The Backdoor RAT and loader evasion techniques

The Backdoor RAT and loader evasion techniques

The cybersecurity threat landscape has to deal with malware such as RAT (Remote Access Trojan). It is a backdoor threat apart from launching attacks from remote locations. The technique used is obfuscation, weaponization of benign files, encryption, and remote execution. 

One of the new backdoor RATS detected by Microsoft is the AsyncRAT. This malware has no aliases name and is similar to the RevengeRAT, also known as Revenge. 

The Revenge RAT is malware and is known to attack and infect devices through malicious ads on compromised websites and malicious attachments on email. The malware is sent as a Visual Basic script with a .rar or .zip, or .doc files through spear-phishing attacks. The attackers used emails or links with embedded images that redirect users to cloud hosting sites like OneDrive, iCloud Drive, and Google Drive, where malware resides. 

How is it tackled? 

The Microsoft Defender Antivirus software removes this threat automatically the moment it detects it. If a user has cloud-delivered cybersecurity solutions, one can rest assured that the device is well-equipped with the latest defense against unknown and new malware. If one does not have it, anti-malware software should be updated, and a full scan is run to rule out any threat. 

If a threat is detected, then one can take a few prevented measures to reduce the impact:

  • If a device is affected, then it should be immediately isolated as there are high chances that the malicious code has been launched into the system, and the device is under the control of the attacker.

  • The accounts used on the affected device are also compromised. One can either deactivate those accounts or reset the passwords.

  • Investigation of the endpoints infected needs to be thoroughly done to understand how the malware came in. One also needs to check the email and web traffic. 

  • Scrutinizing the timeline of the device will provide indications of lateral movement activities used on one of those compromised accounts. 

  • One needs to check for tools dropped inside the devices. These tools gain access to the credentials or enable lateral movement or any other type of attack.

Technical information and threat behavior

Multiple operators use the RevengeRat malware. The malware family shares behavior and codes similarity apart from TTP (tactics, techniques, procedures) with other RAT malware available publicly like AsyncRAT, LimeRAT, Netwire, QuasarRAT, Cybergate, ClipBanker, Vjw0rm, WSHRat, and many other unnamed ones. 

Process of attack 

The moment a user downloads a Visual basic script, the wscript.exe process gets launched, followed by PowerShell script launch, which connects to a site called Pastebin. A second stage script known as SysTray.PS is downloaded. This script is known to create an additional process that ensures that it perseveres, collects the targeted data, then connects back to the attacker command control server. The exfiltrated data from the victim device gets transferred to the remote attacker server. 

How to prevent malware infections on your device?

Tips for End users

  • One should keep the popular software such as web browsers, Microsoft Office, Adobe Flash Player, and Java up the software to date to patch up any vulnerabilities. The Windows latest versions allow automatic updates. 

  • Avoid suspicious emails and other messaging tools. Links and attachments contain malware, and if clicked, it breaks into the system. For example, Microsoft Office 365 has inbuilt link protection, spam filtering, and anti-malware.

Watch out for malicious websites and avoid visiting them as the sites can affect one device. One checks whether the website is harmful or not by checking the domain name which represents the company. If there are any misspellings, then one needs to be alert. Many malicious websites swap an original website name with a letter O with zero (0) or L with l with 1(one). 

  • If the genuine website name is Article.com and spelled as Artic1e.com, the site is suspect and needs to be avoided. 

  • Sites that pop up aggressively and constantly trick the users into clicking it and falling prey to the attack. 

  • Avoid using pirated content as it is not only illegal but also exposed to malware.

  • Downloading any music, app, or movies should be through official websites and app stores.

  • Avoid attaching any flash drives or removable drives to one’s device from unknown sources. Malware infiltrates the device from these drives. 

  • Use a non-administrator account. In the event of any malware launching into the system, it will run under the same privileges as the active user. If it is from an administrator, then the privileges are unlimited and give a free run to the malware. If it is otherwise, then the privileges are restricted, and the damage gets contained. 

Tips for Organization IT administrators 

  • It is significant to have the latest operating system and application software. One is advised not to use versions earlier than Windows 10. Turning on automatic updates helps to deploy the latest security patch the moment they are available.

Keeping  

  • anti-malware defenders ready for endpoints to detect any vulnerabilities  

  • Turning on the cloud-based anti-malware protection, which enables sample submission automatically to the defender anti-virus. These software use AI and ML to identify quickly and stop unknown and new threats.

  • Turn on attack surface reduction rules and block the threat by stopping the activities associated with it. These rules deployed in audit mode account for continuous scanning. 

  • Administrators should conduct training programs to educate the end-users about practicing good credential hygiene to prevent malware infections on their devices.

  • Setting up rules for least privilege and restricting local administrative privileges. It will prevent RATS from installing in the devices. 

  • Encourage web browsers that identify and block malicious websites, including scam sites, phishing sites, and sites that exploit and host malware.  

  • Software applications updates are delivered using SSL connections. 

Effective anti-virus software will raise an alert if it detects any threat on the device. The threat is removed immediately on detection. It will quarantine the malware.