Remote access trojans (RATs) are malware designed to allow an attacker to remotely control an infected computer. Once the RAT is running on a compromised system, the attacker can send commands to it and receive data back in response.
RATs can infect computers like any other type of malware. They might be attached to an email, be hosted on a malicious website, or exploit a vulnerability in an unpatched machine.
A RAT is designed to allow an attacker to remotely control a computer similar to how the Remote Desktop Protocol (RDP) and TeamViewer can be used for remote access or system administration. The RAT will set up a command and control (C2) channel with the attacker’s server over which commands can be sent to the RAT, and data can be sent back. RATs commonly have a set of built-in commands and have methods for hiding their C2 traffic from detection.
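The C2 channel described above is usually the part of a RAT that defenders can observe on the network. As an added example (not from the original article), this Python code flags host/destination pairs whose connections recur at near-constant intervals; that timed check-in pattern, the function name, the thresholds and the sample flow records are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

def find_beacons(flows, min_events=6, max_cv=0.1):
    """Return (src, dst, mean_interval, cv) for pairs with near-constant gaps.

    flows: iterable of (epoch_seconds, src_ip, dst_ip) outbound connections.
    cv is the coefficient of variation (stdev / mean) of inter-arrival times;
    a low cv means the host contacts the destination on a fixed timer.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_events:
            continue  # too few samples to judge periodicity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # only duplicate timestamps
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((src, dst, round(avg, 1), round(cv, 3)))
    return sorted(hits, key=lambda h: h[3])

# Constructed sample flow records (documentation-range IPs), not real traffic.
SAMPLE_FLOWS = (
    # workstation contacting one server roughly every 60 s
    [(t, "10.0.0.5", "203.0.113.10") for t in (0, 60, 121, 180, 241, 300, 359, 420)]
    # same workstation, irregular interactive browsing
    + [(t, "10.0.0.5", "198.51.100.7") for t in (5, 9, 40, 200, 207, 390, 400)]
    # too few connections to evaluate at the default threshold
    + [(t, "10.0.0.8", "203.0.113.10") for t in (10, 70, 130)]
)

if __name__ == "__main__":
    for src, dst, interval, cv in find_beacons(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: every ~{interval}s (cv={cv})")
```

Legitimate software such as update checkers also polls on a timer, so hits are leads for triage against an allowlist rather than verdicts.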
RATs may be bundled with additional functionality or designed in a modular fashion to provide additional capabilities as needed. For example, an attacker may gain a foothold using a RAT and, after exploring the infected system using the RAT, may decide that they want to install a keylogger on the infected machine. The RAT may have this functionality built-in, may be designed to download and add a keylogger module as needed, or may download and launch an independent keylogger.
Different attacks require different levels of access to a target system, and the amount of access that an attacker gains determines what they can accomplish during a cyberattack. For example, exploitation of an SQL injection vulnerability may only permit them to steal data from the vulnerable database, while a successful phishing attack may result in compromised credentials or installation of malware on a compromised system.
A RAT is dangerous because it provides an attacker with a very high level of access and control over a compromised system. Most RATs are designed to provide the same level of functionality as legitimate remote system administration tools, meaning that an attacker can see and do whatever they want on an infected machine. RATs also lack the limitations of system administration tools and may include the ability to exploit vulnerabilities and gain additional privileges on an infected system to help achieve the attacker’s goals.
Because an attacker has a high level of control over the infected computer and its activities, they can achieve almost any objective on the infected system and can download and deploy additional functionality as needed to achieve their goals.
RATs are designed to hide themselves on infected machines, providing secret access to an attacker. They often accomplish this by piggybacking malicious functionality on a seemingly legitimate application. For example, a pirated video game or business application may be available for free because it has been modified to include malware.
The stealthiness of RATs can make them difficult to protect against. Some methods to detect and minimize the impact of RATs include:
Protecting against RAT infections requires solutions that can identify and block malware before it gains access to an organization’s systems. Check Point Harmony Endpoint provides comprehensive protection against RATs by preventing common infection vectors, monitoring applications for suspicious behavior, and analyzing network traffic for signs of C2 communications. To learn more about Harmony Endpoint and the complete suite of Harmony solutions, request a free demo today.