Remote Access Tools (RATs) have been used by hackers since the ‘nineties. One of the first was an open-source program, Back Orifice which was created by the cDc hackers (Cult of the Dead Cow) to supposedly demonstrate Windows OS vulnerabilities. This malware is used for many cyber-crime purposes though is basically a trojan that facilitates remote control of the system, providing a back-door for further infiltrations. RATs were usually delivered via an e-mail attachment or a file in peer-to-peer networks. This contains a payload of malware that can make detection easier.
Research has uncovered the re-emergence of a hack to make detection even more difficult. This involves the the payload file going to the memory and never being present in an unencrypted state on the disk. It hides the malware from conventional scanning even by advanced AV software that uses file-based recognition. To make the situation even more difficult, samples have shown that some of these updated trojans have the new ability to recognize virtual environments and suspend activity. This evades a network sandbox analysis.
A previous example of a file-less trojan RAT is Poweliks which emerged in 2014 and was used for click-fraud. These trojans are often used for one-time intelligence gathering that the hacker uses to determine what further malware to introduce – sort of like market research, or a recon. Being resident in the memory can also enable the malware to escalate Privilege within the system.
SentinelOne’s Joseph Landry explains that while this is a problem, there is a way to detect these advanced trojans by “…monitoring all processes at the user-space/kernel-space interface – and because all communication between the application and the kernel must be unencrypted, we detect the sample at both process-injection points“.
This new wave of smart trojans is currently being deployed across the Asian malware market, though they will undoubtedly be seen (or not!) in many sectors in future.