Remote access trojans (RATs) are a type of malware that gives an attacker unauthorized, interactive control over a victim's computer, phone, or network. They are commonly disguised as legitimate-looking software, so the victim often installs the RAT themselves.
Once installed, a RAT lets the attacker carry out almost any action the logged-in user could. What makes RATs especially dangerous is that they are built to run quietly for long periods, giving the attacker persistent access that can go unnoticed for months.
With comprehensive analysis of your mobile application’s security, Verimatrix’s Mobile Application Security Testing service detects potential vulnerabilities that may lead to the infiltration of RATs or other malware. Try it out now!
How does a remote access trojan work?
RATs get onto a system either by exploiting a vulnerability in installed software or through social engineering. Most infections start with the delivery of the malware via an email attachment, a trojanized download, or a compromised website. Once the user unknowingly runs the installer, the RAT sets up persistence, connects back to the attacker's command-and-control (C2) server, and runs undetected in the background.
A RAT allows the attacker to:
- Monitor user keystrokes and steal credentials.
- Gain access to files and sensitive information stored on the computer.
- Install other malware or ransomware.
- Control the device’s hardware, such as enabling the webcam or microphone.
Why are remote access trojans a serious threat?
The threat posed by RATs is serious: through them, attackers gain full control over a victim's system. Their ability to operate under the radar and persist across reboots makes RAT infections hard to remove, and the longer they stay, the more damage they can do.
| Impact | Description |
| --- | --- |
| Data theft | Using RATs, attackers capture sensitive information such as credit card numbers, passwords, and personal identification numbers. The attacker may sell this data on the dark net or use it for identity theft. |
| Spying and surveillance | A RAT can turn a victim's device into a surveillance tool, switching on the camera, recording audio, or monitoring browsing activity without the victim's knowledge. |
| Operational disruption | A RAT infection can result in loss of intellectual property, business disruption, and direct financial loss. |
| Ransomware deployment | Attackers have used RATs as a foothold from which to spread ransomware across a network, then extort money from every victim who wants their data back. |
Types of remote access trojans
There exist many types of remote access trojans, which have different functionalities and attack vectors. The following are some of the most common:
Basic RATs
Basic RATs are the simplest form of this malware, yet still highly dangerous. A basic RAT gives the attacker full control over the victim's computer, executing system functions remotely as if the attacker were sitting in front of the machine.
Basic RATs seldom include advanced stealth features, but their simplicity makes them easy to adapt and cheap to deploy, which is why they are often seen in targeted attacks where the intruder already knows what they are after.
- Access files and directories: An attacker is able to read and modify or delete files on an infected system.
- Execute remote commands: They can perform any command on the victim’s system, install or delete any software, and even control hardware, such as webcams.
Keylogger RATs
Keylogger RATs are designed to capture keystrokes from an infected device. These allow the attackers to steal sensitive information such as passwords, login credentials, and personal identification numbers (PINs). Keylogger RATs are often used in conjunction with other malware to maximize the amount of information attackers can steal from their victims.
- Records all user inputs: It logs every keystroke, even the ones that access online banking, social media accounts, and other sensitive platforms, sending them back to the attacker.
- Captures data before it is encrypted: TLS protects data in transit, but a keylogger reads keystrokes as the user types them, before the browser or application encrypts anything, so HTTPS does nothing to protect the captured credentials.
Rootkit RATs
Rootkit-based RATs combine the functionality of a RAT with the stealth techniques of a rootkit, making them very hard to trace. A rootkit RAT runs at kernel level or hooks core operating system components, tampering with the structures the OS uses to list processes, files, and network connections so that the malware is hidden from any tool that relies on them.
- Persistence: Rootkit-based RATs survive reboots and evade ordinary antivirus scans, because the scanner only sees what the rootkit lets it see.
- Hide other malware: In many cases the rootkit also conceals other payloads, such as keyloggers, ransomware, or botnet clients, from antivirus software.
- Admin privilege: Rootkit RATs typically elevate to the highest privilege level available, giving the attacker unrestricted access.
Distributed RATs (D-RATs)
Distributed RATs, or D-RATs, are often used to create large networks of infected devices known as botnets. Such botnets can then generally be used in wide-scale attacks, including:
- Distributed Denial-of-Service (DDoS) attacks: The botnets, powered by a D-RAT, can overwhelm websites or networks with heavy traffic in order to make them unavailable for actual users.
- Spam campaigns: D-RATs can hijack infected devices to send out spam emails; these could be further malware or phishing attempts.
- Crypto-mining: Some D-RATs can be used to secretly mine cryptocurrency on behalf of the attacker—also known as cryptojacking—by utilizing the victim’s computing resources.
Hybrid RATs
Hybrid RATs combine multiple functionalities, making them extremely versatile. A good example of a hybrid RAT includes keylogging, file access, and the ability to install additional malware.
These RATs are designed to adapt easily; therefore, their exact behavior may differ given an attacker’s objective. Hybrid RATs are more flexible, hence they are among the favorite choices for APT campaigns where an attacker needs to stay undetected while gradually expanding control over a system or network.
- Modular design: Hybrid RATs are capable of downloading new modules at any given time, something that enables attackers to improve the malware for specific purposes.
- Remote control: Attackers can control multiple aspects of the victim’s system, including the ability to install further malicious software.
- Multi-platform capability: Hybrid RATs are built to infect multiple platforms, including Windows, macOS, Linux, and Android.
Mobile remote access trojans (mRATs)
Mobile RATs, specifically Android RATs, are a growing threat in the mobile ecosystem. Given the massive amount of personal and sensitive data stored on smartphones, mRATs are particularly dangerous and can cause significant harm if not quickly detected and removed.
- Read/send text messages and call logs: mRATs can read and manipulate SMS messages, which lets attackers intercept SMS-based 2FA codes.
- Monitor communications: Some mRATs can intercept or record phone conversations.
- Remote control of the device: Just like desktop RATs, an mRAT lets the attacker control the device remotely, from installing applications and changing settings to locking the user out of their own device.
Ransomware-deploying RATs
Certain RATs are used as a delivery mechanism for ransomware. In such cases, these RATs normally provide preliminary access to the system, through which ransomware is then installed to encrypt the target’s files.
Ransomware-deploying RATs are used in targeted attacks against businesses and government organizations where an individual or organization has valuable data. Key features of ransomware-deploying RATs include:
- Stealthy operation: The RAT can work in the background of the computer until the attacker decides to implement the ransomware.
- Widespread damage: Once inside, the ransomware spreads across the network, encrypting data on every system it reaches and then demanding a ransom for its release.
- Persistence: Even after the ransom is paid and the files are decrypted, the RAT may remain on the system, allowing the attacker to repeat the attack in the future.
How to detect remote access trojans
It can be quite difficult to identify a remote access trojan since many of them are created to keep their activities undetected for as long as possible. However, there are a few signs that might hint at a possible RAT infection:
- Unusual system behavior: If the system suddenly becomes slow, often crashes, or acts in some other erratic manner, it could be a RAT.
- Unusual network activity: Most RATs check in with their command-and-control server at regular intervals and keep the traffic small to avoid notice, so the sign to look for is not only a spike in outbound traffic but also periodic connections to unfamiliar hosts or ports.
- Unwanted pop-ups or files: In case unknown files have been popping up in your system or you start getting unwanted pop-ups, this could be a sign of RAT infection.
- Strange activity on accounts: A RAT can capture login credentials. If suspicious logins or unauthorized actions occur to your accounts, it could well be a RAT.
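The network sign described above, periodic check-ins to an unfamiliar host, can be checked for in connection logs. The script below is an added example, not part of the original article: it parses a constructed log format (timestamp, source, destination, port, bytes out) and flags flows whose inter-connection gaps are nearly constant and whose destination is not on an allowlist. The log format, the allowlist, and the jitter threshold are all assumptions for the example.

```python
"""Flag RAT-like beaconing in outbound connection logs (added example).

Assumptions (not from the article): a log in the constructed format
'<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <bytes_out>' and a small
allowlist of destinations the organisation expects to see. The beacon test
is a common heuristic: many connections to one destination at nearly
constant intervals (low jitter), which interactive browsing rarely shows.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one workstation browsing normally, plus one host that
# checks in with 203.0.113.7:8080 roughly every 60 s (documentation ranges).
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 -> 198.51.100.10:443 1420
2024-05-01T09:00:03 10.0.0.5 -> 198.51.100.22:443 5120
2024-05-01T09:00:45 10.0.0.5 -> 198.51.100.10:443 2200
2024-05-01T09:03:10 10.0.0.5 -> 198.51.100.31:443 810
2024-05-01T09:00:00 10.0.0.9 -> 203.0.113.7:8080 312
2024-05-01T09:01:01 10.0.0.9 -> 203.0.113.7:8080 310
2024-05-01T09:01:59 10.0.0.9 -> 203.0.113.7:8080 315
2024-05-01T09:03:00 10.0.0.9 -> 203.0.113.7:8080 309
2024-05-01T09:04:02 10.0.0.9 -> 203.0.113.7:8080 311
2024-05-01T09:05:00 10.0.0.9 -> 203.0.113.7:8080 314
2024-05-01T09:02:30 10.0.0.9 -> 198.51.100.10:443 1380
"""

# Assumed allowlist of destinations that are known and expected.
KNOWN_DESTINATIONS = {"198.51.100.10", "198.51.100.22", "198.51.100.31"}


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, port, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst_port, nbytes = line.split()
        dst, port = dst_port.rsplit(":", 1)
        events.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return events


def find_beacons(events, min_connections=5, max_jitter=0.15, known=KNOWN_DESTINATIONS):
    """Return flows that look like C2 beacons.

    A flow is (src, dst, port). It is flagged when it has at least
    min_connections connections, the relative spread of the gaps between
    them (stdev / mean) is at most max_jitter, and the destination is not
    on the allowlist. Results are sorted by flow for stable output.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, port, _ in events:
        by_flow[(src, dst, port)].append(ts)

    findings = []
    for (src, dst, port), stamps in sorted(by_flow.items()):
        if len(stamps) < min_connections or dst in known:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps; not a usable interval
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "port": port,
                             "connections": len(stamps),
                             "interval_s": round(avg, 1),
                             "jitter": round(jitter, 3)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"beacon suspect: {f['src']} -> {f['dst']}:{f['port']} "
              f"every ~{f['interval_s']}s x{f['connections']} (jitter {f['jitter']})")
```

Real RATs often add random jitter to their sleep interval, so raise `max_jitter` and widen the observation window before treating a clean result as reassuring; the allowlist also needs to be reviewed, since a compromised legitimate host can serve as C2.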
How to get rid of a remote access trojan?
If you suspect or have discovered a RAT on your system, the sooner you take action, the less damage it can cause. Here’s how to remove a remote access trojan:
- Disconnect the device from the network: This cuts the RAT off from its command-and-control server and stops it from spreading to other machines while you investigate.
- Perform a full antivirus scan: Use a reputable antivirus solution to scan your system for any malicious files or software. Make sure to update your antivirus definitions beforehand.
- Delete malicious files: Follow the instructions of the antivirus solution and remove the RAT files in your system.
- Restore the system to a previous state: If possible, restore from a backup taken before the infection. Be careful with operating-system restore points: a RAT that has been present for a while may have been captured in them, so prefer a backup you know predates the compromise.
- Reset passwords: Change all passwords for accounts accessed via the infected system as attackers may have captured your login credentials.
- Reformat the device (if necessary): In the worst case, where the RAT persists or a rootkit is involved, wiping the disk and reinstalling the operating system is the only reliable way to be sure it is gone.
How to protect against remote access trojans?
Prevention is always better than cure. Here are some best practices on how to protect against remote access trojans:
- Use strong security software: Ensure that you have up-to-date antivirus and anti-malware software installed on all devices, including mobile devices.
- Be wary of suspicious links and attachments: Avoid clicking on any unknown links or downloading any attachments from untrusted emails or websites.
- Regularly update software: Most RATs prey on vulnerabilities in outdated software. A great way to reduce the chances of an attack is to keep your operating system and applications updated.
- Enable a firewall: A host firewall blocks unsolicited inbound connections, and one that also filters outbound traffic can stop or at least log a RAT's attempts to reach its command-and-control server.
- Monitor app permissions: App permissions, especially those that ask for access to the camera, microphone, or storage, must be kept in check on mobile devices.
- Use multi-factor authentication: Enable multi-factor authentication for accounts such that attackers wouldn’t be able to get into them even if credentials were captured.
- Conduct regular security audits: Periodically inspect your systems for suspicious activity and for vulnerabilities that could lead to a breach. Consider using penetration testing tools to probe for weak points in your network's security.
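The advice to monitor app permissions, and the mRAT capabilities listed earlier (SMS interception, audio recording, remote control), can be turned into a concrete triage check. The script below is an added example and not part of the original article or any Verimatrix product: it parses an Android manifest (assumed to have been decoded from the APK with a tool such as apktool), looks for the permission combinations that map onto those capabilities, and reports a score and the matching patterns. The permission weights, threshold, and the fictitious "flashlight" manifest are this example's own constructions.

```python
"""Triage an Android manifest for RAT-like permission combinations (added example).

Assumptions (not from the article): the manifest is available as XML text,
and the weights below are this example's own heuristic rather than a
published scoring scheme. The point is the pairings: a flashlight app that
wants SMS, microphone, an accessibility service and a boot receiver looks
like a mobile RAT regardless of what its store listing says.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that together cover the mRAT capabilities described above.
RISK_WEIGHTS = {
    "android.permission.READ_SMS": 3,
    "android.permission.RECEIVE_SMS": 3,
    "android.permission.SEND_SMS": 2,
    "android.permission.READ_CALL_LOG": 2,
    "android.permission.RECORD_AUDIO": 2,
    "android.permission.CAMERA": 2,
    "android.permission.READ_CONTACTS": 1,
    "android.permission.ACCESS_FINE_LOCATION": 1,
    "android.permission.SYSTEM_ALERT_WINDOW": 2,
    "android.permission.REQUEST_INSTALL_PACKAGES": 3,
    "android.permission.BIND_DEVICE_ADMIN": 3,
    "android.permission.RECEIVE_BOOT_COMPLETED": 1,
}
# An accessibility service can read the screen and inject input: a strong
# remote-control indicator, weighted separately below.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_WEIGHT = 4

# Constructed manifest for a fictitious flashlight app (not a real package).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Flashlight">
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permissions the manifest requests or binds to."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perms = {e.get(name_attr) for e in root.iter("uses-permission")}
    # A service guarded by BIND_ACCESSIBILITY_SERVICE is an accessibility service.
    perm_attr = f"{{{ANDROID_NS}}}permission"
    for svc in root.iter("service"):
        if svc.get(perm_attr) == ACCESSIBILITY_PERMISSION:
            perms.add(ACCESSIBILITY_PERMISSION)
    return perms


def triage(manifest_xml, threshold=8):
    """Score the manifest and name the RAT-like capability patterns it shows."""
    perms = requested_permissions(manifest_xml)
    hits = {p: RISK_WEIGHTS[p] for p in perms if p in RISK_WEIGHTS}
    if ACCESSIBILITY_PERMISSION in perms:
        hits[ACCESSIBILITY_PERMISSION] = ACCESSIBILITY_WEIGHT
    score = sum(hits.values())

    patterns = []  # the specific pairings are what an analyst acts on
    if perms & {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}:
        patterns.append("SMS access: can intercept SMS-based 2FA codes")
    if "android.permission.RECORD_AUDIO" in perms:
        patterns.append("microphone: audio surveillance")
    if ACCESSIBILITY_PERMISSION in perms and "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        patterns.append("accessibility + overlay: remote control and credential overlays")
    if "android.permission.RECEIVE_BOOT_COMPLETED" in perms:
        patterns.append("boot receiver: persistence across reboots")
    return {"score": score, "suspicious": score >= threshold,
            "hits": hits, "patterns": patterns}


if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    print(f"score={result['score']} suspicious={result['suspicious']}")
    for p in result["patterns"]:
        print(" -", p)
```

Permissions alone do not prove malice; a legitimate messaging app needs SMS access, and a screen reader needs an accessibility service. The check is a triage filter that tells you which apps deserve a closer look (network behaviour, code review, or a dynamic analysis run), not a verdict.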
Run a mobile app security test before it’s too late
If left unchecked, a RAT can do serious damage to both personal and business systems. Knowing how to spot one helps you put in place the security practices that protect your systems from this insidious type of malware.
Since RATs can evade detection and linger undetected, it’s critical to regularly test your mobile apps for security vulnerabilities using services like Verimatrix’s mobile app security test, which provides actionable insights to help secure your app.