The Year of the RAT: Don’t let your IT turn into a RAT’s nest

The first blog of this series established that well-planned cybersecurity is necessary to achieve sustainable protection against the mutating threats that are Remote Access Trojans (RATs). We also identified how local protections through endpoint solutions can effectively contain malware.

If we’ve learned anything about remote access threats, it’s that it would be overly optimistic to believe that RATs can’t reach any of your systems. It’s better to believe they can – and will – get into your infrastructure either through a complex attack, or thanks to a simple and unintentional mistake by one of your employees.

RATs do not only attack isolated endpoints. They like to spread, as long as they have the appropriate set of tools at their disposal. Fortunately, solutions exist to enforce perimeter protection and block contamination.

A RAT’s Goal: Spread as widely as possible

Infecting a single system is a lot of effort for little reward. The real objective is to infiltrate even further; corrupting a full network is much more interesting. The intentions are obvious:

  • Exfiltrate critical data to resell for profit or for industrial espionage purposes
  • Encrypt systems, block an entire organization and hold it for ransom

Deploying malware on a large number of systems allows a botnet to grow, which empowers the attacker even further.

How do hackers take advantage of their control over thousands of systems?

  • One simple example is cryptomining. This activity has become so resource-intensive that cybercriminals now seek third-party systems to grow their wallet. The attacker leverages the computing capabilities of your digital resources in order to illegally mine bitcoin.
  • Another way to exploit a network is to use it as a proxy to cover elaborate attacks. Cyberattacks usually rely on a Command and Control (C&C) server to either exfiltrate internal data or to send instructions to the already-installed malware. The anonymity of the C&C is critical; your infected endpoints will be used to cover its communications.
  • Ultimately, cybercrime organizations will use your infrastructure to launch elaborate DDoS attacks against high-profile targets such as governments or critical infrastructure, while remaining anonymous.

How does a RAT expand its nest?

As shown in the previous blog, malware such as Remote Access Trojans is already equipped to elevate privileges or compromise accounts. So, once installed on a system, how does the RAT replicate across the network?

First it will identify new targets. To do so it can leverage a few different approaches:

  • It can rely on endpoint administration tools such as net view or Nmap
  • It might already have its own tools adapted to the attack
  • Or it can establish communication with its Command & Control center (C&C) and download new capabilities adapted to your environment.

Generally, any of these tools allow the malware to scan the network and/or Active Directory in order to identify weak systems as future victims. Once a system is identified, the RAT propagates directly to it or uses a known exploit to breach it.

Step by step, the malware will detect all weak systems within the environment and accumulate privileges until it has access to the maximum number of systems.

Don’t let your IT turn into a RAT’s nest

One key strategy to protect your infrastructure against a RAT infestation is to ensure that it can’t spread, thanks to robust, tailored security measures.

  • If the RAT can’t access a system, it can’t control it. Establish strong access control by ensuring that only the right user can connect to the right system, under the proper conditions.
  • If the RAT can’t reproduce, it can’t spread. Advanced anti-bouncing mechanisms prevent programs and processes from trying to connect to other systems across the network.
  • If the RAT can’t eat, it can’t grow. Even if an asset is breached, powerful session monitoring tools ensure that only authorized activities are performed on that asset. Malicious attempts to corrupt a system are simply blocked.

Privileged Access Management (PAM) solutions provide straightforward security defenses to prevent a RAT from spreading within and across your IT environment:

  • Critical assets can be accessed only by authorized users under authorized circumstances. Even a compromised privileged account won’t allow unrestricted access to a resource.
  • Actions performed during a session are fully recorded but are also analyzed in real-time. Unauthorized actions and processes are caught automatically and blocked before they are executed.
  • Most advanced PAM solutions include anti-bouncing capabilities, blocking any connection attempt from a critical asset.
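The two network-side behaviours described above (a RAT fanning out to discover new targets, and an "anti-bouncing" rule that refuses connections initiated from a critical asset) can both be expressed as checks over connection records. The following script is an added example written for this post; it is not code from the blog's author or from any PAM product. The log line layout, the IP addresses, the 60-second window, the threshold of five distinct destinations and the critical-asset and allowed-destination sets are all constructed assumptions, chosen only to make the script run offline.

```python
"""Defender-side checks over connection records (added example, constructed data).

Two checks are implemented:
  1. detect_fanout      - a source contacting many distinct destinations inside a
                          short window, the footprint of the target discovery phase
                          described in the post.
  2. check_anti_bounce  - a connection *initiated by* a critical asset towards
                          anything but an explicitly allowed destination, i.e. the
                          "anti-bouncing" rule a PAM solution would enforce.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set

# Constructed sample in an assumed "<ISO time> <src> -> <dst>:<port>" layout.
# 10.0.5.20 plays an infected workstation sweeping SMB on seven hosts in 3 s,
# 10.0.7.33 is an ordinary user, 10.0.1.10 is a critical server.
SAMPLE_LOG = """\
2024-03-01T10:00:01 10.0.5.20 -> 10.0.1.10:445
2024-03-01T10:00:02 10.0.5.20 -> 10.0.1.11:445
2024-03-01T10:00:02 10.0.5.20 -> 10.0.1.12:445
2024-03-01T10:00:03 10.0.5.20 -> 10.0.1.13:445
2024-03-01T10:00:03 10.0.5.20 -> 10.0.1.14:445
2024-03-01T10:00:04 10.0.5.20 -> 10.0.1.15:445
2024-03-01T10:00:04 10.0.5.20 -> 10.0.1.16:445
2024-03-01T10:00:10 10.0.7.33 -> 10.0.1.10:443
2024-03-01T10:00:12 10.0.7.33 -> 10.0.1.12:443
2024-03-01T10:00:20 10.0.1.10 -> 10.0.0.5:514
2024-03-01T10:00:25 10.0.1.10 -> 10.0.1.11:445
2024-03-01T10:05:00 10.0.7.33 -> 10.0.1.13:443
2024-03-01T10:05:01 10.0.7.33 -> 10.0.1.14:443
2024-03-01T10:05:02 10.0.7.33 -> 10.0.1.15:443
"""

# Assumed policy data: servers that must never initiate connections themselves,
# and the one destination (a log collector) they are allowed to talk to.
CRITICAL_ASSETS: Set[str] = {"10.0.1.10", "10.0.1.11"}
ALLOWED_FROM_CRITICAL: Set[str] = {"10.0.0.5"}

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")


class Conn(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_log(text: str) -> List[Conn]:
    """Parse the assumed log layout; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port = m.groups()
            records.append(Conn(datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def detect_fanout(records: List[Conn], window_seconds: int = 60,
                  threshold: int = 5) -> Dict[str, int]:
    """Return {source: peak distinct destinations} for sources whose distinct
    destination count inside any sliding window reached the threshold."""
    by_src: Dict[str, List[Conn]] = defaultdict(list)
    for r in sorted(records, key=lambda r: r.ts):
        by_src[r.src].append(r)

    flagged: Dict[str, int] = {}
    span = timedelta(seconds=window_seconds)
    for src, recs in by_src.items():
        window: deque = deque()
        counts: Counter = Counter()
        for r in recs:
            window.append(r)
            counts[r.dst] += 1
            # Drop records that fell out of the window, keeping counts exact.
            while r.ts - window[0].ts > span:
                old = window.popleft()
                counts[old.dst] -= 1
                if counts[old.dst] == 0:
                    del counts[old.dst]
            if len(counts) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(counts))
    return flagged


def check_anti_bounce(records: List[Conn], critical: Set[str],
                      allowed: Set[str]) -> List[Conn]:
    """Connections a critical asset initiated towards a non-allowed destination.
    A PAM anti-bouncing control would block these; here they are reported."""
    return [r for r in records if r.src in critical and r.dst not in allowed]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, peak in detect_fanout(recs).items():
        print(f"fan-out: {src} reached {peak} distinct destinations in 60 s")
    for r in check_anti_bounce(recs, CRITICAL_ASSETS, ALLOWED_FROM_CRITICAL):
        print(f"bounce blocked: {r.src} -> {r.dst}:{r.dport} at {r.ts.isoformat()}")
```

Running it flags 10.0.5.20 for seven distinct destinations within the window and reports the single connection 10.0.1.10 -> 10.0.1.11:445 as a bounce; 10.0.7.33 is not flagged because its five destinations are split across two windows more than a minute apart, which is why the sliding window, rather than a plain per-source total, is the right primitive for this kind of check.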

With a well-implemented PAM solution in place, security and peace of mind are made simple. RAT infestation attempts are easily stopped, empowering you to maintain the integrity of your IT without disrupting users’ tasks.

Last but not least, the final blog in this series will focus on the mitigation of external contamination vectors to ensure that your IT team can safely operate with third-party service providers and external contractors, without putting your infrastructure at risk from remote access.