From pranks to APTs: How remote access Trojans became a major security threat

What is a RAT?

In the late 1990s, when the internet was still young, it was common for tech-savvy kids to scare their friends by controlling their PCs remotely. They would eject the CD tray, swap the mouse buttons, or change the desktop colors. To the unwitting user, it looked like a ghost was taking over the machine.

Those were the years that marked the birth of remote access Trojans (RATs), malicious software that allows an attacker to gain unauthorized access to a victim’s computer over the internet. RATs are typically installed without user consent and remain hidden to avoid detection.

These things set them apart from a benign type of software with a somewhat similar name, Remote Access/Administration Tool. This category includes computer programs such as TeamViewer or LogMeIn that are legitimately used by system administrators, as well as teenagers trying to fix their grandparents’ PCs.

It’s the malicious remote access software that interests security researchers Veronica Valeros and Sebastian García at the Czech Technical University in Prague. The two have spent the last few years trying to analyze the evolution of this type of malware, studying no less than 337 well-known families, looking at things such as functionalities, quality of the software, and purpose.

Valeros said during a Virus Bulletin 2020 presentation that the number of RAT families grew rapidly in recent years. She counted more than 250 RATs that surfaced in the 2010s as opposed to just 70 in the 2000s. “The number of RATs really, really took off,” Valeros said. “While most of the previous ones were focusing on Windows, we saw some diversity—other platforms like Mac, Linux, and Android were being supported.”

While ransomware families come and go, RATs are known for their longevity and reemergence, says another researcher, Lindsay Kaye, the director of operational outcomes for Insikt Group at Recorded Future. “Some of the RATs have been out for ten years now, and they’re still getting used,” she says. “They kind of go down a little bit, and then they come back.”

RATs have become essential for any type of cybercriminal activity, being used by cybercriminals, nation-state hackers, as well as stalkers. The market has matured. RATs have come a long way since NokNok knocked on Windows computers and launched this new chapter in computer security history.

RATs created for fun

The oldest legitimate remote access software was built in the late 1980s, when tools such as NetSupport appeared. Soon after that, in 1996, their first malicious counterparts were created. NokNok and D.I.R.T. were among the first, followed by NetBus, Back Orifice and SubSeven.

These tools were built for amusement or just to show that it can be done. Yet, they were “innovative and disruptive,” Valeros says. NetBus, for instance, was created by Carl-Fredrik Neikter in 1998, and its name, translated from Swedish, means “NetPrank.”

The developer claimed he didn’t want NetBus to be used maliciously, saying it was “a legit remote admin tool,” security researcher Seth Kulakow wrote in a paper he published with the SANS Institute. “However, if you didn’t already figure it out, it is still a very nice tool to use for the other purpose,” Kulakow wrote.

Which is exactly what happened. In 1999, someone downloaded NetBus and targeted Magnus Eriksson, a law professor at Lund University in Sweden. The attacker planted 12,000 pornographic images on his computer, 3,500 of which featured child pornography. The system administrators discovered them, and the law professor lost his job.

“For me it was unbelievable,” Eriksson told Swedish publication Expressen. The media scandal that followed forced him to leave the country, and although he was acquitted in 2004, the damage was considerable. “I can never get back the lost years,” Eriksson said.

NetBus inspired others, including the infamous Sub7 or SubSeven. As a matter of fact, it is believed that Sub7 is NetBus spelled backward, with the “ten” replaced by “seven.” SubSeven, allegedly built by mobman, took the game to a whole new level. It reached global popularity, and its features clearly set it apart from the legitimate remote access tool. SubSeven could be used, for instance, to steal passwords and hide its identity, things a reasonable system administrator shouldn’t do.

“Once SubSeven is installed, hackers can initiate attacks that range from mildly irritating to extremely detrimental,” wrote security researcher Jamie Crapanzano in his paper Deconstructing SubSeven, the Trojan Horse of Choice. “[T]he more notable capabilities provided by SubSeven are the ability to restart Windows on the victim’s computer, reverse mouse buttons, record sound files from the microphone attached to the compromised machine, record images from an attached video camera, change desktop colors, open/close the CD-ROM drive, record screen shots of the victim’s computer and turn the victim’s monitor off/on,” Crapanzano wrote.

Yet, it wasn’t all about having fun. Around that time, other hackers claimed they built RATs to make a statement. The Cult of the Dead Cow created Back Orifice, a name that takes inspiration from Microsoft’s BackOffice Server software.

Back Orifice was mostly the work of Josh Buchbinder, a hacker better known as “Sir Dystic,” a handle based on a comic book character from the 1930s. This character tries to do evil things “but always bungles it and ends up doing good inadvertently,” Buchbinder said in the movie Disinformation.

The Cult of the Dead Cow members launched Back Orifice at DEF CON 6 in Las Vegas in August 1998, and said it was meant to raise awareness of security flaws found in Microsoft software. “Our position is that Windows is a fundamentally broken product,” said Death Veggie, the Cult’s minister of propaganda.

At the end of the 1990s, there were at least 16 RATs, security researcher Valeros says. During the next decade, however, malware authors focused less on the fun factor and more on making money.

RATs for profit and espionage

In the 2000s, RAT authors were not naive kids who wanted to see how far they could go. Most of them were familiar with tools such as NetBus, SubSeven or Back Orifice, and they knew exactly what they were doing.

Take Beast, a RAT first seen in 2002. It kept some of the early Trojans features—it has “Fun Stuff” and “Lamer Stuff”—but was capable of doing more complex things, Valeros says. It used a client/server architecture, just like Back Orifice, but it was among the first to include a reverse connection to its victims. The client connects to the attacked computer at port number 6666 (close enough to the number of the beast), while the server opens connections back to the client using port number 9999. Beast was also capable of bypassing a firewall and killing antivirus processes, and it came with a file binder that could join several files together into one executable.

The more features RATs got, the more appealing they became. Soon, they started to be used as part of more complex attacks by cybercriminals and state-sponsored attackers alike. There was a clear distinction between authors and operators, Valeros says.

Gh0st was among the most prolific remote access trojans of its time. It was developed by a Chinese group that went by the name C. Rufus Security Team. The first version surfaced in 2001, according to Valeros, but it only gained popularity a few years after.

Gh0st is notorious for its part in the GhostNet Operation uncovered in 2009, which targeted political, economic, and media organizations in more than 100 countries. The attackers quietly infiltrated computer systems connected to embassies and government offices. Even Dalai Lama’s Tibetan exile centers in India, London, and New York City were hacked. According to several research papers, the malware collected information, encrypted it, and sent it to the command-and-control server.

In the late 2000s, this RAT was available to download and use by anyone interested in hacking, wrote researcher David Martin in his paper, Gh0st in the Dshell: Decoding Undocumented Protocols: “It is relatively easy to locate a copy with nothing more than a search and a willingness to download software from one of several suspicious websites.”

Another infamous RAT was PoisonIvy, which surfaced in 2005. It was easy to download free of charge from its own website, and the fact that it was accessible helped it gain traction. Researchers at FireEye wrote that, in 2011, it was used in the attack against security organization RSA, and in the Nitro cyber-espionage campaign that targeted government agencies, defense contractors, chemical makers and human rights groups.

The DarkComet RAT was also easy to download and use. It was developed in 2008 by Jean-Pierre Lesueur, and a few years later it was used by the Syrian Government to spy on its citizens. It is believed that several people were arrested because of it. The RAT could take screenshots and steal passwords, among other things.

Soon after the connection with the Syrian regime was established, Lesueur stopped developing the RAT, saying in an interview for Wired: “I never imagined it would be used by a government for spying. If I had known that, I would never have created such a tool.”

Although he stopped developing DarkComet, others picked up from where he left off. The RAT ended up in the hands of several hacking groups, including APT38, sponsored by the North Korean government.

The impact of these tools can be devastating. Even more concerning is that their prices are often ridiculously low. One can buy a RAT for as little as $20, Valeros says.

The commoditization of RATs

The number of new RAT families exploded between 2011 and 2020. “We have more than 250 RATs in less than ten years,” Valeros says. CyberGate, NetWire, NanoCore, ImminentMonitor, Ozone RAT, OmniRAT, Luminosity Link, SpyNote, Android Voyager and WebMonitor were among them.

Luminosity Link, first seen in 2015, infected not just a couple of machines, but possibly hundreds. “It looks like a very professional tool,” Valeros says. It had an interface that was easy to use, and the developers thought about ways to best visualize information on victims.

In fact, RAT entrepreneurs often listened to customers when deciding what features to include. They were also expected to do much more than just provide the software. Sometimes, they even helped with hosting part of the infrastructure.

At times, they wanted to keep the lines blurred, claiming they built remote access tools, not Trojans. Quasar, for instance, is still advertised as legitimate software that could be used for a wide range of things including user support, administrative work and employee monitoring. Yet, the same piece of software has been seen in dangerous attacks such as those that targeted Ukraine in 2015. The same RAT was also used by the Chinese threat actor APT10. QuasarRAT is versatile—it works on Windows XP SP3, Windows Server 2003/2008/2012, and Windows 7, 8/8.1 and 10.

Most RATs are built for Windows machines, but a few, like NetWire and WebMonitor, are multi-platform and work on Mac, Linux and Android. The recent years saw a growth in Android RATs. Android Voyager, first seen in 2017, was among the better-known ones, but it now has serious competition. GravityRAT has recently started to target Android users. Security researchers noticed a piece of malicious code inserted in an Android travel app for Indian users.

Valeros says she expected more diversity when she started studying RATs. She soon discovered that the products currently sold are mostly “standardized,” that they are “not very different from each other.”

Most have the same structure. The program installed on the victim’s machine is called the server, and it’s designed to connect back to the attacker. The client is the software the attacker uses to monitor and control the victims, to visualize the infections, and to execute individual actions manually.

In addition to these basic RAT elements, there are also a few more jazzy ones, such as builder, crypter and plugins. The builder quickly creates new RAT servers, while the plugins add capabilities. The crypter is used to avoid detection by antivirus. Crypters read a program’s code and encrypt it with a key. They create a new program that includes the encrypted code and the key, which will automatically decrypt upon execution.

Some nation-state hackers tend to use common RATs that follow this structure rather than developing tools from scratch, Valeros says. “If you really want to hide yourself, maybe buying a RAT from some forum is the way to go.”

Valeros looked at RATs that were sold in 2019 and 2020 on marketplaces such as DaVinciCoders, Secret Hacker Society, buyallrat588, Dorian Docs, FUD Exploits, and Ultra Hacks. Android Voyager, for instance, was priced between $30 to $250.

The price variation is often connected to plugins and additional services, such as technical support. “The most successful RATs do not have a huge technological advantage, but better reviews, recommendations and, in the end, better marketing,” Valeros wrote in her Virus Bulletin 2020 paper.

While many threat actors will continue to use commodity RATs, a few will build their own, says Recorded Future’s Kaye. “The MuddyWater APT used some kind of bespoke-type RAT functionality.” In the years to come, she expects to see RATs with complex modules but also simple ones written in Python. “For the more modular ones, there are people writing new modules, because some RATs are open source,” Kaye says.

How to mitigate risk from RATs

In the beginning, RATs were about opening the CD tray and stealing passwords. “Nowadays, they can do almost everything,” says Avast security evangelist Luis Corrons. In 2020, he saw attackers using mostly njRAT, NanoCore RAT, Blackshades and SpyNet. Sometimes companies are slow to detect RATs. “We have seen attacks in which someone has been inside a company for half a year or a year and nobody noticed,” he says.

That’s why Corrons recommends monitoring the company’s network meticulously. “Everybody is going to get infected, and the sooner you detect it, the better, because if you detect it really early, you can avoid most of the damage,” he says.

He and Recorded Future’s Kaye say that most attacks still rely on social engineering techniques, so educating users is fundamental. “Let employees know how their IT services team will be contacting them,” Kaye says.

Europol, the European Union’s law enforcement agency, lists a few other things users could do:

• Make sure the firewall is active
• Keep software updated.
• Download software only from trusted sources.
• Regularly back up data.
• Do not click on suspicious links, pop-ups or dialog boxes.
• Do not click on links or attachments within unexpected or suspicious emails.

Europol also lists a few infection signs:

• The internet connection might be unusually slow.
• Files might be modified or deleted.
• Unknown processes might be visible in the Task Manager.
• Unknown programs might be installed and could be found in the Control Panel.