Remote access trojans (RATs) are malware that allows threat actors to take full remote control of infected endpoints. RATs disguise as legitimate software or are delivered through phishing emails. When a RAT infects an endpoint, it automatically establishes communication with a command and control (C2) server. One of the key features of a remote access trojan is executing a set of commands it receives from its C2 server on the infected endpoint. Also, it can send data back to the C2 server.
Common capabilities of RATs
- Threat actors use RATs to steal sensitive information from browsers and email clients on infected endpoints. This malware also allows threat actors to log the keystrokes of users on infected endpoints. The RAT then sends the stolen information to a C2 server.
- Threat actors use remote access trojans to mine Bitcoin and other cryptocurrencies on infected endpoints. A threat actor group known as Panda has earned a high amount of dollars in cryptocurrency by spreading RATs across multiple devices.
- RATs can delete, create or modify files on infected endpoints. They can also download malicious files to assist in their malicious activities.
- RATs can distribute viruses and other types of malware. For example, RATs can be used to launch ransomware.
- Threat actors can deploy RATs on many infected endpoints and use these endpoints to launch distributed denial of service (DDoS) attacks on target servers.
- Threat actors use RATs to control infected endpoints remotely. For example, a RAT can receive commands from a C2 server and execute such commands on the infected endpoint.
How remote access trojans infect endpoints
Remote access trojans infect endpoints through phishing emails, malware posing as legitimate programs, malicious web links, and unpatched vulnerabilities. Threat actors can also install a RAT after gaining physical access to an endpoint.
Impact of remote access trojan attacks on organizations
Remote access trojan attacks can have devastating impacts on organizations in the following ways:
- Access to sensitive information and loss of customer confidence: Customer data like credit cards, bank accounts, and personal identifiable information are usually stored on computer systems. Threat actors can infect these systems with RATs to steal customer information and then use this stolen information to commit crimes. When customers discover that an organization’s compromised systems were responsible for a data leak, they lose trust in the organization.
- Financial consequences: Organizations are faced with the cost of legal actions, damages, or regulatory fines when threat actors compromise their customers’ information due to a trojan attack.
- Disruption to business operations: A remote access trojan can disrupt an organization’s business operations by modifying or deleting data needed to perform such operations.
How Wazuh detects remote access trojan attacks
Remote access trojan attacks usually involve several malicious activities being performed on infected endpoints. These activities may include manipulating files, making changes to Windows registries, recording users’ keystrokes, and installing additional malicious software. Wazuh has out-of-the-box capabilities that can detect all these activities in near real-time.
Wazuh is a free and open source enterprise-ready security solution that provides unified SIEM and XDR protection across several workloads. It provides a centralized view for threat detection and security monitoring across virtualized, on-premises, cloud-based, and containerized environments.
Wazuh offers several capabilities that organizations can implement to prevent, detect and respond to security threats. This section highlights several Wazuh capabilities that offer protection against remote access trojan attacks.
File integrity monitoring
The File Integrity Monitoring (FIM) module monitors an endpoint’s files and directories. It triggers an alert when there is a file creation, modification, or deletion. The Wazuh FIM module stores the cryptographic checksum and other attributes of files and Windows registry keys to detect when there is a change in those values. Monitoring of files, directories, and Windows registries is done periodically or in near real-time.
Most remote access trojan attacks involve file creation, modification, or deletion. The Wazuh FIM module is used to detect when these files are created, modified, or deleted. The FIM module can be integrated with VirusTotal and YARA to scan for malicious files on endpoints. For example, in this blog post, we demonstrate how the Wazuh FIM module is used to detect STRRAT malware. Figure 1 below shows the detection of STRRAT malware with the Wazuh FIM module.
Vulnerability detection
Vulnerability detection is the process of identifying security weaknesses in the operating system and applications installed on monitored endpoints. Wazuh uses the Vulnerability Detector module to detect vulnerabilities on monitored endpoints. The Wazuh Vulnerability Detector module can discover unpatched vulnerabilities on endpoints that remote access trojans can exploit. Wazuh builds a global vulnerability database from publicly available Common Vulnerabilities and Exposures (CVE) repositories. Wazuh then uses this database to cross-correlate the application inventory data collected from monitored endpoints to detect vulnerable software.
Command monitoring
Wazuh has a command monitoring module that monitors the output of specific commands that are executed on monitored endpoints. Remote access trojan attacks involve the execution of a set of commands on infected endpoints. The Wazuh command monitoring module can be used to monitor the output of commands executed by RATs. As demonstrated in this blog post, the Wazuh command monitoring module detected a Windows-scheduled task called Skype, created by STRRAT malware. The screenshot below shows the detection of the Windows scheduled task with the command monitoring module.
Conclusion
Remote access trojans usually run as legitimate applications and can stay undetected in organizations for an extended period of time when they fail to implement adequate security solutions. The impact of remote access trojan attacks is highly devastating to organizations. Because of this, organizations must effectively detect remote access trojan attacks. This can be attained by leveraging various capabilities of Wazuh.
Wazuh is a free and open source XDR solution with several modules for cyber threat detection and response. Wazuh integrates seamlessly with third-party solutions and technologies. Wazuh also has an ever-growing community where users are supported.