A R.A.T. (for Remote Access Tool, also called an R.C.S., for Remote Control System, a backdoor, or a trojan) refers to software that allows an operator to remotely control one or more systems, whether it be a computer, a smartphone, a server or an internet-connected printer.

Figure: TeamViewer

RATs are not always used for offensive operations. For example, you may know TeamViewer, which is often used for remote support and assistance (and by low-tech scammers).

In the context of offensive security, a RAT should be as stealthy as possible to avoid detection and is often installed remotely using exploits or phishing. The installation is often a two-stage process:

  • First, an extremely small program, called a dropper, stager, or downloader, is executed by the exploit or the malicious document.
  • This small program then downloads the RAT itself and executes it.

This approach makes the installation more reliable and allows, for example, the RAT to be run entirely from memory, which reduces the traces left on the targeted systems.

Architecture of a RAT

Most of the time, a RAT is composed of three parts:

  • An agent, which is the payload that will be executed on the targeted system
  • A C&C (Command and Control, also called C2 or server), operated by the attacker on their own infrastructure
  • The client, which the RAT operator uses to send instructions that the C&C forwards to the agent

There are multiple C&C channels and methods including:

  • Telegram, as used by ToxicEye
  • Social networks used as a serverless C&C, where commands for agents are hidden in comments or tweets
  • DNS, which has the lowest probability of being blocked
  • Peer to peer, as in the case of ZeroAccess
  • External drives such as USB keys (see Newcore)
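Because DNS is the channel least likely to be blocked, a defender's first check is often the DNS log itself. The following is an added example (not code from the original article): a small heuristic that parses constructed "client query-name" log lines and flags client/domain pairs that repeatedly query long, high-entropy leftmost labels, a common sign of data being tunnelled through DNS. The log format, thresholds and the two-label registered-domain rule are assumptions for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log: "<client IP> <queried name>" per line. Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 a9f3c2e7b1d4048e6f5a.tunnel.example.net
10.0.0.7 7b2e9d4f1c0a8e5b3d6f.tunnel.example.net
10.0.0.5 static-content-server.example.com
10.0.0.7 c4e8a1f6b9d2073e5a4f.tunnel.example.net
10.0.0.7 0f9e3b7a2d6c1e4b8a5f.tunnel.example.net
10.0.0.5 cdn.example.com
"""


def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores higher than hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(name):
    # Assumption: the registered domain is the last two labels (no public suffix list).
    parts = name.rstrip(".").split(".")
    return ".".join(parts[-2:])


def parse_log(text):
    """Return a list of (client, query_name) tuples, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            client, qname = line.split()
            rows.append((client, qname.lower()))
    return rows


def flag_tunneling(rows, min_label_len=16, min_entropy=3.5, min_queries=3):
    """Map (client, registered_domain) -> count of suspicious queries, keeping only
    pairs that repeatedly send long, high-entropy leftmost labels."""
    counts = defaultdict(int)
    for client, qname in rows:
        label = qname.split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            counts[(client, registered_domain(qname))] += 1
    return {pair: n for pair, n in counts.items() if n >= min_queries}


if __name__ == "__main__":
    for (client, domain), n in flag_tunneling(parse_log(SAMPLE_LOG)).items():
        print(f"possible DNS tunnelling: {client} -> {domain} ({n} queries)")
```

Thresholds like these generate false positives on CDN and anti-spam hostnames, so in practice the flagged pairs are a starting point for review rather than a verdict.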

Known RATs

DarkComet was developed by Jean-Pierre Lesueur (known as DarkCoderSc), a programmer from France. It became (in)famous after being used by the Syrian government to steal information from the computers of activists fighting to overthrow it.

Meterpreter (from the famous Metasploit offensive security suite) is defined by its creators as “an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.”

Cobalt Strike is an advanced attack platform developed and sold for red teams. It is mainly known for its advanced customization possibilities, such as its Malleable C2, which allows operators to personalize the C2 protocol and thus reduce detection.

Pegasus is an Israeli spyware which was used to spy on many civilians and reporters. This spyware was already covered in 2018 and 2020, but there was a scandal about it in July 2021.