malware is united by the fact that it surreptitiously installs functionality on the computer that the user has not consented to. Other types of Trojans, for example, install software that mines cryptocurrency for the criminals or add the infected system to a botnet. It also happens that a Trojan uses the system for coordinated DDoS attacks. In contrast, the functions of remote access Trojans are aimed at giving the attacker control over certain areas of a computer.
What are the properties of Remote Access Trojans?
The capabilities of remote access Trojans are quite diverse. For example, some programs record keystrokes and forward them to the attacker. In this way, the hackers are able to intercept passwords, account credentials or even bank details. Other Trojans transmit the screen content so that the hacker can observe the victim's actions in real time. This also gives the attacker the opportunity to steal passwords and other information.
Furthermore, it is possible that the Trojan specifically searches for data and transmits it to the hacker. In this way, remote access Trojans can also be used for industrial espionage or blackmail. Among other things, the Trojans also give the attacker control over peripheral devices connected to the computer, primarily the webcam and the microphone. The hacker then has the ability to record and gain access to audio and video data. In the same way, the attacker is able to take screenshots of the active screen. The visible information thus reaches the criminals who control the Trojan. All of this happens completely covertly, without the user of the computer noticing anything.
Another function of remote access Trojans is to download and execute additional malware. In this way, the attacker brings further malicious code into the network. Thus, a RAT is also a starting point for attacks with ransomware or other malware. This is followed by encryption of the hard drive contents and extortion.
Remote access Trojans are also often able to grant the attacker full access to the infected system. Thus, the hacker has all the rights that an administrator has. This is particularly dangerous because it enables the attacker to attack the entire network. In this situation, all scenarios are conceivable, from data espionage to the preparation of a large-scale ransomware attack that compromises the entire network of an organization.
How do remote access Trojans infiltrate target systems?
When spreading remote access Trojans, cybercriminals rely on the usual distribution channels. Manipulated websites are popular, for example. Here, the criminals infect visitors with drive-by downloads or trick users into downloading a Trojan disguised as normal software.
Similarly, the criminals try to lure unsuspecting users into downloading and installing the Trojan via email attachments. This infection route is also known from other malware and especially ransomware. Another way RATs get onto systems is through vulnerabilities in software. Such vulnerabilities arise from unpatched programs or are exploited as zero-days. In some cases, such gaps allow malicious code to be executed on or transferred to a target system.
What makes Remote Access Trojans so dangerous?
There are two main aspects that make a remote access Trojan so threatening. The first factor is the stealthy nature of the attack. In many cases, attackers are interested in remaining undetected for as long as possible, or even completely undetected. This is in contrast to ransomware attacks, where the hackers completely block the infected systems. Hackers who carry out attacks with a remote access Trojan want to remain undetected. This gives them a chance to use the captured information, for example access data for Internet banking, for their own purposes without being disturbed.
The second factor is the far-reaching privileges that attackers gain from a remote access Trojan. The Trojan establishes a direct connection to the hacker and in many cases gives him full control over the system. Accordingly, the attackers are able to cause widespread damage. Potentially, the entire network is compromised. For the affected user and his system, all passwords stored on the computer are considered insecure.
The combination of these two factors makes for an enormously high threat situation. The Remote Access Trojan is also a popular choice for attacks in the context of Advanced Persistent Threats, i.e. targeted attacks. Here, the attackers select a specific organization or person because they are interested in specific information. This could be data stored on a system or access information that the target person has.
At the same time, remote access Trojans are difficult to detect. That is why attacks with such a Trojan repeatedly remain undetected for long periods of time. If hackers have access to systems for weeks or even months and have administrative rights, the entire network is at risk. In many cases, the attackers use this time to set up further backdoors or steal data on a large scale.
Examples of well-known Remote Access Trojans
The concept of a remote access Trojan is by no means new. One of the first known Trojans of this class, Back Orifice, was active as early as 1998. This Trojan specifically targeted Windows operating systems. The way it works has hardly changed over the years. Back Orifice already used the client-server architecture to grant the attacker control over the system.
PoisonIvy is another example of a remote access Trojan. This malware made repeated appearances over many years, including during the Nitro attacks in 2011, when nearly 50 major companies were the target of a large-scale espionage operation. PoisonIvy was used because the Trojan is capable of stealing passwords, transferring files, and taking screenshots of the screen contents.
How can Remote Access Trojans be detected?
Most remote access Trojans are very sophisticated. Due to their special mode of operation, they are able to evade classic IT security controls once they have reached the target system unnoticed. These include, above all, the firewall and virus scanners.
The remote access Trojan creates its own server on the compromised system. This also involves opening a port in the firewall. Thus, the first security measure is directly overcome. Then the Trojan independently connects to the hacker's system. For this purpose, the malware uses the principle of reverse connection. In other words, the infected system calls out to the attacker's client; the hacker himself does not actively attempt to connect inbound.
This special approach is what makes remote access Trojans so dangerous. However, there are techniques that can be used to detect these Trojans and prevent attacks. Active systems for early attack detection are suitable for this.
Early attack detection identifies unusual activity on the network. This is done by monitoring logs throughout the network. For example, early attack detection scans operating system and router logs. It is precisely in these logs that traces of remote access Trojan activity can be found. This includes, for example, the creation of a server for data transmission and changes to firewall settings. A computer connecting to an unknown IP address outside its own network is also a suspicious action. Such activities are immediately reported by the early attack detection system to those responsible in IT. They then have the opportunity to react immediately to the report and check the affected system and the log entries more closely. In this way, an attack by a remote access Trojan can be stopped as soon as the Trojan becomes active.
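The two preceding passages describe the traces a RAT leaves (a new firewall rule that lets inbound traffic through, and a reverse connection in which the infected host calls out to an address outside the organization on a schedule) and say that early attack detection finds them in logs. The following is an added example, not code from the original article or from any product it mentions; it runs simple detection logic over a handful of constructed log lines. The "timestamp host EVENT key=value" log format, the host names, the internal address ranges in INTERNAL_NETS and all IP addresses are constructed for the example.

```python
"""Detect RAT traces in logs: inbound firewall openings, outbound connections
to external addresses, and regular 'beaconing' to one external address.
All log lines, hosts, addresses and ranges below are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed assumption: the organization's own address ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample log. ws-17 opens an inbound port and then calls the same
# external address once a minute; ws-22 shows ordinary, irregular traffic.
SAMPLE_LOG = """\
2024-05-02T08:00:01 ws-17 FW_RULE_ADD name="svchost update" dir=in port=4444 action=allow
2024-05-02T08:00:05 ws-17 CONN src=192.168.10.17 dst=203.0.113.45 dport=443 proto=tcp
2024-05-02T08:01:05 ws-17 CONN src=192.168.10.17 dst=203.0.113.45 dport=443 proto=tcp
2024-05-02T08:02:05 ws-17 CONN src=192.168.10.17 dst=203.0.113.45 dport=443 proto=tcp
2024-05-02T08:03:05 ws-17 CONN src=192.168.10.17 dst=203.0.113.45 dport=443 proto=tcp
2024-05-02T08:00:30 ws-22 CONN src=192.168.10.22 dst=10.0.0.5 dport=445 proto=tcp
2024-05-02T08:00:40 ws-22 CONN src=192.168.10.22 dst=198.51.100.7 dport=443 proto=tcp
2024-05-02T08:07:12 ws-22 CONN src=192.168.10.22 dst=198.51.100.9 dport=80 proto=tcp
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(text):
    """Parse 'timestamp host EVENT key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line: skip rather than crash
        ts, host, kind, rest = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, **fields})
    return events


def is_internal(addr):
    """True if the address lies inside one of our own ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_firewall_openings(events):
    """A RAT that starts its own server must let inbound traffic through."""
    return [e for e in events
            if e["kind"] == "FW_RULE_ADD" and e.get("dir") == "in" and e.get("action") == "allow"]


def find_external_connections(events):
    """Connections from an internal host to an address outside our ranges."""
    return [e for e in events
            if e["kind"] == "CONN" and is_internal(e["src"]) and not is_internal(e["dst"])]


def find_beacons(events, min_count=4, jitter_seconds=5):
    """Reverse-connection RATs call home on a schedule: flag (src, dst) pairs
    whose connection times recur at a near-constant interval."""
    by_pair = defaultdict(list)
    for e in find_external_connections(events):
        by_pair[(e["src"], e["dst"])].append(e["ts"])
    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter_seconds:
            beacons.append({"src": src, "dst": dst, "count": len(times),
                            "interval_s": sum(gaps) / len(gaps)})
    return beacons


def analyze(text):
    """Run all three detections over a log and return the findings."""
    events = parse_log(text)
    return {
        "firewall_openings": find_firewall_openings(events),
        "external_connections": find_external_connections(events),
        "beacons": find_beacons(events),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for fw in report["firewall_openings"]:
        print(f"[FW] {fw['host']} opened inbound port {fw['port']} ({fw['name']})")
    for b in report["beacons"]:
        print(f"[BEACON] {b['src']} -> {b['dst']} every ~{b['interval_s']:.0f}s, {b['count']} times")
```

On the constructed sample, the firewall check flags the inbound rule on ws-17, and the beacon check singles out ws-17's once-a-minute connections to 203.0.113.45 while ws-22's two one-off external connections fall below the threshold. In a real deployment the thresholds (min_count, jitter_seconds) and the internal ranges would be tuned to the environment, and the external-connection list would be compared against known-good destinations before alerting.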
Conclusion on Remote Access Trojans
This form of Trojan poses a particular threat to networks due to its special attack vector. Companies and organizations in particular are repeatedly the focus of targeted attacks with RATs. There is no complete protection against these Trojans, as they enter the network in different ways. It is therefore important to concentrate on recognizing the specific attack patterns. These can be used to detect an active remote access Trojan in one's own network. Systems for early attack detection are suitable for this purpose.