A RAT (Remote Access Trojan) is a type of malicious program popular among cybercriminals. The level of obfuscation significantly separates RAT malware sophistication. The primary aspect of RAT's is to steal information from a specific user or group of users. A downloader that allows malicious software to infiltrate and infect the target system.
On October’21, Cisco Talos discovered a malware campaign where the majority of the victims were based in United States, Italy, and Singapore. According to Cisco Talos, the threat actor exploited cloud services to deploy and deliver variations of commodity RATs with information-stealing capabilities. Cloud services such as Azure and AWS are used by threat actors because they are simple to set up and maintain, making it more difficult for defenders to detect and prevent campaigns.
The Remote Administration Tools (RATs) versions are loaded with capabilities that allow them to take control of the victim's environment, execute arbitrary commands remotely, and steal the victim's information.
Nanocore is a 32-bit .NET portable executable that is widely used by threat actors in their campaigns. The plugins are used by the RAT to handle communications with the C2 server, and the SurveillanceEX plugin provides video and audio capture and the remote desktop capability.
NetwireRAT is a well-known malware that cybercriminals exploit to steal victims' passwords, login credentials, and credit card information. Threat actors in this campaign use the NetwireRAT client, which offers the ability to execute commands remotely and collect file-system information.
AsyncRAT is a remote access tool meant to remotely monitor and control computers through a secure, encrypted connection. Threat actors in this campaign use the AsyncRAT client by setting its configuration to connect to the C2 server and provide the attacker with remote access to the victim's machine.