Remote access trojans (RATs) are malware designed to allow an attacker to remotely control an infected computer. Once the RAT runs on a compromised system, the attacker can send commands to it and receive data back in response.
How Does a Remote Access Trojan Work?
RATs can infect computers like any other type of malware. They might be attached to an email, be hosted on a malicious website, or exploit a vulnerability in an unpatched machine.
A RAT is designed to allow an attacker to remotely control a computer, similar to how the Remote Desktop Protocol (RDP) and TeamViewer can be used for remote access or system administration. The RAT will set up a command and control (C2) channel with the attacker’s server over which commands can be sent to the RAT and data can be sent back. RATs commonly have a set of built-in controls and have methods for hiding their C2 traffic from detection.
RATs may be bundled with additional functionality or designed modularly to provide other capabilities as needed. For example, an attacker may gain a foothold using a RAT and, after exploring the infected system using the RAT, may decide that they want to install a keylogger on the infected machine. The RAT may have this functionality built-in, may be designed to download and add a keylogger module as needed, or may download and launch an independent keylogger.
The Threat of the RAT
Different attacks require different levels of access to a target system, and the amount of access an attacker gains determines what they can accomplish during a cyberattack. For example, exploitation of an SQL injection vulnerability may only permit them to steal data from the vulnerable database. A successful phishing attack, on the other hand, may result in compromised credentials or the installation of malware on a compromised system.
A RAT is dangerous because it gives an attacker a high level of access to and control over a compromised system. Most RATs are designed to provide the same functionality as legitimate remote system administration tools, meaning attackers can see and do whatever they want on an infected machine. RATs are also not bound by the limitations of legitimate system administration tools: they may include the ability to exploit vulnerabilities and gain additional privileges on an infected system to help achieve the attacker’s goals.
Because the attacker has this level of control over the infected computer and its activities, they can achieve almost any objective on the infected system and can download and deploy additional functionality as needed to achieve their goals.
How to Protect Against a Remote Access Trojan
RATs are designed to hide on infected machines, providing remote access to an attacker. They often accomplish this by piggybacking malicious functionality on a seemingly legitimate application. For example, a pirated video game or business application may be available for free because it has been modified to include malware.
The stealthiness of RATs can make them difficult to protect against. Some methods to detect and minimize the impact of RATs include:
- Focus on Infection Vectors: RATs, like any malware, are only a danger if they are installed and executed on a target computer. Deploying anti-phishing and secure browsing solutions and regularly patching systems can reduce the risk of RATs by making it more difficult for them to infect a computer in the first place.
- Look for Abnormal Behavior: RATs are trojans that commonly masquerade as legitimate applications and may be composed of malicious functionality added to an actual application. Monitor applications for abnormal behavior, such as notepad.exe generating network traffic.
- Monitor Network Traffic: RATs enable an attacker to remotely control an infected computer over the network, sending it commands and receiving the results. Look for abnormal network traffic that may be associated with these communications.
- Implement Least Privilege: The principle of least privilege states that users, applications, systems, etc., should only have the access and permissions needed to do their job. Implementing and enforcing least privilege can help to limit what an attacker can achieve using a RAT.
- Deploy Multi-Factor Authentication (MFA): RATs commonly attempt to steal usernames and passwords for online accounts. Deploying MFA can help to minimize the impact of credential compromises.
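As an added example (not code from the original article or its vendor) of the "abnormal behavior" and "network traffic" checks above, the following Python scans process-level connection records with the fields Sysmon Event ID 3 provides and flags two RAT indicators: a binary that has no business on the network (such as notepad.exe) opening connections, and a process checking in to one destination at near-constant intervals, which is how C2 beaconing looks. The record format, the sample log and the NO_NETWORK_EXPECTED list are constructed for the demonstration and would be replaced by your own telemetry and allowlists.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumption (site-specific): binaries that should never open network sockets.
NO_NETWORK_EXPECTED = {"notepad.exe", "calc.exe", "mspaint.exe"}

def parse_event(line):
    """Parse a constructed 'utc_time|image_path|dst_ip|dst_port' record (Sysmon Event ID 3 fields)."""
    ts, image, ip, port = line.strip().split("|")
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "image": image.rsplit("\\", 1)[-1].lower(), "dst": f"{ip}:{port}"}

def unexpected_network_use(events):
    """Indicator 1: a binary with no legitimate reason to talk to the network connected."""
    return sorted({e["image"] for e in events if e["image"] in NO_NETWORK_EXPECTED})

def beaconing(events, min_hits=4, max_cv=0.1):
    """Indicator 2: (image, destination) pairs contacted at near-constant
    intervals. cv = stdev/mean of the gaps; C2 check-ins have a low cv
    unless the RAT adds jitter, so tune max_cv to your environment."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["image"], e["dst"])].append(e["time"])
    hits = []
    for (image, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            hits.append((image, dst, round(mean(gaps))))
    return hits

# Constructed sample log: a browser with irregular traffic, and notepad.exe
# checking in to one host every 60 seconds (the behaviour the text describes).
SAMPLE_LOG = """\
2024-01-10 09:00:00|C:\\Program Files\\Browser\\browser.exe|203.0.113.5|443
2024-01-10 09:00:07|C:\\Program Files\\Browser\\browser.exe|198.51.100.9|443
2024-01-10 09:01:00|C:\\Windows\\System32\\notepad.exe|192.0.2.10|8443
2024-01-10 09:02:00|C:\\Windows\\System32\\notepad.exe|192.0.2.10|8443
2024-01-10 09:03:00|C:\\Windows\\System32\\notepad.exe|192.0.2.10|8443
2024-01-10 09:04:00|C:\\Windows\\System32\\notepad.exe|192.0.2.10|8443
2024-01-10 09:04:30|C:\\Program Files\\Browser\\browser.exe|203.0.113.5|443
"""
EVENTS = [parse_event(line) for line in SAMPLE_LOG.splitlines()]

if __name__ == "__main__":
    print("unexpected network use:", unexpected_network_use(EVENTS))
    print("beaconing:", beaconing(EVENTS))
```

The browser's two irregular connections to the same host fall below min_hits and are ignored, while notepad.exe is reported by both checks; in production the process allowlist and the cv threshold are what separate real C2 from legitimate periodic traffic such as update checks.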