What is a RAT?

In the late 1990s, when the internet was still young, it was common for tech-savvy kids to scare their friends by controlling their PCs remotely. They would eject the CD tray, swap the mouse buttons, or change the desktop colors. To the unwitting user, it looked like a ghost was taking over the machine.

Those were the years that marked the birth of remote access Trojans (RATs), malicious software that allows an attacker to gain unauthorized access to a victim’s computer over the internet. RATs are typically installed without user consent and remain hidden to avoid detection.

Those two traits, covert installation and concealment, set them apart from a benign type of software with a somewhat similar name, the remote access or remote administration tool. This category includes programs such as TeamViewer or LogMeIn that are legitimately used by system administrators, as well as by teenagers trying to fix their grandparents’ PCs.

It is the malicious remote access software that interests security researchers Veronica Valeros and Sebastian García at the Czech Technical University in Prague. The two have spent the last few years analyzing the evolution of this type of malware, studying no less than 337 well-known families and looking at functionality, software quality, and purpose.

Valeros said during a Virus Bulletin 2020 presentation that the number of RAT families grew rapidly in recent years. She counted more than 250 RATs that surfaced in the 2010s, as opposed to just 70 in the 2000s. “The number of RATs really, really took off,” Valeros said. “While most of the previous ones were focusing on Windows, we saw some diversity—other platforms like Mac, Linux, and Android were being supported.”

While ransomware families come and go, RATs are known for their longevity and reemergence, says another researcher, Lindsay Kaye, the director of operational outcomes for Insikt Group at Recorded Future.
“Some of the RATs have been out for ten years now, and they’re still getting used,” she says. “They kind of go down a little bit, and then they come back.”

RATs now feature in almost every type of malicious activity, used by cybercriminals, nation-state hackers and stalkers alike. The market has matured. RATs have come a long way since NokNok knocked on Windows computers and opened this chapter in computer security history.

RATs created for fun

The oldest legitimate remote access software dates from the late 1980s, when tools such as NetSupport appeared. Their first malicious counterparts followed in 1996: NokNok and D.I.R.T. were among the earliest, followed by NetBus, Back Orifice and SubSeven.

These tools were built for amusement or simply to show that it could be done. Yet they were “innovative and disruptive,” Valeros says. NetBus, for instance, was created by Carl-Fredrik Neikter in 1998, and its name, translated from Swedish, means “NetPrank.”

The developer claimed he didn’t want NetBus to be used maliciously, saying it was “a legit remote admin tool,” security researcher Seth Kulakow wrote in a paper he published with the SANS Institute. “However, if you didn’t already figure it out, it is still a very nice tool to use for the other purpose,” Kulakow wrote.

Which is exactly what happened. In 1999, someone downloaded NetBus and targeted Magnus Eriksson, a law professor at Lund University in Sweden. The attacker planted 12,000 pornographic images on his computer, 3,500 of which featured child pornography. The system administrators discovered them, and the law professor lost his job.

“For me it was unbelievable,” Eriksson told Swedish publication Expressen. The media scandal that followed forced him to leave the country, and although he was acquitted in 2004, the damage was considerable.
“I can never get back the lost years,” Eriksson said.

NetBus inspired others, including the infamous Sub7, or SubSeven. The name is believed to be NetBus spelled backward, “subteN,” with the “ten” replaced by “seven.” SubSeven, allegedly built by mobman, took the game to a whole new level. It reached global popularity, and its features clearly set it apart from legitimate remote access tools: SubSeven could, for instance, steal passwords and hide its own presence on the machine, things a genuine administration tool has no reason to do.

“Once SubSeven is installed, hackers can initiate attacks that range from mildly irritating to extremely detrimental,” wrote security researcher Jamie Crapanzano in his paper Deconstructing SubSeven, the Trojan Horse of Choice. “[T]he more notable capabilities provided by SubSeven are the ability to restart Windows on the victim’s computer, reverse mouse buttons, record sound files from the microphone attached to the compromised machine, record images from an attached video camera, change desktop colors, open/close the CD-ROM drive, record screen shots of the victim’s computer and turn the victim’s monitor off/on,” Crapanzano wrote.

Yet it wasn’t all about having fun. Around that time, other hackers claimed they built RATs to make a statement. The Cult of the Dead Cow created Back Orifice, a name that plays on Microsoft’s BackOffice Server software.

Back Orifice was mostly the work of Josh Buchbinder, a hacker better known as “Sir Dystic,” a handle taken from a comic book character from the 1930s. This character tries to do evil things “but always bungles it and ends up doing good inadvertently,” Buchbinder said in the movie Disinformation.

The Cult of the Dead Cow members launched Back Orifice at DEF CON 6 in Las Vegas in August 1998, saying it was meant to raise awareness of security flaws found in Microsoft software.
“Our position is that Windows is a fundamentally broken product,” said Death Veggie, the Cult’s minister of propaganda.

At the end of the 1990s, there were at least 16 RATs, Valeros says. During the next decade, however, malware authors focused less on the fun factor and more on making money.

RATs for profit and espionage

In the 2000s, RAT authors were no longer naive kids who wanted to see how far they could go. Most of them were familiar with tools such as NetBus, SubSeven or Back Orifice, and they knew exactly what they were doing.

Take Beast, a RAT first seen in 2002. It kept some of the early Trojans’ features (it has “Fun Stuff” and “Lamer Stuff” menus) but was capable of more complex things, Valeros says. It used a client/server architecture, just like Back Orifice, but it was among the first to include a reverse connection to its victims. The client connects to the attacked computer on port 6666 (close enough to the number of the beast), while the server opens connections back to the client using port 9999. The reverse connection is what made such tools practical beyond the LAN: a compromised machine that initiates an outbound session passes through NAT and stateful firewalls that would block an inbound connection to a listening port. Beast could also bypass a firewall and kill antivirus processes, and it came with a file binder that could join several files into one executable.

The more features RATs got, the more appealing they became. Soon they were being used as part of more complex attacks by cybercriminals and state-sponsored attackers alike. There was a clear distinction between authors and operators, Valeros says.

Gh0st was among the most prolific remote access Trojans of its time. It was developed by a Chinese group that went by the name C. Rufus Security Team. The first version surfaced in 2001, according to Valeros, but it only gained popularity a few years later.

Gh0st is notorious for its part in the GhostNet operation uncovered in 2009, which targeted political, economic, and media organizations in more than 100 countries.
The attackers quietly infiltrated computer systems connected to embassies and government offices. Even the Dalai Lama’s Tibetan exile centers in India, London, and New York City were hacked. According to several research papers, the malware collected information, encrypted it, and sent it to the command-and-control server.

In the late 2000s, this RAT was available for anyone interested in hacking to download and use, wrote researcher David Martin in his paper Gh0st in the Dshell: Decoding Undocumented Protocols: “It is relatively easy to locate a copy with nothing more than a search and a willingness to download software from one of several suspicious websites.”

Another infamous RAT was PoisonIvy, which surfaced in 2005. It was easy to download free of charge from its own website, and that accessibility helped it gain traction. Researchers at FireEye wrote that in 2011 it was used in the attack against security company RSA and in the Nitro cyber-espionage campaign that targeted government agencies, defense contractors, chemical makers and human rights groups.

The DarkComet RAT was also easy to download and use. It was developed in 2008 by Jean-Pierre Lesueur, and a few years later it was used by the Syrian government to spy on its citizens. It is believed that several people were arrested because of it. The RAT could take screenshots and steal passwords, among other things.

Soon after the connection with the Syrian regime was established, Lesueur stopped developing the RAT, telling Wired in an interview: “I never imagined it would be used by a government for spying. If I had known that, I would never have created such a tool.”

Although he stopped developing DarkComet, others picked up where he left off. The RAT ended up in the hands of several hacking groups, including APT38, sponsored by the North Korean government.

The impact of these tools can be devastating.
Even more concerning is that their prices are often ridiculously low. One can buy a RAT for as little as $20, Valeros says.

The commoditization of RATs

The number of new RAT families exploded between 2011 and 2020. “We have more than 250 RATs in less than ten years,” Valeros says. CyberGate, NetWire, NanoCore, ImminentMonitor, Ozone RAT, OmniRAT, Luminosity Link, SpyNote, Android Voyager and WebMonitor were among them.

Luminosity Link, first seen in 2015, infected not just a couple of machines but possibly hundreds. “It looks like a very professional tool,” Valeros says. It had an easy-to-use interface, and the developers thought about how best to visualize information on victims.

In fact, RAT entrepreneurs often listened to customers when deciding which features to include. They were also expected to do much more than just provide the software; sometimes they even helped with hosting part of the infrastructure.

At times, they wanted to keep the lines blurred, claiming they built remote access tools, not Trojans. Quasar, for instance, is still advertised as legitimate software for a wide range of uses, including user support, administrative work and employee monitoring. Yet the same piece of software has been seen in dangerous attacks, such as those that targeted Ukraine in 2015. The same RAT was also used by the Chinese threat actor APT10. QuasarRAT is versatile: it works on Windows XP SP3, Windows Server 2003/2008/2012, and Windows 7, 8/8.1 and 10.

Most RATs are built for Windows machines, but a few, like NetWire and WebMonitor, are multi-platform and work on Mac, Linux and Android. Recent years have seen a growth in Android RATs. Android Voyager, first seen in 2017, was among the better-known ones, but it now has serious competition. GravityRAT has recently started to target Android users.
Security researchers noticed a piece of malicious code inserted in an Android travel app aimed at Indian users.

Valeros says she expected more diversity when she started studying RATs. She soon discovered that the products currently sold are mostly “standardized,” that they are “not very different from each other.”

Most have the same structure. The program installed on the victim’s machine is called the server, and it is designed to connect back to the attacker. The client is the software the attacker uses to monitor and control the victims, to visualize the infections, and to execute individual actions manually. Note that the naming is the reverse of the usual networking convention: the “server” is the implant, and it is the side that initiates the outbound connection, which is what lets it cross NAT and firewalls that permit outbound traffic.

In addition to these basic elements, there are a few more elaborate ones, such as the builder, the crypter and plugins. The builder quickly creates new RAT servers, while plugins add capabilities. The crypter is used to avoid detection by antivirus: it reads a program’s code and encrypts it with a key, then produces a new program that contains the encrypted code and the key and that decrypts itself automatically upon execution. Because the key ships inside the file, a crypter hides nothing from anyone who can run or unpack it; it only defeats static signature matching, and the decrypted code is exposed in memory once the program runs.

Some nation-state hackers tend to use common RATs that follow this structure rather than developing tools from scratch, Valeros says. “If you really want to hide yourself, maybe buying a RAT from some forum is the way to go.”

Valeros looked at RATs sold in 2019 and 2020 on marketplaces such as DaVinciCoders, Secret Hacker Society, buyallrat588, Dorian Docs, FUD Exploits, and Ultra Hacks. Android Voyager, for instance, was priced between $30 and $250.

The price variation is often tied to plugins and additional services, such as technical support. “The most successful RATs do not have a huge technological advantage, but better reviews, recommendations and, in the end, better marketing,” Valeros wrote in her Virus Bulletin 2020 paper.

While many threat actors will continue to use commodity RATs, a few will build their own, says Recorded Future’s Kaye.
“The MuddyWater APT used some kind of bespoke-type RAT functionality.” In the years to come, she expects to see RATs with complex modules but also simple ones written in Python. “For the more modular ones, there are people writing new modules, because some RATs are open source,” Kaye says.

How to mitigate risk from RATs

In the beginning, RATs were about opening the CD tray and stealing passwords. “Nowadays, they can do almost everything,” says Avast security evangelist Luis Corrons. In 2020, he saw attackers using mostly njRAT, NanoCore RAT, Blackshades and SpyNet. Companies are sometimes slow to detect RATs. “We have seen attacks in which someone has been inside a company for half a year or a year and nobody noticed,” he says.

That is why Corrons recommends monitoring the company’s network meticulously. “Everybody is going to get infected, and the sooner you detect it, the better, because if you detect it really early, you can avoid most of the damage,” he says.

He and Recorded Future’s Kaye say that most attacks still rely on social engineering techniques, so educating users is fundamental. “Let employees know how their IT services team will be contacting them,” Kaye says.

Europol, the European Union’s law enforcement agency, lists a few other things users can do:

- Make sure the firewall is active.
- Keep software updated.
- Download software only from trusted sources.
- Regularly back up data.
- Do not click on suspicious links, pop-ups or dialog boxes.
- Do not click on links or attachments within unexpected or suspicious emails.

Europol also lists a few signs of infection:

- The internet connection might be unusually slow.
- Files might be modified or deleted.
- Unknown processes might be visible in the Task Manager.
- Unknown programs might be installed and could be found in the Control Panel.

These are coarse, host-level signs; a RAT that throttles its own activity will show none of them, which is why Corrons puts the emphasis on watching the network.
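The network monitoring that Corrons recommends can be made concrete. The script below is an added example, not code from the article or from any of the researchers quoted in it: it reads a per-process connection log and reports the pattern an implant produces when, as described in the section on RAT structure, the “server” on the victim repeatedly connects back to the operator’s “client.” The log format, the allowlist of known network clients, the internal address ranges, the beacon thresholds and the sample records (which use documentation-range addresses) are all assumptions constructed for this demonstration.

```python
"""Spot RAT-style reverse connections in a per-process connection log.

Added example; it is not code from the article or from the researchers it
quotes. It assumes a log with one line per connection attempt in the form
"<ISO timestamp> <process> <remote_ip>:<remote_port>" (the records below are
constructed for this demonstration and use documentation-range addresses).
The heuristics are assumptions to tune per environment:
  * only outbound connections to addresses outside the internal ranges count,
  * processes on a small allowlist of known network clients are ignored,
  * a process contacting the same host:port repeatedly at near-constant
    intervals is reported as a beacon, which is how an implant (the RAT
    "server") keeps a channel open to the operator's "client".
"""
from __future__ import annotations

import ipaddress
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
ALLOWLIST = {"chrome.exe", "outlook.exe"}   # assumed known-good network clients


@dataclass(frozen=True)
class Conn:
    ts: datetime
    proc: str
    remote_ip: str
    remote_port: int


def parse_log(text: str) -> list[Conn]:
    conns = []
    for line in text.strip().splitlines():
        ts, proc, remote = line.split()
        ip, port = remote.rsplit(":", 1)
        conns.append(Conn(datetime.fromisoformat(ts), proc, ip, int(port)))
    return conns


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def interval_cv(timestamps: list[datetime]) -> float | None:
    """Coefficient of variation of the gaps between connections.
    Near 0 means a metronome-like beacon; human-driven traffic is bursty."""
    if len(timestamps) < 2:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean > 0 else None


def find_beacons(conns: list[Conn], min_hits: int = 4, max_cv: float = 0.2) -> list[dict]:
    """Group external, non-allowlisted connections by (process, host, port)
    and report groups that repeat at regular intervals."""
    groups: dict[tuple[str, str, int], list[datetime]] = defaultdict(list)
    for c in conns:
        if c.proc.lower() in ALLOWLIST or is_internal(c.remote_ip):
            continue
        groups[(c.proc, c.remote_ip, c.remote_port)].append(c.ts)
    alerts = []
    for (proc, ip, port), tss in groups.items():
        tss.sort()
        cv = interval_cv(tss)
        if len(tss) >= min_hits and cv is not None and cv <= max_cv:
            alerts.append({"process": proc, "remote": f"{ip}:{port}",
                           "hits": len(tss), "interval_cv": round(cv, 3)})
    return alerts


# Constructed log: a browser (allowlisted), an internal backup job, a chat
# client with bursty traffic, and an unknown binary phoning home every ~60 s.
SAMPLE_LOG = """
2020-11-02T09:00:00 chrome.exe 198.51.100.7:443
2020-11-02T09:00:05 chrome.exe 198.51.100.7:443
2020-11-02T09:00:01 winupd.exe 203.0.113.45:9999
2020-11-02T09:00:03 chat.exe 198.51.100.20:443
2020-11-02T09:00:04 chat.exe 198.51.100.20:443
2020-11-02T09:00:40 chat.exe 198.51.100.20:443
2020-11-02T09:01:01 winupd.exe 203.0.113.45:9999
2020-11-02T09:02:02 winupd.exe 203.0.113.45:9999
2020-11-02T09:02:10 backup.exe 10.0.0.12:445
2020-11-02T09:03:00 winupd.exe 203.0.113.45:9999
2020-11-02T09:03:00 chat.exe 198.51.100.20:443
2020-11-02T09:03:10 backup.exe 10.0.0.12:445
2020-11-02T09:04:01 winupd.exe 203.0.113.45:9999
2020-11-02T09:04:10 backup.exe 10.0.0.12:445
2020-11-02T09:05:10 backup.exe 10.0.0.12:445
"""

if __name__ == "__main__":
    for alert in find_beacons(parse_log(SAMPLE_LOG)):
        print(alert)
```

Only the unknown binary that reconnects to the same external host and port roughly once a minute is reported; the chat client talks to an external host too, but its intervals are irregular. Two caveats: a RAT that holds one long-lived TCP session instead of reconnecting produces no repeated entries, so session duration has to be watched alongside reconnection rhythm, and RATs that add random jitter to their check-in interval will need a looser threshold than the one assumed here.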
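The description of the crypter in the section on RAT structure (encrypted code plus the key, decrypting itself on execution) can also be shown in code. What follows is an added example, not the article’s code and not the format of any real crypter: it builds a toy container in that shape and then runs the two static checks a defender has against it, a plaintext byte signature and a Shannon entropy heuristic, and finally unpacks it the way an analyst would, since the key travels with the payload. The container layout, the marker strings, the fixed key and the stand-in payload are all constructed for this demonstration.

```python
"""Crypter output against signature and entropy checks.

Added example, not the article's and not any real crypter's format. It
builds a toy "crypted" container in the shape described above (encrypted
code with the key stored next to it), then shows what that does and does
not achieve: a byte signature for the plaintext no longer matches, the
blob's Shannon entropy jumps, and because the key is inside the file an
analyst can unpack it mechanically. Marker, key and payload are invented.
"""
import hashlib
import math
from collections import Counter

MAGIC = b"XCRYPT1"   # assumed container marker
KEY_LEN = 32


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum, plain text usually lands around 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (a toy stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def crypt(payload: bytes, key: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(p ^ k for p, k in zip(payload, keystream(key, len(payload))))


def build_container(payload: bytes, key: bytes) -> bytes:
    """What a crypter emits: marker, key, encrypted payload (stub omitted)."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be %d bytes" % KEY_LEN)
    return MAGIC + key + crypt(payload, key)


def unpack_container(blob: bytes) -> bytes:
    """Analyst side: the key ships inside the file, so recovery is mechanical."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a container")
    key = blob[len(MAGIC):len(MAGIC) + KEY_LEN]
    return crypt(blob[len(MAGIC) + KEY_LEN:], key)


def scan(blob: bytes, signatures, entropy_threshold: float = 7.0) -> dict:
    """Static checks: plaintext signatures first, then the entropy heuristic."""
    hits = [s for s in signatures if s in blob]
    ent = shannon_entropy(blob)
    return {"signature_hits": hits, "entropy": round(ent, 2),
            "suspicious": bool(hits) or ent >= entropy_threshold}


# Constructed stand-in for an implant's configuration block; the address is
# from the documentation range and every string is invented.
PAYLOAD = (b"c2_host=203.0.113.45\r\nc2_port=9999\r\nreverse_connect=1\r\n"
           b"keylogger=1\r\nmutex=DEMO_RAT_MUTEX\r\n") * 64
SIGNATURES = [b"DEMO_RAT_MUTEX", b"reverse_connect=1"]
KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)   # fixed for a reproducible run


def demo() -> dict:
    container = build_container(PAYLOAD, KEY)
    return {"plain": scan(PAYLOAD, SIGNATURES),
            "crypted": scan(container, SIGNATURES),
            "recovered": unpack_container(container) == PAYLOAD}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The plain payload is caught by its signatures; the crypted container matches none of them, but its entropy is close to 8 bits per byte, which is the signal many scanners use to flag packed or encrypted executables. That heuristic is only a triage aid, since legitimately compressed or packed software looks the same, and a real crypter adds a decryption stub and a loader that this toy omits; the more reliable catch is that the original code reappears in memory the moment the program runs.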