[MART] - Daily Diary #345 - Malware Types - Remote Access Trojans

CTAS-MAT ctas-mat at appgate.com
Fri Sep 10 20:04:50 UTC 2021


Hello,
I hope everyone is doing well!

Below is the entry for today.

09/10/2021 - Diary entry #345

Continuing our thread on malware types, started in our Daily Diary #328. Today we are going to talk about Remote Access Trojans. A Remote Access Trojan, or RAT, is malware that gives an attacker remote control of an infected device. After the initial infection, the malware stays hidden on the system, streaming the device's screen, keystrokes and mouse movements much like spyware. Upon receiving a command, the malware replays the attacker's actions on the infected device, moving the mouse and simulating keyboard input as an ordinary user would. RATs achieve this either by implementing a custom protocol, like Allakore, or by abusing trusted protocols or applications, like VNC, RDP and TeamViewer.

RATs are very common pieces of malware, as they enable a variety of malicious actions, such as stealing private data and credentials, impersonating the logged-in user, and even committing banking fraud. The last case is very common in Brazilian banking malware: since most banks implement some form of MFA, stealing the credentials is not enough to perform a fraudulent transaction, so this kind of malware stays hidden on the machine, waits for the user to log into the banking platform, and then takes control of the machine just long enough to transfer money to an account the attacker controls.

In our Daily Diary #335 and #333 we covered Botnets and Backdoors. It's common for them to implement a Remote Access module, so they can double as a RAT. A great example of that is Dridex (covered in our Daily Diaries #116, #114 and our Blog Post "Reverse Engineering Dridex"), which can receive a VNC module to control the user's device.

Kind Regards,





Felipe Duarte Domingues
Security Researcher
Appgate

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509
