RAT (Remote Access Trojan) Software Attacks Defined
A remote-access Trojan (or RAT) is software that allows a hacker to gain unauthorized access to a device.
With RAT, the hacker can do almost anything with the device. They could monitor your actions on that device or use your device to commit a crime or steal important information.
What Is a Remote-Access Trojan?
A RAT is a piece of software that gives a stranger the ability to watch anything you do on a device. That stranger can also do anything on your device you're able to do.
In essence, a RAT duplicates all of your data and permissions and hands them to someone else. And the capability to inflict harm comes in the form of a backdoor that remains open as long as the hacker wants it to.
Backdoors like this are notoriously hard to detect. For example, one installed in December 2018 wasn't discovered until April 2021.
As long as the door stays open, the risk remains. And the hacker can do and see almost anything, even if you don't want those activities to continue.
Hackers developed the earliest RAT malware applications in the late 1990s, and they were remarkably effective. For example, one version called SubSeven (or Sub7) stayed in touch with a central server after hackers deployed it, and as it updated, it became stronger and harder to remove.
How do you get infected with RAT software?
No one intends to hand control to a hacker. Unfortunately, it's very easy to get infected with RAT malware.
You might encounter the software through:
- Games. More than 150 million Americans play video games, and we often like to play with others in online environments. Each tap or click you make in a game like this could install malware.
- Email. RAT developers send official-looking notes with attachments called "Company Terms" or "DOT_JD_GM." Before you can open them, you must provide your company username and password. Doing so triggers malware installation.
- Websites. A safe-seeming URL you visit could be riddled with links that contain RAT capabilities.
- Social engineering. A hacker might pose as your company IT person and walk you through handing over access. In your conversation, you enable the imposter to take over your device.
In all of these instances, you do something that seems commonplace and normal. You tap, click, or talk. But those simple steps can have devastating consequences.
Why do hackers use RAT malware?
Every hacker is different, and they all enter the work with different goals and objectives. But in general, people use a tool like this for a few specific purposes.
A hacker uses RAT software to:
- Listen. The stranger monitors your keystrokes, including those involving usernames and passwords. The hacker might also turn on your camera and record video or take screenshots.
- Take over. A hacker could use your machine to shut down production, order new equipment, or otherwise do something you'd rather avoid.
- Steal. With your access, a stranger could dig into sensitive data. For example, the American government suggested in 2020 that China was trying to steal coronavirus research via backdoors.
- Tamper. A hacker could try to disrupt a process, either for profit or for another purpose. For example, hackers used backdoors in Louisiana during the 2020 elections for a purpose yet unknown.
- Grow. A hacker could spread the malware to other computers, creating a botnet that they could deploy in future attacks.
With RAT software, an intruder can do almost anything to or with a device. It's nearly impossible to list all of the things someone could do.
Can you defeat a RAT software attack?
Protecting your assets is critical, and your work should progress on two fronts.
Let's begin with cleanup. If you are infected with RAT software:
- Notify. Tell your network administrator about the problem. Other devices within your organization may also need help.
- Clean. Update any software programs you have on your device, and run several virus scans.
- Assess. If you're unable to scrub the infection from your device, reinstall your operating system.
- Monitor. Watch your company's assets very carefully to ensure you're protected from the fallout. And look over your credit card statements too.
If you aren't sure that you're infected but you know the risk is real, you can:
- Update. Make sure you're running current versions of all software and that your operating system is up-to-date.
- Check. Don't open email attachments or give out sensitive data without talking to your IT team first.
- Monitor. Run virus scanners regularly.
Some RAT software developers use an approach they call "advanced persistent threats." These attacks unfold very slowly, and they can be remarkably dangerous. We've written up a description of this technique on our blog, and we encourage you to check it out.
References
New Lazarus Backdoor Discovered. Bogus Clubhouse Ads Served Ransomware. Cryptojacking Goes to School. Strategic Competition. (April 2021). The Cyberwire.
What Is SubSeven? (2000 to 2002). SANS Institute.
More Than 150 Million Americans Play Video Games. (April 2015). Entertainment Software Association.
ObliqueRAT Linked to Threat Group Launching Attacks Against Government Targets. (February 2020). ZD Net.
Social Engineering Explained: How Criminals Exploit Human Behavior. (September 2019). CSO.
Mikroceen RAT Backdoors Asian Government Networks in New Attack Wave. (May 2020). ZD Net.
Exclusive: National Guard Called In to Thwart Cyberattack in Louisiana Weeks Before Election. (October 2020). Reuters.