


We observed this transformation of trojans in "The modern cybersecurity landscape: Scaling for threats in motion", published in November 2020. In that report, we cited Emotet and Ursnif/Gozi as examples of trojans that have evolved on to bigger and badder things. Some of the reasons why attackers reuse malware include:

- Their “Swiss Army knife” abilities allow them to deploy follow-up malware in a Loader-as-a-Service model that does further damage down the cyberattack chain.
- Their highly distributed command-and-control (C2) infrastructure makes takedown much harder to implement.

But there are more tricks that make these the workhorses of unauthorized hackers.

1. Like any productive software, malicious actors are continuously updating trojans using C2 infrastructure

Our first example, Taidoor, is a RAT connected to Chinese government actors as assessed by the United States Federal Bureau of Investigation (FBI) with high confidence. This is one of the oldest trojans still circulating. The new version of the RAT consists of two parts: a loader in DLL form, and a main RAT module that comes as RC4-encrypted binary data. The loader first decrypts the encrypted main RAT module, and then executes its exported start function. Malicious actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation.

We know that this RAT module has variants that trace back to 2011. A blog post published in September 2020 by ReversingLabs documents this and notes: “(M)alware families require a lot of maintenance and improvement to achieve long-term operability. Even though such continuous upgrading helps malware avoid detection mechanisms, it also results in related malware versions.” The bottom line is that a great deal of time and investment goes into malicious tools like this, and the owners will go to great lengths over time to keep the investment viable.

2. Trojans go to great lengths to hide their tracks and avoid detection

As antivirus, EDR/XDR, and sandbox capabilities proliferate, attackers are using more sophisticated forms of obfuscation and evasion techniques to protect the tools of their trade. One example we’ve seen recently is a new take on another old RAT, CRAT.

CRAT is a remote access trojan which consists of multiple RAT capabilities, additional plugins, and a variety of detection-evasion techniques. Apart from the prebuilt RAT capabilities, the malware uses obfuscation and extensive evasion techniques to hide its malicious indicators and employs a highly modular plugin framework to selectively infect targeted endpoints. In the past, CRAT has been attributed to the Lazarus Group, the malicious threat actors behind multiple cyber campaigns, including attacks against the entertainment sector.

Most importantly, it deploys RAT malware to ransack the endpoint, followed by deployment of ransomware to either extort money or burn the infrastructure of targeted entities. Over time, CRAT has acquired extensive capabilities through the use of a modular framework. These include screen capture plugins, clipboard monitor plugins, keylogger plugins, and ransomware.

As we mentioned, the CRAT makers have gone to lengths to hide the trojan’s actions. The RAT is highly obfuscated in terms of:
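Returning to the Taidoor loader described in section 1: an analyst can mirror the loader's first step without its second, RC4-decrypting a suspected module blob with candidate keys and accepting only a result that carries a valid PE header, so the payload can be examined statically rather than executed. This is an added example, not code from the original post or from any published Taidoor analysis; the key, the fake PE image and the encrypted blob are all constructed here.

```python
import struct

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def looks_like_pe(data: bytes) -> bool:
    """Minimal PE sanity check: 'MZ' at offset 0 and e_lfanew (at 0x3C) pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def recover_module(blob: bytes, candidate_keys):
    """Try each candidate RC4 key in turn; return (key, plaintext) for the first
    one that yields a PE image, or None if no candidate produces one.
    A wrong key gives pseudo-random bytes, which the header check rejects."""
    for key in candidate_keys:
        plain = rc4(key, blob)
        if looks_like_pe(plain):
            return key, plain
    return None

# Constructed sample: a fake minimal PE image (not a real binary) with the DOS
# and NT signatures in place, RC4-encrypted under a made-up key.
FAKE_PE = bytearray(0x100)
FAKE_PE[:2] = b"MZ"
struct.pack_into("<I", FAKE_PE, 0x3C, 0x80)   # e_lfanew -> 0x80
FAKE_PE[0x80:0x84] = b"PE\x00\x00"
SAMPLE_KEY = b"demo-key-not-from-malware"       # constructed, hypothetical key
ENCRYPTED_MODULE = rc4(SAMPLE_KEY, bytes(FAKE_PE))

if __name__ == "__main__":
    hit = recover_module(ENCRYPTED_MODULE, [b"wrong-guess", SAMPLE_KEY])
    print("recovered with key:", hit[0] if hit else None)
```

In practice the candidate keys come from the loader DLL itself (strings or constants found while reversing it); the recovered image is then handed to static tooling, never run.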
