The 5 Most Effective Remote Access Trojans (RATs) for Post-Exploitation
Once a hacker has gained initial access to a target machine, expanding and solidifying that foothold is the next logical step. In the case of a phishing attack, this involves the use of malware to take advantage of the access provided by email.
Remote Access Trojans (RATs)
A common way to extend the attack on the target is through Remote Access Trojans (RATs). This type of malware is designed to allow a cybercriminal to remotely control a targeted machine. This provides a level of access similar to that of a remote system administrator. In fact, some RATs are derived from or based on legitimate remote administration toolkits.
The main evaluation criterion for a given RAT is how well it allows a hacker to achieve their objectives on the target computer. Different RATs are specialized for different ends. Many of the best RATs are designed to provide a large amount of functionality across a variety of different systems.
The Best RATs
There are many different Remote Access Trojans, and some cybercriminals modify existing ones or develop their own to better suit their preferences. Different RATs are also built for different purposes, and in particular for different target platforms: desktop vs. mobile, Windows vs. Apple, and so on.
Comparing different RATs across the board is like comparing apples to oranges. However, some RATs stand out from the rest within their particular areas of expertise.
1. FlawedAmmyy – The Hacker Favorite
When trying to identify which malware variant is the most effective, it’s helpful to take a look at what hackers are actively using. When it comes to RATs, FlawedAmmyy stands out as a clear modern favorite among hackers.
FlawedAmmyy is a RAT developed from the leaked source code of the remote administration software Ammyy Admin. It has been used in a variety of different malware campaigns, and it made history in October 2018 when it appeared on CheckPoint’s list of the top 10 malware threats for that month.
This was the first time a RAT had appeared on the list, the result of a wave of malware campaigns distributing the RAT. The RAT continues to show up in incidents, used by a variety of different hacking groups.
Since it was derived from a legitimate remote administration tool, FlawedAmmyy has a variety of built-in features. It provides the user with the ability to access the file system, take screenshots, and take control of the microphone and camera.
2. Free and Open Source: Quasar
For those who prefer a free and open source RAT (so the code can be inspected for possible back doors), the most recommended is Quasar RAT. Quasar is written in C# and is available on GitHub. It was first released in July 2014 and has received active updates ever since.
Quasar is a lightweight remote administration tool that runs on Windows. However, it also has a variety of features designed for “employee monitoring” (i.e. it is also useful for cybercriminals).
This includes keylogging, the ability to open remote shells, and downloading and running files. Its number of features and high stability (due to frequent updates) make it a popular choice.
3. Mobile Access (iOS): PhoneSpector
In the mobile market, RATs are advertised as solutions to help parents monitor their children’s cellular usage, and to help employers monitor how their employees use company-owned devices. There are iOS monitoring apps available that do not require jailbreaking of the target device.
One of them is PhoneSpector, which bills itself as designed to help parents and employers, but acts like malware. The software can be installed by having the device owner click a link and enter a product key on their device. It then monitors the device while remaining undetectable to the user.
PhoneSpector offers the cybercriminal the ability to monitor a wide variety of activities on the device. This includes monitoring phone calls and SMS messages (even those that have been deleted), as well as app activity. PhoneSpector even provides a customer service helpline in case a hacker finds themselves in a bind.
4. Mobile Access (Android): AndroRAT
Android’s market share and security model mean more malware has been developed for it, and the same applies to Android RATs. Among these, one of the most famous is AndroRAT.
AndroRAT was originally developed as a research project demonstrating the ability to remotely control Android devices. However, it has since been adopted by criminals. The original source code of the RAT is available on GitHub and provides a wide variety of features.
Despite the age of the source code (last update in 2014), cybercriminals continue to use AndroRAT. It includes the ability to inject its malicious code into legitimate apps, making it easier for a hacker to release a seemingly legitimate productivity app that carries the RAT. Its functionality includes all the normal features of a mobile RAT, including camera/microphone access, call monitoring, and location tracking via GPS.
5. RAT for ICS: Havex
Malware targeting industrial control systems (ICS) is nothing new, with names like Stuxnet and Industroyer designed to cause physical damage. However, some ICS-focused malware is instead intended to gain control of critical infrastructure.
Havex is a general purpose RAT, but it also has specific components for ICS systems. This includes scanning modules focused on ports used by Siemens and Rockwell Automation products. The malware was also distributed through ICS-focused watering hole attacks, showing that it is specifically designed to target this sector.
Conclusion: Maintain Access
Remote Access Trojans serve an important role for hackers. Most attack vectors, like phishing, are ideal for sending a payload to a machine. However, they do not provide the cybercriminal with the ability to explore and interact with the target environment.
RATs are designed to create a foothold on the target machine, giving the cybercriminal the necessary level of control over the machine.
The five RATs described here stand out for their ability to operate in a certain environment. A specialized RAT for the target environment is more likely to be able to perform its intended task without detection. This makes it that much more valuable as a covert surveillance tool. (DW)