History of malware: Remote Access Trojans (RATs)
A RAT primer
From millions of dollars lost to reputational damage, malware affects lives, businesses, and the world around us. It’s difficult to study, moves fast, and is a constant concern for anyone living and working in the digital age. Remote access trojans make up a large portion of the malware market and are an especially notable fixture in our information economy.
The history of malware is important in understanding not only the inner workings of some of the most popular attacks, but in their effect on the information security industry as a whole. Having a better understanding of different types of malware can facilitate better detection, more useful preparatory exercises like tabletops, and ensure that training is more holistic. Malware history is a fundamental part of learning new skills in malware analysis, blue team exercises, network hardening, and user training.
What is a remote access trojan (RAT)?
The Remote Access Trojan (RAT) is a particularly good example of a tried-and-true malware type. RATs are pieces of software that allow an attacker to gain continuous access to a victim’s computer through varying types of persistence but can include additional features that increase their damage potential, such as screen capture software, camera and microphone recording integrations, or file transfer methods. They can be spread via phishing campaigns or hosted on ad servers or compromised websites. The “trojan” part of the name indicates the tendency of this type of malware to masquerade as something else, not unlike the Trojan Horse that led to the fall of Troy.
RATs can also be known as remote administration tools or remote access tools. Administrators typically use remote access/administration tools for legitimate purposes, like providing technical assistance to users. It’s only when those tools fall into the wrong hands and are used for unauthorized purposes that they become malware. For this reason, our review will include some tools that are made for malicious purposes and some that were originally designed to fix a problem.
RAT beginnings
The exact origins of the remote access trojan are very obscure. While most malware can be traced back to a single, novel event or attack, remote access trojans were used for legitimate, non-malicious purposes going back to the late 80s… until they weren’t. One of the first remote administration tools was Carbon Copy—its first traceable announcement was in a tiny advertisement in the February 10, 1986 edition of Computer World. It was described as a remote control software program that “allow(s) a local personal computer to control and monitor a remote personal computer over an asynchronous communications link”.
Though the remote administration tool was a useful piece of software developed with good intent, it was not always used for that purpose. NetSupport, which is still used for good and bad today, and Symantec’s pcAnywhere are other famous examples of popular remote administration tools that have been co-opted for adversarial reasons. In fact, Symantec notoriously told pcAnywhere users to cease operation of the software in 2012 until a bugfix could be issued, due to exploitation fears arising from a 2006 breach of its source code and claims that hacktivists had wrested control of pcAnywhere servers.
Good ol’ RATs
Back Orifice
In 1998, the infamous ‘Cult of the Dead Cow’ group released the Back Orifice trojan at DEF CON 6, one of the first widespread examples of a remote access trojan specially created for malicious purposes. Named after Microsoft’s Back Office Suite, this malware was meant to be a proof of concept and a direct response to security concerns with some of Microsoft’s software; representatives at the company were not concerned about its use at the first announcement of its release, citing a lack of new vulnerabilities created by the program. In spite of this, antivirus solutions were wary and added it to their definitions.
Even though it was well-known and protected against by most antivirus solutions, Back Orifice still gained popularity for small-scale use and general tomfoolery. It had a GUI (Graphical User Interface), contributing to its user-friendliness, and was relatively easy to use. No known mention of tracked large-scale campaigns survives to this day. Ironically, another piece of malware known as BoSniffer masqueraded as a Back Orifice removal tool, but was itself a Back Orifice server.
NokNok
Another example of a significant older RAT is NokNok, known for its unique obfuscation abilities. Searching for the hashes of the binaries shows that this trojan was likely first compiled in 1992 and first submitted to VirusTotal in around 2007, though many antivirus solutions created rule entries for it around 2004. It was difficult to detect by design, hiding itself from the process list and installing under various filenames to dodge behavior detection. As with many older malware samples, this one may still be circulating to this day (the hash linked above was last analyzed in January of 2022).
DIRT
A late 90’s wavemaker of a RAT was Data Interception by Remote Transmission (DIRT). This was a very controversial piece of software produced by Codex Data Systems, famous for its use by its intended audience: ‘…military, government, and law enforcement agencies’. DIRT was concerning to the network security community even though Codex promised the utmost discretion in distribution, and tech enthusiasts found it to be a massive breach of privacy. Unsurprisingly, the software was eventually leaked along with its manuals, contracts, invoices, and other documents.
These are all great examples from the mid-late 80s to the early 2000s. But what do remote access trojans look like today?
Today’s RATs
Today’s RATs are far more financially motivated than their counterparts of years past. This tends to be the same for most malware—when the internet was less widespread, there simply wasn’t as much money being thrown around and not as many sensitive resources connected to the internet. In the modern age, everything from schools to churches to startup businesses has some form of online presence or digitized sensitive information that is ripe for the picking. This information may not have direct monetary value, but it can be exfiltrated by adversaries for leverage in blackmail or ransom. The commoditization of the internet has led to ease of access for everyday people and for criminals alike.
As its effects are felt more by the general population, malware is also more easily documented. MITRE ATT&CK has an extensive record of popular modern malware strains, and remote access trojans are no exception. Even so, their popularity has increased the saturation of different malware families, making some smaller malicious programs harder to track.
Dridex
One great example of modern malware is Dridex, a banking trojan that came onto the scene in late 2014, having previously been named ‘Cridex’ and trialed in 2011. Dridex originally contained web injection and USB infection capabilities, then expanded to include geofiltering (figuring out the target’s country and continuing the attack only if they are located in a specific country), Microsoft User Account Control evasion, and other features useful to an adversary. These updates were added quickly, changing the malware’s code drastically within only a few years. This has made it more difficult to defend against and learn from. Dridex has one of the most active botnets (collections of infected computers that can then be controlled from afar) as of 2021—and it featured prominently in the 2022 Threat Detection Report.
Emotet
Many modern large-scale RATs package a lot of features into their malware in an attempt to cast as wide of a net as possible. Emotet is another famous variant, used more as a packaging solution and delivery method for other malware than as an all-in-one solution itself. This type of trojan is known to some as a ‘loader’, intended to download additional modules and features after initial infection. Emotet first arrived on the scene in 2014, originally making a name for itself as a credential theft tool before adapting its current toolset. Using Microsoft Word macros for initial compromise in some cases and links or PDFs in others, Emotet originally attacked Austrian and German banks before expanding out to other countries (including the US and UK). Emotet continues to be dangerous, primarily for its wide range of techniques and targeting of financial institutions.
Trickbot
TrickBot exists in a similar vein to Emotet: it started small and reinvented itself to become more modular later on, and it now implements a veritable buffet of MITRE ATT&CK techniques to hook as many victims as possible.
Agent Tesla
Recently, a piece of malware called Agent Tesla leveraged the chaos caused by COVID-19 to gain an enormous foothold. Agent Tesla is not technically a fully fledged RAT, as it does not aim to provide remote access continuously and deletes itself from the system after stealing information, but it has a few interesting features that are related to RATs. Though it was around as early as 2014, Agent Tesla started gaining traction when it used phishing campaigns that featured personal protective equipment (like masks), using fear and panic to spread en masse. It uses several different compressed file extensions (like .zip and .img) as well as VBA macros in Word files. It may not have the feature set that RATs like Emotet have, but it does have a user-friendly interface, something that instantly increases the chance of its widespread adoption by lowering technical barriers to entry. It also uses detection evasion methods like secondary binary downloads.
When tools become trojans
More recent examples of Remote Access Tools turned Trojans include AsyncRAT and TVRat. AsyncRAT is an open source remote access tool written in C#, useful for those desiring an open source alternative to commercial remote access software and containing tools like password recovery, keylogging, server obfuscation, and more. However, as with NetSupport above, AsyncRAT has been used for malicious purposes, dropped by ‘Crypters’ (tools that deliver malware and are typically available for purchase online).
TVRat is based on TeamViewer, a popular remote access tool that is commonly used for commercial purposes. In the case of tech support scammers or drive-by installs, however, TeamViewer is either encapsulated in another piece of delivery software or is itself loaded onto a victim’s computer, becoming a powerful RAT colloquially known as TVRat. In one campaign, TVRat infiltrated the victim’s browser using a fake certificate loaded into a compromised Windows IIS server.
Cross-platform RATs
Finally, some cross-platform RATs deserve a mention. As you may have noticed, RATs seem to mostly target Windows and macOS systems, but infrequently touch on Linux. Netwire is an example of a RAT that works across a lot of different operating systems, being proficient on Windows, macOS, and Linux. The amazing Tony Lambert wrote a piece on Netwire that is most definitely worth a read.
Learning from RATs
Why cover all this RAT history? Not only because it’s interesting to deep dive on the purposes and functions of malware from years past, but because of the industry changes they caused and may continue to cause in the future. DIRT was one of the first instances of deep-set military/government surveillance concerns and a great example of how difficult it can be to keep a privately owned software backdoor and make sure it’s used by only the target audience. This ties well with an ongoing debate regarding large tech company data access and privacy, spyware use on journalists, and past leaks from three-letter agencies.
NokNok was very stealthy for its time, so much so that most evidence of its widespread use is anecdotal and evidence was difficult to trace—in writing this article, we had to review dozens of hashes and old forum posts to piece together a basic timeline and idea of why there’s so little coverage of it. Back Orifice provided a great example of hacktivism and an excellent proof-of-concept for what trojans could do then… and what they can do now.
Conclusion
Modern malware is sophisticated and has a lot of moving parts. As with most non-malicious software, those features eventually get packaged up or made easier to use alongside other things (as with Emotet) so that malware authors don’t have to reinvent the wheel every time they want to create new malware.
It tends to start with small tests, going dormant for a short time to work on features (as Emotet and TrickBot did), and then explode back onto the scene with robust features and surprisingly effective obfuscation methods. RATs are dangerous because they are widespread and take up a lot of the market. The reason for their popularity is simple: an attacker would prefer maintaining a persistent connection to a victim as an ongoing data source instead of performing a one-time theft with a few pieces of leaked data or credentials. Remote access trojan operators can also sell access to existing compromised networks.
As with RATs like Netwire, we’re seeing an increase in their use across platforms. There’s also a marked increase in the amount of remote access tools being used for malicious purposes, like with AsyncRAT and TVRat.
Remote access trojans of years past show us that the line of maliciousness can be blurred and confusing, but is generally defined by the intentions of the person or group using it. When DIRT first leaked to the public and tools like Carbon Copy and NetSupport started finding less-than-friendly uses, we realized how powerful confidentiality (as defined in the CIA triad) is. It takes only one misconfiguration, phishing email, or misclick for a useful tool to become a malicious timebomb.
Further RAT reading and detection
- For a fantastic breakdown of RAT detection and misused remote access tools, Jason Killam and Justin Schoenfeld crafted an incredible guide: https://redcanary.com/blog/misbehaving-rats/
- The book Cult of the Dead Cow contains more history about the hacker group, especially surrounding the Back Orifice RAT: https://www.amazon.com/Cult-Dead-Cow-Original-Supergroup/dp/154176238X
- Old Computer World magazines, many of which have been scanned and are available on Google Books, provide a lot of insight into historical malware and privacy problems. While this isn’t unique to remote access trojans, RATs also have an extensive history that goes back far enough for the older issues to cover.
- For an example of an ongoing, newer RAT, check out this threat intelligence article on Yellow Cockatoo: https://redcanary.com/blog/yellow-cockatoo/
- The great folks at Splunk wrote a fantastic forensic breakdown of Agent Tesla, one that we recommend for its sheer detail on a Top 10 malware in 2022: https://www.splunk.com/en_us/blog/security/inside-the-mind-of-a-rat-agent-tesla-detection-and-analysis.html
Want to try your hand at emulating a RAT? Atomic Red Team allows you to run a test on a vulnerable machine so you can see what a RAT would look like in a detection solution. Take a look at the NetSupport test here: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-8---netsupport---rat-execution