Top five remote access trojans
Once a hacker has gained initial access to a target machine, extending and strengthening that foothold is the next logical step. In a phishing attack, this means using malware to build on the access the email provided.
A common way to extend a beachhead on the target machine is a Remote Access Trojan (RAT). This type of malware is designed to let a hacker control the target machine remotely, with the same level of access a remote system administrator would have. In fact, some RATs derive from, or are built on, legitimate remote administration toolkits.
The primary evaluation criterion for a given RAT is how well it lets a hacker accomplish their goals on the target computer. Different RATs are specialized for certain purposes, but many of the top RATs are designed to provide a great deal of functionality across a variety of systems.
The top RATs
Many different remote access Trojans exist, and some hackers modify existing ones or develop their own to better suit their preferences. Different RATs are also designed for different purposes, with RATs built for particular targets (desktop vs. mobile, Windows vs. Apple and so on).
Comparing different RATs across the board is like comparing apples to oranges. However, some RATs stand out from the rest in their particular areas of expertise.
1. The hacker’s choice: FlawedAmmyy
When trying to identify which malware is most effective, it is useful to see what hackers are actively using. When it comes to RATs, FlawedAmmyy stands out as a clear modern favorite.
FlawedAmmyy is a RAT developed from the leaked source code of the Ammyy Admin remote administration software. It has been used in a variety of malware campaigns, and made history in October 2018 when it entered Check Point's list of the top 10 malware threats of the month. This was the first time a RAT had made the list, and it was a result of the growth of malware campaigns pushing the RAT. Since then, FlawedAmmyy has continued to appear in incidents attributed to various hacking groups.
Because it was derived from a legitimate remote administration tool, FlawedAmmyy has a variety of built-in features. It gives the operator the ability to access the file system, capture screenshots, and take control of the microphone and camera.
2. Free and open-source: Quasar
For those who want a free and open-source RAT (so the source can be audited for backdoors), the Quasar RAT is widely recommended. Quasar is written in C# and is available on GitHub. It was first committed in July 2014 and has received active updates since then.
Quasar is billed as a lightweight remote administration tool that runs on Windows. However, it has a wide range of functionality marketed for "staff monitoring" that is just as useful to an attacker: keylogging, the ability to open remote shells, and downloading and executing files. Its feature set and stability (due to frequent updates) make it a popular choice. That popularity cuts both ways: because the code is public, its default strings and behaviour are well known to detection vendors, which is one reason attackers modify or repack it rather than deploy it as-is.
3. Mobile access (iOS): PhoneSpector
In the mobile market, RATs are advertised as solutions to help parents monitor their child's phone use or to help employers monitor how employees use company-owned devices. There are iOS monitoring applications that do not require jailbreaking the target device.
One of these is PhoneSpector, which bills itself as a tool for parents and employers but behaves like malware. Installation requires getting the device owner to click a link and enter a product key on their device, which makes deployment a social-engineering exercise rather than an exploit. Once installed, it monitors the device while remaining undetectable to the user.
PhoneSpector gives the operator the ability to monitor a wide variety of activity on the device, including phone calls and SMS messages (even deleted ones) as well as app activity. PhoneSpector even provides a customer service helpline in case the operator gets in a bind.
4. Mobile access (Android): AndroRAT
Android's larger market share and more permissive app-distribution model mean that more malware has been developed for it than for iOS. The same is true of RATs, and one of the best-known Android RATs is AndroRAT.
AndroRAT was originally developed as a research project demonstrating the ability to remotely control Android devices, but it has since been adopted by criminals. The original source code is available on GitHub and provides a wide variety of features.
Despite the age of the source code (last updated in 2014), AndroRAT continues to be used by hackers. It includes the ability to inject its malicious code into legitimate applications, making it easy for a hacker to release a repackaged app carrying the RAT. Its functionality includes the standard features of a mobile RAT: camera and microphone access, call monitoring and location tracking via GPS.
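A repackaged app that carries a RAT still has to declare the permissions the RAT needs, so the manifest is the first place to look. The following is an added example written for this article, not AndroRAT's code; it assumes the AndroidManifest.xml has already been decoded from the APK's binary XML (for example with apktool) and scores the requested permissions against the capabilities listed above. The permission and action names are the real Android constants; the two sample manifests, the capability grouping and the threshold are constructed for illustration.

```python
"""Added example: manifest triage for a repackaged Android app carrying a RAT.

Illustrative code, not AndroRAT's. Assumes a decoded (plain XML) manifest.
The sample manifests below are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree's qualified form of android:name
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Capability a mobile RAT wants -> permissions that grant it.
# The grouping and the scoring threshold are assumptions made for this example.
RAT_CAPABILITIES = {
    "camera": {"android.permission.CAMERA"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "call_monitoring": {"android.permission.READ_CALL_LOG",
                        "android.permission.READ_PHONE_STATE"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "network": {"android.permission.INTERNET"},
}


def declared_permissions(manifest_xml: str) -> set:
    """All <uses-permission android:name=...> values in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)}


def boot_receivers(manifest_xml: str) -> list:
    """Receivers subscribed to BOOT_COMPLETED: the usual way a RAT restarts after reboot."""
    root = ET.fromstring(manifest_xml)
    names = []
    for receiver in root.iter("receiver"):
        if BOOT_ACTION in {a.get(NAME) for a in receiver.iter("action")}:
            names.append(receiver.get(NAME))
    return names


def rat_capabilities(manifest_xml: str) -> set:
    perms = declared_permissions(manifest_xml)
    return {cap for cap, grants in RAT_CAPABILITIES.items() if perms & grants}


def triage(manifest_xml: str, threshold: int = 4) -> dict:
    """Score = number of surveillance capabilities requested. INTERNET alone is
    not counted (nearly every app has it) but is required for a 'suspicious'
    verdict, since a RAT without a C2 channel is not a RAT."""
    caps = rat_capabilities(manifest_xml)
    score = len(caps - {"network"})
    return {
        "capabilities": sorted(caps),
        "score": score,
        "boot_receivers": boot_receivers(manifest_xml),
        "suspicious": "network" in caps and score >= threshold,
    }


# Constructed samples: a plausible flashlight app, and the same app repackaged
# with a RAT payload (extra permissions, a background service, a boot receiver).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Flashlight">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

REPACKAGED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Flashlight">
    <activity android:name=".MainActivity"/>
    <service android:name=".RemoteService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_MANIFEST), ("repackaged", REPACKAGED_MANIFEST)):
        print(label, triage(manifest))
```

The heuristic is deliberately coarse: a legitimate messaging app will also score high, so the score is a triage signal for which APKs to diff against the store version, not a verdict on its own. A boot receiver plus a background service in an app whose purpose does not need either is the detail worth reading the decompiled code for.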
5. RAT for ICS: Havex
Malware targeting industrial control systems (ICS) is nothing new; big names like Stuxnet and Industroyer were designed to cause physical damage. However, some ICS-focused malware is aimed at gaining and keeping remote access to critical infrastructure rather than destroying it.
Havex is a general-purpose RAT, but it also has components specific to ICS environments, including scanning modules that look for ports used by Siemens and Rockwell Automation equipment. It was also delivered through watering-hole attacks on ICS-related sites, which shows the targeting of this sector was deliberate.
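The scanning module is the behaviour a defender can actually see: one internal host touching PLC-facing ports on many neighbours in a short time is not how an HMI or engineering workstation normally behaves. Below is an added example written for this article, not Havex's code, and the article gives no port list; the ports used are the standard ones for the vendors named (Siemens S7comm on TCP/102, Rockwell EtherNet/IP on TCP/44818) plus Modbus/TCP on 502. The log format and the log lines are constructed.

```python
"""Added example: spotting a RAT's ICS port sweep in connection logs.

Illustrative code, not Havex's. Port list is an assumption based on the
vendors' standard protocols; the log format and sample log are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

ICS_PORTS = {102: "s7comm", 502: "modbus/tcp", 44818: "ethernet/ip"}


@dataclass(frozen=True)
class Conn:
    ts: float   # seconds since epoch
    src: str
    dst: str
    dport: int


def parse_line(line: str) -> Conn:
    """Constructed log format: '<epoch> <src> -> <dst>:<dport>'."""
    ts, src, _arrow, target = line.split()
    dst, port = target.rsplit(":", 1)
    return Conn(float(ts), src, dst, int(port))


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_ics_sweeps(conns, min_targets: int = 5, window: float = 60.0) -> dict:
    """Map each source to the distinct hosts it contacted on ICS ports within
    some `window`-second span, keeping only sources that reached at least
    `min_targets` hosts. An HMI polling one PLC every second never trips this;
    a scanner walking a subnet does."""
    by_src = defaultdict(list)
    for c in conns:
        if c.dport in ICS_PORTS:
            by_src[c.src].append(c)

    sweeps = {}
    for src, events in by_src.items():
        events.sort(key=lambda c: c.ts)
        best, start = set(), 0
        for end, ev in enumerate(events):          # sliding time window
            while ev.ts - events[start].ts > window:
                start += 1
            targets = {e.dst for e in events[start:end + 1]}
            if len(targets) > len(best):
                best = targets
        if len(best) >= min_targets:
            sweeps[src] = sorted(best)
    return sweeps


def protocols_probed(conns, src: str) -> set:
    """Which ICS protocols a given source touched; useful when writing the alert."""
    return {ICS_PORTS[c.dport] for c in conns if c.src == src and c.dport in ICS_PORTS}


# Constructed log: an HMI polling one PLC on Modbus every second, a single
# stray S7 connection from an engineer's box, and a compromised workstation
# walking 10.1.2.0/24 on the Siemens and Rockwell ports.
SAMPLE_LOG = "\n".join(
    [f"{1000 + i} 10.1.1.20 -> 10.1.2.1:502" for i in range(10)]
    + ["1003 10.1.1.7 -> 10.1.2.3:102"]
    + [f"{1005 + i} 10.1.1.5 -> 10.1.2.{i + 1}:{port}"
       for i in range(6) for port in (102, 44818)]
)

if __name__ == "__main__":
    conns = parse_log(SAMPLE_LOG)
    for src, hosts in find_ics_sweeps(conns).items():
        print(src, sorted(protocols_probed(conns, src)), hosts)
```

The window and target thresholds are the tuning knobs: a real plant network may have a legitimate asset-inventory tool that sweeps these ports, so the check should be paired with an allow list of known scanners rather than raised on any fan-out. Distinct destinations, not connection count, is the right measure; the HMI in the sample log makes more connections than the scanner and still does not alert.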
Conclusion: maintaining access
Remote Access Trojans fulfill an important function for hackers. Most attack vectors, like phishing, are ideal for delivering a payload to a machine but do not by themselves give the hacker the ability to explore and interact with the target environment. RATs are designed to turn that delivery into a foothold that gives the hacker the level of control they need over the target machine.
The five RATs described here each stand out for their ability to operate in a particular environment. A RAT specialized to the target environment is more likely to accomplish its task without being detected, which makes it far more valuable as a covert surveillance tool.