Expert Report: Dark Web RATs Can Compromise a Government Network

Everyone knows that powerful malicious software can be bought off dark web marketplaces. According to a new report by Cisco’s Talos cybersecurity research team, out-of-the-box Remote Access Trojans (RATs) have become very powerful over the past years – it turns out that they have been used to attack the Government of India from December 2020.

Dubbed “Armor Piercer”, the cyber campaign has been considered to be a formidable weapon that has exposed just how far cybercriminals are willing to go in meeting their purpose. The campaign compares significantly to the typical advanced persistent cybercriminal group called APT36, or Mythic Leopard, that is thought to have Pakistani roots.

Particularly, the Talos report intimated that a host of lures and tactics continue to be employed by cybercriminals, and that they all indicate the existence of a threat group that’s exploiting the opportunity in RATs.

Notably, the researchers indicated that recent cases involving cybercriminal attacks against the Indian government and military can be traced back to two commercial and commodity RAT entities known as NetwireRAT (a.k.a NetwireRC) and WarzoneRAT (a.k.a Ave Maria).

Essentially, the RATs used by the threat actors behind Armor Piercer have been found to boast extensive capabilities. NetworeRAT, for instance, is reportedly able to make away with user credentials from online browsers, execute arbitrary commands, harvest information about the host system, as well as modify, erase and create files.

Talos also reported that the RAT is capable enough to enumerate and terminate computer processes, log keys and so much more.

On the other hand, WarzoneRAT is normally embedded in dark web ads where users may find themselves clicking and deploying them unknowingly. It turns out that the malicious tools has the ability to work independent of .NET, provide 60 FPS remote control of infested user systems, and operate a hidden remote desktop.

Additionally, the RAT can conduct UAC bypass privilege escalation, webcam streaming from infected systems, password harvesting from browsers and communication apps, live and offline keyloggers, reverse proxy and remote user file management.

Talos went further to reveal the unique nature of RATs that seem to be a far more destructive tools when compared to regular crimeware and APT attacks. According to their findings, the RAT campaign appears to have employed simple and straightforward infection chains against the assumption that the threat actors may have crafted bespoke tools to be used in targeting the high-level victims such as the Indian government.

Basics of RATs

As far back as the 1990s, when the internet was still at its infancy, there was a common trend of tech-savvy teenagers to prank their friends by controlling their computers remotely. The kids would execute simple actions like ejecting the CD trays of their friends, switch mouse buttons, or alter desktop colors.

As harmless as these actions seemed to be, the unwitting user would be scared stiff because it felt like a ghost had taken control of their computer system.

Well, these were the formative years of RATs – they denote malicious software that provides unauthorized access to attackers that are looking to breach victim computers over the internet.

Point to note, RATs are normally installed without permission of the user and can continue to operate covertly to avoid detection by the host. They are different from other categories of software called Remote Access Tool that include computer programs designed to be used by administrators and tech people that help you fix your computer.

Why Do Cybercriminals Use Rats?

The moment a RAT gets installed into a target victim’s computer, it will not announce its presence. This accords attackers with the much-needed stealth and low-profile advantage because the RAT will never show up in the list of active programs or processes (See below).

Simple illustration about how RATs work (Source: The Security Buddy)

As such, it is very possible for a RAT to remain dormant for some time before swinging into action to cause its devastating effects. Cybercriminals with proper mastery of the host victim’s CPU resource management will empower them with the ability to ensure that the invading program does not raise an eyebrow through massive drops in system performance.

It is important to realize just how RATs play a pivotal role in cases involving advanced persistent threat (APT) attacks. The main goal of APT attacks is to maintain a low profile while gathering user data over a period of time – which is different from programs that damage systems and resources as soon as the unauthorized access is guaranteed.

For the above reason, RATs tend to be significantly destructive to its victims because they’ll never have an idea of their presence until it’s too late. The evidence surrounding the effects of RATs on target victims go beyond the premise itself.

As an example, if a cybercriminal can install their RAT on prominent public infrastructure such as telephone networks and oil pipelines, the devastating effects of their actions will ring across the country.

Take the case of a 2008 incident involving the Russian government where they coordinated a physical warfare strategy with offensive cyber warfare techniques in an effort to grab territory from its neighbor Georgia.

Then, the government employed massive DDoS attacks along with APTs that leveraged the opportunity in RATs. Consequently, they managed to harvest massive troves of information about their neighbor’s military tactics and eventually succeeded in sabotaging those efforts.

RATs Bought From the Dark Web

RATs that are normally sourced from the dark web tend to have extensive sets of features, with a host of these malicious tools enabling total cybercriminal control of victim computers and the ability to create a solid foundation from which to launch additional malware – the process of deploying additional malware is as simple as launching packages and modules from a regular GUI dashboard.

As reported by Talos researchers, the Armor Piercer campaign exploits Microsoft Office documents that have been coupled with malicious VBA macros and scripts. The typical infection occurs when the document download malware loaders from remote online platforms as soon as it is clicked on by an oblivious target.

Typically, the eventual goal of the installer is to plant a RAT on the target user’s system. This malicious software should be able to maintain threat actor access, allow further invasion into the host network or even harvest data.

Even further, the Talos report commented on the intriguing nature of of the cybercriminals behind creation of the world’s most dangerous RATs. Contrary to general belief that these tools may be operated by “lazy” and inexperienced threat actors, it turns out that they have become the staple of massive cyber operations. Talos noted, “Ready-made artefacts such as commodity or cracked RATs and mailers allow the attackers to rapidly operationalize new campaigns while focusing on their key tactic: tricking victims into infecting themselves.”

Otherwise, Talos researchers admitted to their lack of knowledge about whether RAT attacks are bound to go beyond Indian borders, or if similar methodologies are already being adapted in other parts of the globe.

It is worth noting that the threat of out-of-the-box malware is here to stay for a long time. This problem persists far beyond the constraints of organizational location – the dark web RAT operators will find you. Reason being that these tools are readily available and sold for cheap over dark web marketplaces.

Ideas for Your Cyber Safety

It goes without saying that the first thing you should never do is download attachments from unknown sources. Resist the temptation to download free games, software, movies and other files from strange sites that you do not trust.

In addition, make it a habit to install updates for your computer operating system, browsers and applications as a step towards achieving consistent protection for potential threats.

Having said that, many researchers believe that RAT operators will mostly target large institutions as part of their cost-benefit analysis before pulling off a cyberattack. Financial institutions, critical government infrastructure, and international firms are favourite fodder for these criminal operations.

Leave a Reply

Your email address will not be published. Required fields are marked *