Home Features Rise in RAT Campaigns Illustrates Growing Malware Threat

Rise in RAT Campaigns Illustrates Growing Malware Threat

With RAT malware growing increasingly sophisticated and more complex to detect, many organizations have found themselves with their backs against the wall.

Trojans, RAT, remote access trojan, Snip3 Crypter-as-a-Service

Ransomware has made more than its fair share of headlines in the past 18 months. It has become a top priority for C-Suites and government officials who’ve either already been crippled by large payouts and extended downtime or have watched from the sidelines as businesses and allies fall victim. However, what has been less talked about is the danger that Remote Access Trojans (RATs) pose to enterprises today — the malware program that allows cybercriminals to enjoy administrative control over a company’s network. While these threats have flown slightly under the radar until now, a wave of new RAT campaigns targeting the travel and tourism industries, as well as the financial sector, and its customers, has pushed them into the limelight.

By Michael Gorelik, CTO & Head of Threat Intelligence, Morphisec

In May, the FBI said that it had found threat actors to be impersonating Truist, the sixth-largest U.S. bank holding company. That spear-phishing campaign attempted to infect victims with RAT malware. The campaign used several phishing techniques commonly associated with RAT campaigns today to spoof the financial institution, such as registered domains, email subjects, and even a malicious Windows app that mimicked Truist’s legitimate Financial SecureBank app.

For background, in a unique and ongoing RAT delivery campaign that my cybersecurity firm Morphisec has been tracking since February, threat actors have also incorporated malicious scripts/executables alongside a legitimate application to disguise their intentions. And while we know these types of phishing techniques have soared in the past year, it’s cybercriminals’ deployment of RAT malware afterward that is perhaps causing enterprises the gravest concern in recent months.

Daily Advancements Make RATs a Top CISO Concern

Obviously, ransomware owns the headlines for a reason, with the average total cost of recovery more than doubling from roughly $761,000 in 2020 to $1.85 million in 2021, according to Sophos. But with RAT malware growing increasingly sophisticated and more complex to detect, many organizations have found themselves with their backs against the wall and counting on the efficiency of often outdated antivirus software that has proven easily bypassable.

The reality is advancements in the attack chain have made most next-gen security solutions futile. After all, the ability to gain administrative control over a target’s network is one of the main advantages of deploying RAT malware, and threat actors are usually able to disable whatever antivirus tool is installed quickly.

In fact, in the aforementioned RAT campaign discovered by Morphisec, attackers could disable Microsoft Defender by dropping a Batch script and an LNK file pointing to the script. This was after they used an AutoHotKey (AHK)based loader to distribute various RATs such as RevengeRAT, LimeRAT, and AsyncRAT.

Meanwhile, in May, another new, highly evasive RAT loader was discovered called Snip3. This RAT was able to bypass detection-centric solutions with relative ease through several advanced techniques, such as its ability to execute PowerShell “remotely signed” script and to evade sandboxes and emulators through advanced detection.

Indeed, it doesn’t seem like too long ago when the security industry would track malware and crypters over a long period with little change. Today, however, we see modifications daily. And not only to one part of the attack chain, but to the entire chain. This rapid change has significantly increased the challenges faced by the AV world…To read the full story, subscribe to CISO MAG.

This story first appeared in the August 2021 issue of CISO MAG.

About the Author

Michael GorelikMichael Gorelik is the CTO and Head of Threat Intelligence at Morphisec, the leader in cloud-delivered endpoint and server security solutions. Prior to Morphisec, Gorelik was the VP of R&D at MotionLogic GmbH, and before that served in senior leadership positions at Deutsche Telekom Labs. He holds B.Sc and M.Sc degrees from the Computer Science department at Ben-Gurion University, focusing on low-level synchronization in different OS architectures. Gorelik also jointly holds six patents in the IT space.


Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.