This week’s threat detection blog dives deeper into a common type of malware, remote access trojans (RATs), which allow adversaries to gain backdoor access into systems through seemingly normal network traffic. Let’s learn more about how RATs enter your system, what kinds of actions they perform, and how Stamus Security Platform (SSP) can help.
At Stamus Networks we often talk about threats and threat detection, but until recently we haven’t spent much time describing those threats in any detail. This series - Threats! What Threats? - seeks to fix that by covering a different threat each week and sharing how SSP helps security teams detect these threats on your network.
Remote Access Trojans (RATs) are a type of malware that is designed to allow an attacker to remotely control an infected system. Once a system is compromised and a RAT is running, the attacker can send instructions to the malware and receive data back in response. RATs are generally used as a method to gain an initial foothold within the system, and once communication is established additional instructions might install ransomware, keyloggers, or other malicious programs.
RATs are installed through common access methods like email phishing or malicious websites. A user might click on a URL in an email or open an unfamiliar file that then deploys the RAT onto the system. Once deployed, the RAT will set up a command and control (C2) channel with the attacker’s server over which commands can be sent to the RAT and data can be sent back. RATs commonly have a set of built-in commands and have methods for hiding their C2 traffic from detection. To learn more about C2 and how Stamus Security Platform detects these communications, read our earlier blog: “Threats! What Threats? Command & Control and Stamus Security Platform”.
RATs are especially dangerous to an organization because they provide a very high level of access and control over a compromised system. RATs are designed to function very similarly to legitimate remote system administration tools, which means the attacker can see and do virtually anything they want on the infected machine. Unlike remote system administration tools, however, RATs are capable of exploiting vulnerabilities in a system and gaining additional privileges to further access sensitive data or make changes to a system.
Due to this high level of access and control, RATs are an incredibly useful and effective tool used by attackers, allowing them to achieve objectives, download and deploy additional malicious programs, and access data efficiently. Thankfully, Stamus Security Platform (SSP) includes RATs within its threat coverage and can help security teams identify the presence of RATs using insights gathered from their organization’s network.
At the time of this writing, SSP can detect 98 different known RATs using 2,795 different detection methods. Detection coverage is updated daily, so the RAT detection coverage is frequently expanding.
Unlike Network Detection and Response (NDR) systems based exclusively on machine learning or other anomaly detection algorithms, SSP also includes traditional IDS events along with protocol transactions, flow records and extracted files (NSM-style logs), which may be used for threat hunting and incident investigation. Unlike other security systems, such as endpoint detection, SSP is better equipped to detect RATs because of its focus on the network. And because it passively monitors network traffic, SSP is not subject to bypass or direct attacks like an endpoint system might be.
The screenshot below illustrates just a handful of the SSP coverage for 98 known RATs.
Let’s take a look at a few of the main methods Stamus Security Platform uses to detect Remote Access Trojans:
Declarations of Compromise™
When SSP detects a serious and imminent threat, it issues a Declaration of Compromise™ (DoC). SSP includes nearly 100 DoCs focused on detecting RATs. These are high-confidence, definitive alerts indicating the threat has impacted an asset in your network. Each DoC event log includes all related threat activity such as when it was first seen, last seen, the current cyber kill chain phase in which the threat is acting, and so on. When one of these DoC events triggers, the user can review an abundance of contextual evidence surrounding the alert event and impacted asset(s) including a full incident timeline of activities.
RATs commonly establish communication with a command and control (C2) server, allowing the attacker to remotely control its operation. As such, SSP will map the RAT’s C2 activity to the command and control phase of the cyber kill chain. This gives users a clear timeline view of C2 communication activities for the RAT. As with any DoC, when SSP detects RAT activity, it may trigger an automated response using a webhook integration into the platform of the user’s choice - SOAR, SIEM, chat notification, or incident response ticket.
C2 Beacon Detection
Using machine learning algorithms, SSP can identify suspected C2 beacons, even in complex TLS communications. The system generates a score that helps security teams assess the likelihood that a communication is a malware beacon based on various behavioral factors. Beaconing is a common method of communication between a RAT and its C2 server, so one way to locate a RAT on a system is to first identify the presence of malware beaconing communications and then trace those communications to the source.
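To make the idea of a behavioral beacon score concrete, here is an added toy scorer (not SSP’s machine-learning model, and the flow records are constructed for the example) that rates each source/destination pair on how regular its connection timing and payload sizes are. Real beacons add jitter and vary their sizes, which is why a production model weighs many more factors than these two.

```python
"""Toy C2 beacon scorer over constructed flow records (not SSP's algorithm)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (src_ip, dst_ip, start_time_seconds, bytes_sent).
FLOWS = [
    # Regular ~60s check-ins with near-constant size: the beacon-like pattern.
    ("10.0.0.5", "203.0.113.7", 0, 310), ("10.0.0.5", "203.0.113.7", 60, 310),
    ("10.0.0.5", "203.0.113.7", 121, 310), ("10.0.0.5", "203.0.113.7", 180, 310),
    ("10.0.0.5", "203.0.113.7", 241, 310), ("10.0.0.5", "203.0.113.7", 300, 310),
    ("10.0.0.5", "203.0.113.7", 361, 310), ("10.0.0.5", "203.0.113.7", 420, 310),
    # Bursty, size-varying traffic typical of interactive browsing.
    ("10.0.0.5", "198.51.100.2", 5, 1200), ("10.0.0.5", "198.51.100.2", 9, 45000),
    ("10.0.0.5", "198.51.100.2", 70, 800), ("10.0.0.5", "198.51.100.2", 71, 9000),
    ("10.0.0.5", "198.51.100.2", 300, 300), ("10.0.0.5", "198.51.100.2", 302, 22000),
    # Too few flows to judge either way.
    ("10.0.0.8", "192.0.2.9", 10, 500), ("10.0.0.8", "192.0.2.9", 500, 700),
]

def regularity(values):
    """1.0 when all values are identical, falling to 0.0 as the
    coefficient of variation (stdev / mean) reaches 1."""
    m = mean(values)
    if m == 0:
        return 0.0
    return max(0.0, 1.0 - pstdev(values) / m)

def beacon_scores(flows, min_flows=5):
    """Return {(src, dst): score 0..100} for every pair with enough flows.
    The score averages timing regularity and payload-size consistency."""
    by_pair = defaultdict(list)
    for src, dst, ts, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))
    scores = {}
    for pair, recs in by_pair.items():
        if len(recs) < min_flows:
            continue  # not enough evidence to score
        recs.sort()
        intervals = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        sizes = [nbytes for _, nbytes in recs]
        scores[pair] = round(100 * (regularity(intervals) + regularity(sizes)) / 2)
    return scores

if __name__ == "__main__":
    ranked = sorted(beacon_scores(FLOWS).items(), key=lambda kv: -kv[1])
    for (src, dst), score in ranked:
        print(f"{src} -> {dst}: beacon score {score}")
```

Pairs that score high are candidates to trace back to the originating host, which is the workflow the paragraph above describes.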
Suspicious Host Activity via Sightings
Security analysts can use the “Sightings” feature to uncover anomalous behavior and suspicious host activity on the organization’s network. SSP’s anomaly detection algorithm identifies the occurrence of never-before-seen artifacts from critical infrastructure.
Sightings include connections based on discovered host roles - domain controllers, DHCP servers, proxies, printers, etc. This gives the user a quick view of potentially suspicious activity like new, unfamiliar outbound connections, such as those often present during a RAT’s communication with a C2 server.
Guided Threat Hunting
Although SSP includes numerous automated detection methods, many organizations task their security teams with taking a more proactive approach. Stamus Security Platform includes an enriched hunting interface, which has over 100 ready-to-use guided threat hunting filters. With several filters focused on RATs, C2 communications, and malware beaconing, an analyst can quickly and easily sort through millions of alert events to narrow down suspicious and anomalous activity and behavior on their network and identify possible threats.
For more information on the enriched hunting interface, check out our series on guided threat hunting with Stamus Security Platform.
Hopefully, you have learned more about RATs, how attackers use RATs to infect systems, and how our network detection and response platform can help detect their presence using your organization’s network. With the prevalence of Remote Access Trojans, it is important that you are in the position to identify them before it is too late.
If you would like to see a live demonstration of how Stamus Security Platform detects RATs or want to discuss how else it could help you detect and respond to other threats on your network, please click on the button below to request a demo.