By Ragavan

Calendar Feb 2022

Time 8 Min Read

Threat Actors Spread RATs in Cloud Services

What is a RAT?

A RAT (Remote Access Trojan) is a type of malicious program popular among cybercriminals: once installed, it gives the operator remote control of the victim's machine, and its primary purpose is to steal information from a specific user or group of users. What separates one RAT family from another in sophistication is largely its level of obfuscation. The RAT itself is usually delivered by a downloader, a small first-stage component that fetches the malicious payload and infects the target system.

In October 2021, Cisco Talos discovered a malware campaign in which the majority of the victims were based in the United States, Italy, and Singapore. According to Cisco Talos, the threat actor abused public cloud services to host and deliver variants of commodity RATs with information-stealing capabilities. Cloud services such as Azure and AWS are attractive to threat actors because they are simple to set up and maintain, and traffic to well-known cloud providers blends in with legitimate use, making such campaigns more difficult for defenders to detect and prevent.

Threat Actor Exploitations!

  • The attackers used complex obfuscation techniques in the downloader script.
  • The actor used the DuckDNS dynamic DNS service to change the domain names of the command-and-control (C2) hosts.

DuckDNS is a free dynamic DNS service: a user registers a subdomain under duckdns.org and keeps its record pointing at the current IP address by calling the DuckDNS update scripts. For an attacker this means the C2 hostname stays constant in the malware configuration while the IP address behind it can be changed at will, so blocking a single IP address does not break the campaign.

RATs Swarm Their Target

The RAT variants used in this campaign are loaded with capabilities that allow them to take control of the victim's environment, execute arbitrary commands remotely, and steal the victim's information. Nanocore is a 32-bit .NET portable executable that is widely used by threat actors in their campaigns. It is plugin-based: the RAT uses plugins to handle communications with the C2 server, and the SurveillanceEX plugin provides video and audio capture and remote desktop capability.

NetwireRAT is a well-known piece of malware that cybercriminals use to steal victims' passwords, login credentials, and credit card information. Threat actors in this campaign use the NetwireRAT client, which offers the ability to execute commands remotely and collect file-system information.

AsyncRAT is marketed as a remote access tool for monitoring and controlling computers through a secure, encrypted connection. Threat actors in this campaign use the AsyncRAT client with its configuration set to connect to their C2 server, giving the attacker remote access to the victim's machine.

Stay Ahead of Threats!

  • Deploy comprehensive, multi-layered security controls
  • Implement continuous monitoring of network activity, including DNS lookups of dynamic DNS names and connections to cloud-hosted infrastructure
  • Implement a zero-trust network architecture
  • Improve email security to detect and block malicious email messages
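As an added example (not part of the original post or of the Talos research), the following Python script shows the kind of continuous network monitoring the list above calls for, applied to the DuckDNS technique described earlier: it parses a constructed, BIND-style DNS query log, flags clients resolving names under duckdns.org, and rates each client/name pair by how regularly the lookups recur, since a RAT polling its C2 produces near-constant intervals. The log format, the sample lines, hostnames and IP addresses, and the beaconing thresholds are all assumptions made for illustration; the regularity check goes beyond what the post itself describes.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Dynamic DNS zones to watch. DuckDNS is the provider named in the Talos
# research; append other providers' zones here as needed.
DYNDNS_ZONES = ("duckdns.org",)

# Assumed log format (a BIND-style query log, constructed for this example):
#   <ISO-8601 timestamp> client <source IP> query: <name> <record type>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<src>[\d.]+) query: (?P<qname>\S+) (?P<qtype>[A-Z]+)$"
)

# Constructed sample: 10.0.0.5 polls one DuckDNS name every five minutes
# (C2 beaconing); 10.0.0.7 makes a single lookup of a different DuckDNS name.
SAMPLE_LOG = """\
2021-10-12T09:00:00 client 10.0.0.5 query: host1.duckdns.org A
2021-10-12T09:03:17 client 10.0.0.7 query: www.example.com A
2021-10-12T09:05:00 client 10.0.0.5 query: host1.duckdns.org A
2021-10-12T09:10:00 client 10.0.0.5 query: host1.duckdns.org A
2021-10-12T09:15:00 client 10.0.0.5 query: host1.duckdns.org A
2021-10-12T09:41:02 client 10.0.0.7 query: myhome.duckdns.org A
2021-10-12T09:41:05 client 10.0.0.7 query: duckdns.org.example.com A
"""


def is_dyndns(qname):
    """True if qname is a subdomain of a watched dynamic DNS zone.

    Compares whole labels, so 'duckdns.org.example.com' does not match and
    the bare zone apex 'duckdns.org' (the provider's own site) is not flagged.
    """
    labels = qname.lower().rstrip(".").split(".")
    for zone in DYNDNS_ZONES:
        zl = zone.split(".")
        if len(labels) > len(zl) and labels[-len(zl):] == zl:
            return True
    return False


def parse_log(text):
    """Yield (timestamp, src, qname) for each line that matches LOG_RE."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["qname"].lower()


def analyze(log_text, min_queries=4, max_cv=0.15):
    """Flag clients that resolve dynamic DNS names.

    A (client, name) pair is 'high' when it was queried at least min_queries
    times at near-constant intervals (coefficient of variation <= max_cv),
    the signature of a RAT beaconing to its C2; repeated but irregular
    lookups are 'medium'; a one-off lookup is 'low'.
    """
    seen = defaultdict(list)
    for ts, src, qname in parse_log(log_text):
        if is_dyndns(qname):
            seen[(src, qname)].append(ts)

    alerts = []
    for (src, qname), stamps in sorted(seen.items()):
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        alert = {"src": src, "qname": qname, "count": len(stamps),
                 "severity": "low", "interval_s": None}
        if len(stamps) >= min_queries and len(intervals) >= 2:
            avg = mean(intervals)
            cv = pstdev(intervals) / avg if avg > 0 else float("inf")
            alert["severity"] = "high" if cv <= max_cv else "medium"
            alert["interval_s"] = avg
        elif len(stamps) > 1:
            alert["severity"] = "medium"
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"[{a['severity']:6}] {a['src']} -> {a['qname']} "
              f"({a['count']} lookups, mean interval {a['interval_s']})")
```

Running the script prints one high alert for 10.0.0.5 (four lookups of host1.duckdns.org exactly 300 seconds apart) and one low alert for 10.0.0.7. Matching on whole labels rather than a substring is deliberate: a plain `"duckdns.org" in qname` check would also fire on unrelated names that merely contain the string. DuckDNS has many legitimate users, so a single lookup is context for an analyst rather than an incident; the regularity of repeated lookups is what makes the high-severity case worth escalating.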
