Over the years, Remote Access Trojans (RATs) have become increasingly difficult to detect. This is partly because RATs are starting to behave in ways that many firewalls and other cybersecurity tools don’t perceive as malicious. For instance, they leverage legitimate network ports on infected endpoints, which is a common enough action that most security tools won’t flag it. What makes all of this particularly troubling is the ease with which RATs can be procured. Today, hackers on the dark web will sell these as ready-made intrusion tools.
The most recent example of such a RAT was discovered early this year. This nameless menace is arguably one of the most clandestine RATs to date.
Leveraging DNS TXT
This new Trojan, which was discovered by Cisco Talos, is unique in that it uses domain name system (DNS) queries to smuggle in commands from the remote user. The infection starts as a Word document sent via an email service that claims to be protected. The recipient of that email is directed to enable macros. Upon opening the document and running that macro, the intrusion begins.
A Visual Basic for Applications (VBA) macro then executes PowerShell commands to install the back door on the computer, according to Ars Technica. The second-stage PowerShell script checks whether the compromised user account has administrative access. A back door is created either way; if administrative access is available, the attacker can also register that back door in the Windows Management Instrumentation (WMI) database, thereby establishing persistence (the ability to remain on the system after a reboot).
Finally, the back door queries the domains listed in the script and receives TXT records from those domains containing PowerShell commands, which are executed in memory but never written to disk. Because DNS is almost never blocked, hackers can operate in a virtually undetectable manner. From here, they can sneak keyloggers, spyware and other forms of malware onto the system, and even access sensitive information stored on the network.
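The command channel described above still leaves a trace: the infected host keeps issuing DNS TXT queries, and the leading label of each query typically looks random, unlike the fixed labels of legitimate TXT lookups such as SPF or DMARC. The following Python is an added detection example, not code from the article or from Cisco Talos; the log format, client addresses, domain names and thresholds are constructed assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log in a minimal "timestamp client qtype qname" format.
# 10.0.0.12 polls a zone for commands via TXT; 10.0.0.7 makes ordinary lookups.
SAMPLE_LOG = """\
2017-03-02T10:00:01 10.0.0.7 A www.example.com
2017-03-02T10:00:05 10.0.0.12 TXT 7f3a9c1e2b4d.cdn-update.test
2017-03-02T10:00:09 10.0.0.7 A mail.example.com
2017-03-02T10:01:05 10.0.0.12 TXT 0d8e4b6a1c9f.cdn-update.test
2017-03-02T10:02:05 10.0.0.12 TXT 5e2c7a9b3d1f.cdn-update.test
2017-03-02T10:02:30 10.0.0.7 TXT _dmarc.example.com
2017-03-02T10:03:05 10.0.0.12 TXT 9a1b3c5d7e2f.cdn-update.test
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_txt_beacons(log_text: str, min_queries: int = 3, min_entropy: float = 3.0):
    """Return {client: {zone: count}} for clients that repeatedly send TXT
    queries with a high-entropy leading label to the same zone."""
    per_client = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, client, qtype, qname = m.groups()
        if qtype.upper() != "TXT":
            continue
        first, _, zone = qname.partition(".")
        # Legitimate TXT lookups (SPF, DMARC) use fixed, low-entropy labels.
        if shannon_entropy(first) >= min_entropy:
            per_client[client][zone] += 1
    return {c: {z: n for z, n in zones.items() if n >= min_queries}
            for c, zones in per_client.items()
            if any(n >= min_queries for n in zones.values())}
```

Tune `min_queries` and `min_entropy` against a baseline of your own resolver logs before alerting on the result.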
Living in a RAT-Infested World
Hackers have long since realized that advanced persistent threats (APTs) such as this new RAT are the most effective way to steal large amounts of data. Perhaps the most notable example in recent years is the Office of Personnel Management (OPM) breach, which resulted in the theft of about 21.5 million records. Researchers believe that Sakula, a RAT that maintains persistence through a registry Run key, was involved.
Now, and in the coming years, proper computer sanitation will be integral to exterminating RATs before they can cause harm to an organization. It may not be possible to preempt infection, but if businesses are able to reconfigure systems quickly, efficiently and frequently, RAT infestations are one less thing they will need to worry about.