RATs, or Remote Access Trojans, have come a long way from the prank tool '90s kids used to spook their friends.
From simply opening CD trays and controlling computers remotely to scare victims, they have evolved into some of the most prevalent malware in the wild.
Here’s everything you need to know about this Trojan and what you can do about a RAT infestation.
What Is a RAT?
A RAT is a Trojan, a type of malware disguised as something else that victims need—like a legitimate file, program, or app. It tricks victims into downloading and then activating it so it can spread into the system.
A RAT gives cybercriminals complete, unlimited, and remote access to a victim’s computer. Once activated, it can hide within the system for many months and remain undetected. It connects the victim’s device to a command and control (C&C) server controlled by hackers.
The C&C acts as a remote host that sends commands to the Trojan on the victim’s computer. The Trojan can record all your on-screen activities, access and steal PII (personally identifiable information) like social security numbers, pilfer financial information like credit card details, take screenshots, hijack the webcam or microphone, and record or harvest keystrokes.
Besides giving a hacker administrative control over a victim’s device, a RAT can use that device to spread malware to other computers. This nasty Trojan can do all this without the victim knowing it.
From Pranks for Fun to Cybercrime for Money
The oldest remote access trojans that I found during my research are from 1998: netbus, y3k, back orifice. #rat #research #AStudyOfRATs pic.twitter.com/prn97oOVDd
— _Veronica_ (@verovaleros) September 3, 2017
RATs have been around for decades. The first legitimate remote access tools were created in the late 80s for remote machine management. Soon after, mischievous albeit still innocent tech-savvy kids used them to prank friends. By the mid-to-late 90s, malicious actors caught wind of the technology and started using it to cause damage.
In 1998, a Swedish computer programmer developed a remote access tool called NetBus. He claimed that this was primarily created just to pull pranks.
It became notorious a year after its development when attackers downloaded NetBus and used it to plant 12,000 pornographic images, including more than 3,000 child pornographic materials, onto a law professor’s computer.
Systems administrators soon discovered the material, so the professor lost his job and had to leave the country. He was exonerated only in 2004, after he proved that hackers had downloaded the materials onto his computer using NetBus.
The NetBus controversy paved the way for the development of more sinister remote access Trojans, like the notorious SubSeven and Back Orifice. By the 2000s, the RAT landscape exploded with strains that picked up more and more features along the way.
A few RAT developers in the early 2000s figured out a way to bypass firewalls and AVs, steal information, and add more attacks to their arsenal. Soon after, RATs were used by state-sponsored cybercriminals to attack government organizations.
These days, RATs come in all sorts of strains and versions. Some, like the new Golang-based ElectroRAT, can target Windows, macOS, and Linux. It’s designed to target and drain cryptocurrency wallets.
Some malware developers are even reportedly trying to bundle RATs with ransomware that can be launched after gaining administrative access to the computer. RATs can cause a lot of damage, and what’s even more alarming is that they are readily available and sold cheaply. According to research, RATs are sold for as little as $9.47 on average on the dark web market.
Remote Access Trojans tools are on the rise allowing authors to modify and inject code into existing apps #GetSmarter pic.twitter.com/pEdGcPreys
— Webroot (@Webroot) June 25, 2015
How Do People Get Infected With a RAT?
RATs piggyback on legitimate-looking email attachments, download packages, plugins, or torrent files. They use social engineering to lure victims into clicking a link or downloading a file that initiates infection.
RATs also often disguise themselves as legitimate, often popular, apps or programs posted on forums or third-party sites.
If sent as an attachment to a phishing email, they can mimic purchase orders, invoices, or any document that would require verification. Once the victim clicks the file, which looks like an MS Word document, the RAT makes its way into the victim’s device and buries itself in the system, often without a trace.
Be wary of sites that claim to offer popular apps and programs at cheaper prices, or for free. Make sure you have an updated AV on your computer, install OS patches right away, and avoid downloading file attachments, especially from people you don’t trust. If a friend sends you an attachment, call to verify the contents of the file before opening it.
How Do You Know If You Have a RAT?
4 tips you can follow to protect yourself against Remote Access Trojans & other #malware https://t.co/lUepPQxVPC #cybersecmonth #CyberSafety pic.twitter.com/Rtz2HcoxtO
— Europol (@Europol) October 10, 2016
Europol has a few guidelines to help people spot the presence of a RAT on their computer. Watch out for unknown processes running in the system (visible in Task Manager, under the Process tab). Also watch out for unknown programs installed on the device. To check for the latter, go to your device’s Settings (through a gear icon), and then check under Apps or Apps & Notifications.
You can also check for changes to your files, such as files that have been deleted or modified. Another telltale sign you have a RAT in your system is an unusually slow internet connection.
Some RAT strains are designed to be extremely difficult to detect, so if you don’t see any of these signs but still want to check, you can run an AV scan.
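The process check above can be combined with the C&C behaviour described earlier: an unfamiliar process that also holds a connection to an outside address deserves a closer look. The following is an added example, not part of the original article; it assumes you have saved the output of the Windows commands tasklist /fo csv /nh and netstat -ano, and the sample data, process names, addresses, and baseline list are all constructed for illustration.

```python
import csv
import io
import ipaddress

# Constructed `tasklist /fo csv /nh` output (not from a real host).
TASKLIST = '''"svchost.exe","1044","Services","0","21,304 K"
"chrome.exe","4321","Console","1","150,112 K"
"invoice_viewer.exe","6120","Console","1","9,876 K"
"updater32.exe","7008","Console","1","4,120 K"
'''
# Constructed `netstat -ano` output; remote IPs are documentation ranges.
NETSTAT = '''  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1044
  TCP    192.168.1.20:49701     198.51.100.7:443       ESTABLISHED     4321
  TCP    192.168.1.20:49712     203.0.113.45:4444      ESTABLISHED     6120
  TCP    192.168.1.20:49720     192.168.1.1:445        ESTABLISHED     7008
'''
KNOWN = {"svchost.exe", "chrome.exe"}  # assumed baseline of recognised image names
LOCAL_NETS = [ipaddress.ip_network(n) for n in (  # loopback, RFC 1918, link-local
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def parse_tasklist(text):
    """Map PID -> image name from CSV-formatted tasklist output."""
    rows = csv.reader(io.StringIO(text))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2}

def external_connections(text):
    """Yield (pid, ip, port) for ESTABLISHED IPv4 TCP rows that leave the LAN."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP" or parts[3] != "ESTABLISHED":
            continue
        host, _, port = parts[2].rpartition(":")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # bracketed IPv6 or malformed row: out of scope here
        if not any(ip in net for net in LOCAL_NETS):
            yield int(parts[4]), str(ip), int(port)

def review(tasklist_text, netstat_text, known):
    """Return {pid: {"name", "remote"}} for every process not in the baseline."""
    findings = {pid: {"name": name, "remote": []}
                for pid, name in parse_tasklist(tasklist_text).items()
                if name.lower() not in known}
    for pid, ip, port in external_connections(netstat_text):
        if pid in findings:
            findings[pid]["remote"].append((ip, port))
    return findings
```

A name that matches the baseline is not proof that a process is clean, since a Trojan can reuse a familiar image name, so treat the result as a shortlist for an AV scan rather than a verdict.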
What to Do if You’ve Been Infected
If your computer has been infected with a RAT, you have to assume that your information has been compromised.
You would need to update the usernames and passwords of your accounts using a clean computer or uninfected device. Call your bank to notify them about the breach and monitor your bank statements for suspicious transactions.
You can also check your credit reports in case an account has already been made in your name.
To remove it, you can follow this comprehensive Trojan removal guide. Alternatively, you can go through our Complete Malware Removal Guide.
RATs: Stealthy and Dangerous
Remote Access Trojans are stealthy and dangerous. They can cause a lot of damage to individuals and organizations.
While they may be difficult to detect, since most leave no trace, there are many virus scan and removal sites that can help you deal with the problem.