Remote Access Trojans (RAT): Sophisticated and difficult-to-detect malware
Remote Access Trojans are a threat to businesses, citizens, and organizations in critical sectors such as healthcare
VenomRAT, MysterySnail RAT, NodeSnake RAT, ResolverRAT, StilachiRAT… The list of recently detected Remote Access Trojans (RATs) is extensive.
Although banking trojans have captured the media’s and public’s attention because they allow criminals to take control of their victims’ bank accounts and make fraudulent payments, remote access trojans are not only used for this purpose.
In fact, there has been a recent proliferation of remote access trojans targeting the healthcare and pharmaceutical sectors, aiming to access patients’ medical information or steal valuable intellectual and industrial property.
While profits from ransomware attacks are declining as companies fortify themselves against this type of malware and fewer companies are willing to pay ransoms, the use of infostealers or remote access trojans is on the rise.
Why? They allow malicious actors to remain undetected for long periods within the organizations they attack, enabling them to obtain a wealth of extremely valuable information: financial data, strategic documents, customer data, trade secrets, etc.
1. How remote access trojans work and why they are so dangerous
Let’s start at the beginning. What are remote access trojans or RATs? They are a type of malware that hides in seemingly legitimate software, mobile applications, or executable files that victims download to their devices without realizing that they are opening the door to a malicious program.
Similarly, in recent months, the ClickFix technique has been used to get victims to copy and execute malicious code. This is how AsyncRAT, for example, was distributed.
On the other hand, we must bear in mind that, as with other types of malware, remote access trojans can also reach victims’ devices by exploiting 0-day or unpatched vulnerabilities.
Once on the victims’ computers, remote access trojans can, as their name suggests, facilitate remote access by malicious actors to infected devices.
This allows attackers to carry out spying activities: taking screenshots or monitoring in real time, collecting credentials stored in browsers, launching applications, obtaining additional permissions, accessing conversations in applications such as WhatsApp, and even downloading other malicious applications.
The most sophisticated remote access trojans are particularly dangerous because they are not only capable of connecting to the malicious actors’ command-and-control servers but are also designed to evade detection mechanisms and to persist on infected devices.
How? For example, by deleting logs, opening the door to manipulation of the device’s operating system, or connecting to the command-and-control server at random intervals so that no fixed pattern is available for automated solutions to detect.
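Beaconing at randomized intervals defeats detectors that look for an exact period, but the jitter a RAT adds is usually bounded, so the distribution of gaps between connections still stands out against human browsing. The following is an added example, not code from the original article or from any of the RAT families it names: it parses constructed proxy log lines (the timestamp/source/destination/bytes format and all hostnames and thresholds are assumptions for the illustration) and flags host pairs whose inter-arrival gaps cluster tightly around their median.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of proxy log lines (not from any real incident).
# Assumed format: "<ISO timestamp> <src_ip> <dst_host> <bytes_out>"
# The first six lines are ordinary, bursty browsing; the rest are a
# beacon firing roughly every minute with random jitter.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.7 cdn.example-news.test 1200
2024-05-01T09:00:02 10.0.0.7 cdn.example-news.test 800
2024-05-01T09:00:03 10.0.0.7 cdn.example-news.test 15000
2024-05-01T09:12:41 10.0.0.7 cdn.example-news.test 900
2024-05-01T09:12:42 10.0.0.7 cdn.example-news.test 700
2024-05-01T09:47:10 10.0.0.7 cdn.example-news.test 1100
2024-05-01T09:00:00 10.0.0.7 updates.c2-placeholder.test 310
2024-05-01T09:00:52 10.0.0.7 updates.c2-placeholder.test 305
2024-05-01T09:02:01 10.0.0.7 updates.c2-placeholder.test 312
2024-05-01T09:02:58 10.0.0.7 updates.c2-placeholder.test 308
2024-05-01T09:04:05 10.0.0.7 updates.c2-placeholder.test 311
2024-05-01T09:04:59 10.0.0.7 updates.c2-placeholder.test 307
2024-05-01T09:06:07 10.0.0.7 updates.c2-placeholder.test 309
2024-05-01T09:07:02 10.0.0.7 updates.c2-placeholder.test 306
"""


def parse_log(text):
    """Group (timestamp, bytes) events by (source, destination) pair."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        sessions[(src, dst)].append((datetime.fromisoformat(ts), int(size)))
    return sessions


def interval_regularity(times, tolerance=0.3):
    """Return (fraction of gaps within +/-tolerance of the median gap, median gap).

    A fixed-period detector would require every gap to be identical; this
    tolerates the bounded jitter a beacon adds while still separating it
    from the heavy-tailed gaps of interactive use.
    """
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return 0.0, 0.0
    median = statistics.median(gaps)
    if median == 0:
        return 0.0, 0.0
    inside = sum(1 for g in gaps if abs(g - median) <= tolerance * median)
    return inside / len(gaps), median


def find_beacons(text, min_events=6, threshold=0.8, tolerance=0.3):
    """Flag (src, dst) pairs whose connection gaps are suspiciously regular."""
    hits = []
    for (src, dst), events in parse_log(text).items():
        if len(events) < min_events:
            continue
        score, median = interval_regularity([t for t, _ in events], tolerance)
        if score >= threshold:
            hits.append((src, dst, round(score, 2), median))
    return hits


if __name__ == "__main__":
    for src, dst, score, median in find_beacons(SAMPLE_LOG):
        print(f"possible beacon {src} -> {dst}: regularity={score}, median gap={median}s")
```

The thresholds (at least six connections, 80% of gaps within 30% of the median) are illustrative; in a real deployment they are baselined against the organization’s own traffic, and pairs that match are then enriched with destination reputation and process context rather than alerted on directly.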
2. Banking information, a dark object of desire for actors using remote access trojans
The use of banking trojans has not ceased in recent years. Why? Financial institutions are continually improving their security mechanisms.
It should come as no surprise that banks are the most fortified organizations in cybersecurity, leading innovation in the sector and are required to comply with an increasingly demanding regulatory framework focused on their cyber resilience against attacks.
That is why malicious actors have turned their attention to the customers of financial institutions: businesses and citizens.
In this regard, banking trojans allow attackers to infect personal and corporate mobile devices, thereby intercepting online account credentials or even taking control of devices and carrying out fraudulent transactions.
For example, a few weeks ago, the use of Klopatra, a Trojan capable of superimposing fake home screens on financial applications and cryptocurrency wallets to steal access credentials and send them to a command-and-control server, was made public. But Klopatra can also dim the screen to make the phone appear inactive, launch a banking application, and make fraudulent payments without the victim noticing.
This case shows how malicious actors with extensive knowledge and resources can design remote access trojans that are increasingly technically complex, designed to go unnoticed and persist until the malicious actors achieve their objectives.
Along the same lines, we can point to another recent example: Sturnus. This RAT allows attackers to access their victims’ communications in applications such as WhatsApp or Telegram, make bank transfers from the applications, carry out multi-factor authentication, and confirm payment validation requests. All the while, a fake screen appears on the infected mobile phone, informing the user that an Android system update is being carried out.

3. Many remote access trojans have cryptocurrencies in their sights
Klopatra also highlights that remote access trojans targeting the financial sector are not only designed to steal money but also to steal cryptocurrencies.
We are all aware of the boom in cryptocurrencies over the last decade. Today, millions of people invest in these digital assets and have the wallet and exchange applications they use installed on their mobile devices.
Cybercriminals are aware of this, and gaining access to cryptocurrency wallets to drain them is an increasingly common goal for criminal groups that develop remote access trojans.
A good example of this is one of the most notorious trojans of the last year, StilachiRAT. In this case, we are not dealing with malware for mobile devices, but for computers.
This malicious program can scan the configuration data of 20 Google Chrome wallet extensions on Windows computers, and extract and decrypt credentials stored in the browser or the clipboard. All this is done with maximum stealth, using anti-forensic tactics, deleting logs, and implementing sandbox-escaping behaviors so the security system does not detect the malware.
These examples show that remote access trojans (RATs) are indeed becoming increasingly dangerous because their ability to provide information to malicious actors and to allow them to take control of devices is growing. In addition, the criminal groups that develop them are focusing their efforts on ensuring the malware remains undetected and on subverting security mechanisms to guarantee its persistence.
4. The healthcare sector, a new target for groups using remote access trojans
Are remote access trojans only used in the financial sector? Of course not.
In fact, cybersecurity researchers have detected that criminal groups are using highly sophisticated remote access trojans against healthcare organizations and pharmaceutical companies. A good example of this is the ResolverRAT malware.
This Trojan can exfiltrate data from infected computers and even fragment large files to blend malicious traffic with normal traffic.
In a healthcare setting, this gives attackers access to critical information, such as patients’ medical records and test results. It is also important to note that both healthcare centers and, above all, pharmaceutical companies store critical documentation on patents, which are worth millions.
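Splitting a large file into many small uploads defeats any rule that alerts on a single oversized request. A defender’s counter is to aggregate outbound volume per host pair over a time window. The block below is an added example, not code from the article or from ResolverRAT analysis: it runs a naive per-request size rule and a windowed aggregation over constructed proxy records (the record format, hostnames, chunk size and thresholds are all assumptions) and shows that only the aggregation catches the fragmented transfer.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not from any real incident).
# Assumed format: "<ISO timestamp> <src_ip> <dst_host> <bytes_out>"
# Legitimate mail traffic includes one large attachment upload; the second
# destination receives twenty 64 KiB chunks within five minutes.
MAIL_LINES = """\
2024-05-01T14:00:00 10.0.0.21 mail.example-corp.test 48000
2024-05-01T14:20:00 10.0.0.21 mail.example-corp.test 52000
2024-05-01T15:10:00 10.0.0.21 mail.example-corp.test 1200000
"""
EXFIL_CHUNKS = "\n".join(
    f"2024-05-01T14:{i // 4:02d}:{(i % 4) * 15:02d} 10.0.0.21 "
    f"sync.chunked-exfil-placeholder.test 65536"
    for i in range(20)
)
SAMPLE_LOG = MAIL_LINES + EXFIL_CHUNKS + "\n"


def parse_log(text):
    """Group (timestamp, bytes_out) events by (source, destination) pair."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        sessions[(src, dst)].append((datetime.fromisoformat(ts), int(size)))
    return sessions


def per_request_alerts(text, max_chunk=100_000):
    """Naive rule: alert on any single upload above max_chunk bytes.

    This fires on the legitimate attachment and misses every chunk of the
    fragmented transfer, because each chunk is individually small.
    """
    return [(src, dst, n)
            for (src, dst), events in parse_log(text).items()
            for _, n in events if n > max_chunk]


def find_chunked_uploads(text, window=timedelta(minutes=10), min_requests=10,
                         min_total=1_000_000, max_chunk=100_000):
    """Flag host pairs that send many small uploads adding up to a large total.

    Only requests at or below max_chunk are counted, so the rule targets
    fragmented transfers specifically; each pair is reported at most once.
    """
    hits = []
    for (src, dst), events in parse_log(text).items():
        chunks = sorted((t, n) for t, n in events if n <= max_chunk)
        j = 0
        for i in range(len(chunks)):
            # Advance j to the first event outside the window starting at i.
            while j < len(chunks) and chunks[j][0] - chunks[i][0] <= window:
                j += 1
            in_window = chunks[i:j]
            total = sum(n for _, n in in_window)
            if len(in_window) >= min_requests and total >= min_total:
                hits.append((src, dst, len(in_window), total))
                break
    return hits


if __name__ == "__main__":
    print("per-request rule:", per_request_alerts(SAMPLE_LOG))
    print("windowed rule:   ", find_chunked_uploads(SAMPLE_LOG))
```

The windowed rule would also be noisy on backup agents and cloud-sync clients, so in practice the destination is checked against an allow-list of sanctioned services before an alert is raised, and the chunk sizes themselves (here a constant 65536 bytes) are a useful secondary signal.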

5. Companies and individuals of interest are also targets of remote access trojans
As we noted earlier, ransomware attacks are on the decline, leading some ransomware-specializing criminal groups to modify their attack strategies.
For example, Interlock, one of the most notorious ransomware groups in recent years, has shifted its strategy to use remote access trojans against companies in multiple sectors. The goal? To launch long-term espionage campaigns.
The NodeSnake RAT Trojan used by Interlock can encrypt communications with the command-and-control server, record victims’ keystrokes, collect corporate software access credentials, and evade automated detection tools used by companies.
Interlock also uses NodeSnake RAT in combination with ransomware. This means that after deploying ransomware, the criminal group can re-establish access to the attacked company through dormant RAT implants, allowing it to keep accessing the company’s systems and networks.
On the other hand, and as a consequence of their very nature, remote access trojans are ideal malware for spying on people of interest such as political leaders, businesspeople, or executives. An example of this is MysterySnail RAT, a Trojan used since 2021 that, this year, was leveraged by a Chinese advanced persistent threat (APT) group in a new version to infiltrate the Russian government.
6. How companies can fight remote access trojans
There is no magic formula for preventing or detecting remote access trojan infections as early as possible. However, some cybersecurity services are critical when it comes to developing a strategy to combat them:
- Social engineering testing. The origin of most remote access trojan attacks lies in social engineering. Therefore, companies must train their professionals and assess their ability to handle the latest social engineering techniques through simulated attacks.
- Vulnerability management. The criminal groups behind remote access trojans also exploit vulnerabilities in corporate systems to infect them, move laterally, and persist. Vulnerability management is a critical aspect of any cybersecurity strategy.
- Continuous security audits. Many remote access trojans can evade automated analysis tools. However, security audits combine the use of these solutions with analysis by cybersecurity experts who can detect malicious activity in corporate systems using data from automated tools.
- Threat Hunting. Behind many remote access trojans are APT groups that are constantly evolving their techniques, tactics, and procedures. That is why Threat Hunting services are critical in this area. They specialize in detecting complex threats early and investigating them proactively. Threat Hunters work with compromise hypotheses to anticipate attackers and respond to a malicious operation before it generates a security event.
- Red Team services. The knowledge generated by the Threat Hunting team can be used to design 100% realistic Red Team scenarios focused on the use of remote access trojans. In this way, a company can assess its ability to withstand an attack of this type, train the professionals responsible for its defense, and optimize its prevention, detection, and response mechanisms based on the Red Team’s recommendations.
In short, remote access trojans (RATs) are a major threat not only in the financial sector but also in healthcare, large companies, and critical sectors, as well as for people who hold high-level public office or management positions in companies.
Given that remote access trojans are becoming increasingly difficult to detect and that malicious actors are constantly developing more advanced malware, companies must invest in cybersecurity and adapt their strategies to protect themselves against the most innovative techniques, tactics, and procedures.