A remote access trojan (RAT) is a type of trojan malware designed to grant an attacker remote control over an infected computer. Once the RAT is running on the computer, its operator can send it commands to collect data or perform other malicious actions. Some RATs are built as modular software, allowing them to offer a wide range of capabilities and to download other malware to the system.
RATs are dangerous because they’re commonly used to provide the attacker with an initial foothold on an infected system. Using it, the attacker can perform reconnaissance, take different malicious actions, or download and deploy other malware (ransomware, etc.) to carry out specialized attacks.
RATs are often one of the first pieces of malware that an attacker installs on an infected computer. If they don’t infect the computer directly, they’re installed by dropper or downloader malware designed solely to slip past an organization’s defenses and install more sophisticated malware.
Cyber threat actors use various methods to infect a computer with RATs. Some common examples include:
Phishing Attacks: Phishing is a common vector that attackers use to gain initial access to an organization’s environment. A RAT may be included in a malicious attachment or downloaded from a phishing website linked from the email.
Infected Websites: Some attackers deploy their own phishing sites or attempt to infect legitimate ones with malware. Visitors to the site are encouraged to download files containing RATs.
Software Vulnerabilities: Some cyberattack campaigns involve exploiting vulnerable software to infect systems with malware. Remote code execution (RCE) and similar vulnerabilities allow an attacker to run malicious code on a device, including downloading and launching a RAT.
Compromised Credentials: Attackers can use guessed or breached credentials to deploy malware in an organization’s environment. With legitimate access, the attacker can download and run the malware directly, expanding their access to the system.
Droppers/Downloaders: Some cyberattacks use multi-stage malware where one malware downloads and runs another. This may involve infecting a system with a downloader or dropper that loads and runs the RAT on the system.
After being executed on a device, RATs typically engage in information collection. Some common tactics include:
Collecting information about the infected system (name, OS, usernames, etc.)
Identifying files of interest for exfiltration
Gaining access to keystrokes, microphone, and webcam
This and other information collected by the malware will be exfiltrated to the RAT operator. This provides additional context for them to plan their attack. For example, a RAT that infects a particularly high-value target may be a focus for data theft, while other infected systems may just be added to a botnet.
RATs also commonly conceal their presence on a system and strengthen their foothold. This could include taking steps to hide from endpoint security systems and establishing persistence mechanisms that reinstall or relaunch the RAT after it is deleted or after a system restart.
The primary purpose of a RAT is to provide an attacker with remote access to and control over an infected system. For this to occur, the malware and its operator need to be able to communicate with one another.
Most RATs communicate over the network while taking steps to conceal their command and control (C2) channels from detection. For example, a RAT may be configured to make HTTPS requests to an attacker-controlled domain so that exfiltrated data and commands to the malware can be included in the requests and responses. This both conceals the RAT’s communications in a common type of traffic and allows the data to be encrypted, reducing the risk of detection.
RATs can be extremely versatile malware, and different variants have different areas of focus. Some common capabilities of RATs include:
Keylogging: Keyloggers are designed to log each keystroke that a user makes on a computer or other infected device. This enables an attacker to collect passwords, payment card information, and other sensitive data typed into the device.
Surveillance: Some RATs have surveillance capabilities designed to monitor the device owner’s activities. For example, these RATs may use the device microphone and camera to spy on the target or use geolocation on mobile devices to track the user’s movements.
Data Exfiltration: Many RATs include the ability to collect and exfiltrate potentially sensitive data on compromised devices. For example, a RAT may scan files with document extensions (docx, pdf, etc.) for keywords or other sensitive data and exfiltrate any matches.
Rootkit: A rootkit is malware that conceals its own presence and that of other malware on the system. For example, it might intercept requests to list the files in a folder or the processes running on a system and remove the entries associated with the malware before allowing the request to complete.
Botnet: RATs may also add an infected device to a botnet to allow it to be used in automated attacks. Devices in a botnet are commonly used to perform distributed denial-of-service (DDoS) attacks, credential stuffing, and vulnerability scanning on the attacker’s behalf.
RATs pose a significant threat to organizations and individuals alike because they provide an attacker with remote access to and control over a compromised device. Some of the potential impacts include:
Data Theft: RATs commonly scan infected devices looking for sensitive and valuable data. This could include corporate data or an individual’s personal information.
Spying and Stalking: RATs installed on a device can often access its camera, microphone, and GPS (if applicable). This allows the attacker to spy on their target, potentially enabling them to collect blackmail material or other information about the target’s habits.
Multi-Stage Threats: Often, a RAT is the first stage in an attack. The attacker may use their access for other purposes, such as running ransomware or using the device in a botnet.
Botnets can target an organization or an individual. Some cybercrime groups use RATs as part of their standard attack campaign. For example, Mustang Panda, an APT group, is well-known for deploying PlugX, a RAT, as part of their attacks targeting governments around the world.
High-profile individuals may also have their devices infected with RATs. One famous example is the Pegasus malware, which was developed by the NSO Group and made accessible to governments to monitor journalists or members of the opposition.
The first step to remediating a RAT infection is identifying its presence on a system. Some potential indicators of compromise (IoCs) include:
Anomalous Network Activity: RATs are designed to accept commands from their operator and exfiltrate data from an infected system. This can result in unusual network activity, which can be a sign of infection.
Degraded System Performance: Some applications of RATs — such as participating in a botnet — can consume significant system resources. If a system suddenly becomes slower, this could be a sign of infection.
Unauthorized Access Attempts: RATs will often scan a computer’s filesystem for sensitive data and the network for other systems to infect. Failed access attempts in log files could be a sign of infection.
Security Software Alerts: Antimalware and other security software is designed to identify the presence of RATs and other threats on a system. Alerts from these systems are a strong sign of infection.
While RATs can be detected via all of these means, antimalware is the best defense against potential infections. Installing reputable software on every system and configuring it to perform regular updates and scans is the best way to identify infections on a device.
Organizations can also implement other security best practices to help with identifying RATs. For example, monitoring network traffic and access requests can help to identify if malware is communicating with an attacker or attempting to move laterally through an organization’s network.
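One way to put the network-monitoring advice above into practice, as an added example that is not part of the original article: the periodic HTTPS check-ins described earlier show up in proxy logs as near-fixed-interval requests from one client to one host, which can be separated from ordinary browsing by the regularity of the gaps between requests. The log format, hosts, client addresses and blocklist below are constructed placeholders, not real indicators.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample web-proxy log lines (not from any real system):
# "<timestamp> <client_ip> <method> <destination_host> <bytes_out>"
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 POST updates.example-cdn.test 512
2024-05-01T09:00:30 10.0.0.5 POST updates.example-cdn.test 498
2024-05-01T09:01:00 10.0.0.5 POST updates.example-cdn.test 505
2024-05-01T09:01:31 10.0.0.5 POST updates.example-cdn.test 510
2024-05-01T09:02:00 10.0.0.5 POST updates.example-cdn.test 501
2024-05-01T09:05:00 10.0.0.5 GET www.example.org 1200
2024-05-01T09:12:40 10.0.0.5 GET www.example.org 80
2024-05-01T09:13:10 10.0.0.5 GET www.example.org 3400
2024-05-01T09:40:00 10.0.0.5 GET www.example.org 150
2024-05-01T09:41:05 10.0.0.5 GET www.example.org 95
2024-05-01T09:20:00 10.0.0.7 GET known-bad.test 300
"""

BLOCKLIST = {"known-bad.test"}  # hypothetical placeholder, not a real IoC

def parse_log(text):
    """Yield (timestamp, client, host) from each log line."""
    for line in text.splitlines():
        ts, client, _method, host, _bytes = line.split()
        yield datetime.fromisoformat(ts), client, host

def find_beacons(text, min_hits=5, max_cv=0.2):
    """Return (client, host, mean_gap_seconds) for near-periodic contact.
    A low coefficient of variation (stdev / mean) of the gaps between requests
    means the host is polled on a fixed schedule, as a RAT does for commands."""
    seen = defaultdict(list)
    for ts, client, host in parse_log(text):
        seen[(client, host)].append(ts)
    beacons = []
    for (client, host), stamps in seen.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean < max_cv:
            beacons.append((client, host, round(mean, 1)))
    return beacons

def find_blocklisted(text):
    """Return (client, host) pairs that contacted a blocklisted domain."""
    return sorted({(c, h) for _, c, h in parse_log(text) if h in BLOCKLIST})
```

On the sample log, the 30-second POSTs to updates.example-cdn.test are reported as a beacon while the irregular browsing to www.example.org is not; real check-ins often add jitter, so max_cv is a tuning knob rather than a fixed rule.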
The best way to manage the risk posed by a RAT is to prevent infections from occurring in the first place. This includes blocking common infection vectors via the following best practices:
Email Filtering: Phishing is a common attack vector for RATs and other malware. Email filtering solutions can identify malicious attachments or links in an email and block phishing emails from reaching a user’s inbox.
Employee Training: RATs commonly attempt to trick users into clicking on a link or opening a file containing malicious content. Training users to recognize these threats and respond appropriately prevents malware from achieving initial access to a device.
Network Security Practices: Organizations can implement various network security measures to manage the threat of RATs. For example, implementing IP and DNS filtering for known malicious domains can stop downloads of RATs from malicious sites or cut off a RAT’s communications with its operator.
Network Security Solutions: Deploying network security solutions, such as firewalls and intrusion detection and prevention systems (IDS/IPS), can provide invaluable visibility into and control over network traffic. An IDS/IPS can identify malware or C2 communications in network traffic and trigger incident response.
Extended Detection and Response: XDR technology can be extremely useful in detecting activity associated with a RAT. This includes the ability to identify network connections to known malicious IPs, detection of lateral movement and data exfiltration across the network, and creation of unauthorized accounts with elevated access in identity systems.
Installing Updates Promptly: Some RATs spread by exploiting software vulnerabilities. Using a patch management solution and promptly installing updates closes these security gaps before an attacker can exploit them.
Secure Code Practices: Secure coding best practices attempt to find and fix software vulnerabilities during development. By eliminating these risks before they reach production, an organization eliminates the potential for them to be exploited to deliver a RAT.
An organization should implement defense in depth to protect against RATs and other malware. For example, it might use email scanning to identify and block phishing emails while also training users to identify and defend against these threats. If the RAT slips through these defenses, antimalware and IDS/IPS tools can detect the RAT or its communications, enabling the organization to remediate the infection.
In the event that an organization’s systems have been infected by a RAT, they can remove the malware via the following steps:
Identifying Infected Systems: RATs can be detected on a system via various means, including alerts from an antimalware system. Once a RAT has been identified on one system, an organization can trace the attack vector and the RAT’s actions to identify other potentially infected systems. For example, some RATs may gain initial access to an environment via phishing but spread by infecting USB drives plugged into an infected computer.
Using Antimalware Tools: Antimalware tools are generally the best way to remove a RAT from an infected computer. With knowledge of how a RAT behaves on an infected system, they are able to delete the files and configuration settings associated with it. Simply deleting the malicious executable without these tools may be ineffective, as many RATs have built-in persistence mechanisms to reinstall themselves after being deleted or after a system reboot.
System Restoration Techniques: Ideally, an antimalware solution will be able to remove all traces of a RAT, restoring an infected system to a clean state. If this isn’t the case, it might be necessary to restore the system from a clean backup. If the RAT launched follow-on attacks (e.g. ransomware infection) it may be necessary to restore encrypted data from backups as well.
Continuous Monitoring and Follow-Up: Removing the RAT or performing a system restore should fix the issue, but it’s possible that a persistence mechanism may have been overlooked. For example, a USB drive may have been infected as well and reinfects the system when it is plugged back in. By continuing to monitor the system, the organization can verify that remediation was successful and the threat was eliminated.
Preventing Future Attacks: While removing a RAT fixes the current problem, it doesn’t address the risk of future attacks. Investigating the attack vector used by it enables security teams to deploy additional defenses to prevent the organization from being attacked in the same way in the future.
Remcos: Remcos is a RAT that spreads via phishing emails using infected Microsoft Office documents. Its capabilities include keylogging, screenshots, and audio recording.
AgentTesla: AgentTesla is a RAT focused on stealing information and keylogging. It can collect credentials stored on a user’s computer, including those associated with browsers and other common software.
AsyncRAT: AsyncRAT is a modular RAT with the ability to download and run various plugins based on the attacker’s instructions. It targets Windows environments and is distributed via various methods, including fake browser updates.
NanoCore: NanoCore includes various capabilities, such as surveillance and cryptocurrency mining on infected devices. The malware was first discovered in the wild in 2013 and undergoes regular updates.
DarkGate RAT: DarkGate RAT uses various infection chains, such as malicious Microsoft Office documents and URL shortcut files. It has a wide range of potential capabilities, including credential theft, cryptocurrency mining, and loading other malware.
Remote access trojans exist in a legal and ethical gray area. The software itself and its capabilities aren’t necessarily malicious. In fact, system administrators commonly use tools that resemble RATs to perform remote configuration and management of systems under their care.
For example, tools like TeamViewer and the Remote Desktop Protocol (RDP) provide remote monitoring and management capabilities like a RAT. There are also applications used by legitimate businesses to monitor remote employees’ productivity that use keylogging and surveillance capabilities similar to those of RATs.
In the end, the legal and ethical aspects of RATs come down to how they are used. If a RAT is used for legitimate system or business administration with the consent of the system owner and users, then using RAT-like software is legal and ethical. If this is not the case, then the use case has questionable legality and ethics.
RATs pose a significant threat to the security and privacy of organizations and individuals alike. This malware is designed not only to let attackers collect and steal sensitive data but also to spy on users and perform other malicious actions.
Bitdefender’s Endpoint Security solutions offer robust RAT detection and remediation capabilities. ML-powered threat detection rapidly identifies known and novel RAT variants alike. GravityZone Network Attack Defense can detect and block lateral movement from one infected endpoint to another, a common tactic used by threat actors.
GravityZone XDR offers sensors to monitor activity across networks, systems, productivity applications, cloud workloads, and identity platforms that are associated with cybercriminal movement, including that associated with RATs.
GravityZone Security for Mobile provides advanced protection to iOS, Android, and Chromebook devices against cyber attacks including RATs.
RATs are designed to spy on their targets and enable an attacker to perform malicious activities on an infected device. If a program asks for unnecessary permissions — such as access to a camera or microphone — or a computer is behaving oddly, it may be infected by a RAT.
Yes, smartphones and other mobile devices can be infected by mobile RATs. These may masquerade as legitimate apps downloaded from an appstore or be installed by exploiting vulnerabilities in a mobile OS.
Malicious downloads are a common delivery vector for RATs, so checking a download before trusting it is always a good idea. If your antimalware doesn’t automatically scan the file, you can manually trigger a scan before opening or running a file.