|Oct / 01 / 2015|
|Zoltan Balazs, @zh4ck|
RATs (Remote Admin Tools a.k.a Remote Access Trojans) are mainly used by two groups. Script kiddies and nation state attackers. Script kitties love RATs because of the easy to use GUI, no hacking knowledge is needed. They can spy on the victims webcam, pop-up new websites, or just steal Paypal passwords. Nation state attackers like RATs because it is easier to blend in, and attribution becomes harder (in theory, not in reality). And they get all the functionality they want, upload and download files, remote code execution, etc.
I have checked the following “public” RAT’s. Public RAT means everyone can download it or buy it easily:
And the following “private” RATs, which means nation state attackers use it mostly:
There are of course a lot of RAT’s which have been developed by APT groups which are not listed here.
The following public RAT’s (the official, public versions) support proxies:
The following “private” RAT’s support proxies:
Let’s assume that script kiddies don’t target governments and big corporations usually, and when these are attacked, it is done by another government with high probability. Now check the news for the headlines with RATs without proxy support:
2014 January: Xtreme RAT, Victim: Israeli Defense Ministry, http://www.tripwire.com/state-of-security/latest-security-news/israeli-defense-systems-hacked-xtreme-rat-trojan/
2012 November, Xtreme RAT, Victims: governments of the Israel, US, UK, Turkey, Slovenia, Macedonia, New Zealand, and Latvia http://blog.trendmicro.com/trendlabs-security-intelligence/new-xtreme-rat-attacks-on-usisrael-and-other-foreign-governments/
2014 June, Xtreme RAT, Victims: Palestinian and Israeli surveillance targets, Government departments in Israel, Turkey, Slovenia, Macedonia, New Zealand, Latvia, the U.S., and the UK, The Office of the Quartet Representative, The British Broadcasting Corporation (BBC), A major U.S. financial institution, Multiple European government organizations http://securityaffairs.co/wordpress/25533/cyber-crime/fireeye-molerats-attacks-xtreme-rat.html
2013 July, multiple RAT, Victims: Truecaller, Tango, Viber https://www.fireeye.com/blog/threat-research/2013/07/syrian-electronic-army-hacks-major-communications-websites.html
2014 March, NJRat, http://www.symantec.com/connect/blogs/simple-njrat-fuels-nascent-middle-east-cybercrime-scene
The fact that these organizations were targeted does not mean they did not have proxy and firewall properly set. It does not mean the attack was successful. But the fact that attackers are using it for a while means they are successful enough. Also I might be wrong according some samples’ proxy support, or I just tested an old version. If you spot any mistakes, let us know!
Which means that if a company follows basic security rules, most RATs does not have a chance:
Actually, the first four can be implemented with free, open-source tools (e.g. Squid, iptables), and by implementing these, it is pretty much efficient against most RATs.
If you have any particular APT related RAT, and you have the possibility to test it’s proxy support, let us know the results!