Over the last few months we have seen several cases of Remote Access Trojan (RAT) infections, and here we would like to cover two cases that stood out for us. The first is the Adwind RAT, which is used to steal bank credentials. The second is the so-called Qrypter RAT, which is steadily gaining prominence among cyber criminals. To give you a better understanding of the issue, we will also explain what a RAT infection is. While such infections are more likely to affect corporate computer systems than individual desktops, anyone should be on the lookout for malicious Trojans.
What is a Remote Access Trojan?
Perhaps you have heard about Trojan infections before. If you are also familiar with the ancient Greek legend, you probably have a vague understanding that the infection manages to slither into the target system pretending to be something it is not. For instance, it might look like a legitimate program, but it may carry a malicious payload. Unless users are well aware of all the potential Trojan distribution vectors, it is quite easy to fall into a trap that eventually results in a malicious infection.
But what makes a Remote Access Trojan, or RAT, different from a regular Trojan? According to the researchers at TechTarget, this malicious infection comes with a backdoor. A backdoor is basically a type of Trojan that allows an attacker to control the infected system remotely. The level of control depends on what the malicious program has been programmed to do.
There are many ways for RATs to reach target systems. Sometimes the carrier is a pirated program that users download via a peer-to-peer network. Sometimes the installer arrives as an attachment to a phishing email. Whichever way it arrives, the bottom line is that it happens when users expect it the least.
The worst part about a RAT is that it gives the cyber criminals administrative control over the infected system. So if you have been infected with a particularly powerful Trojan, it can perform many tasks. For instance, it could log everything you type via keylogging. It could also steal sensitive data such as your credit card numbers. It might turn on your webcam for spying and recording videos (it would not be that surprising to find your personal videos circulating on the Dark Web!), spread viruses, and basically do anything it pleases with your data. Thus, a RAT is no joke, and it should be treated seriously.
The first case we would like to discuss is one where cyber criminals deployed the Adwind RAT via spam emails. The spam emails were made to look like urgent Swift messages, impersonating the Swift network, the global messaging system used by the banking industry. When a notification appears to come from a messaging system you usually trust, there is a much bigger chance that you will open the message and do as you are told.
According to various reports, the fake Swift messages would urge users to “wire bank transfer to your designated bank account.” What’s more, even if you are used to spam emails and are sure you can recognize a phishing attack, this scam might prove to be quite a hard nut to crack, because it asks you to check the attached document and verify that all the details are correct. This should ring a few alarm bells almost immediately, but, judging by the flood of news reports about systems infected with the Adwind RAT, the Trojan clearly manages to trick many users out there.
As far as the attack itself is concerned, it first broke out on February 9th, 2017, and researchers have indicated that it was launched from several different IP addresses located in Cyprus, Turkey, and the Netherlands. The presence of such attacks also suggests that attackers will continue to use finance-related topics to trick users into installing malicious programs.
Another type of RAT infection we would like to mention today is the so-called Qrypter. It was actually launched more than two years ago, but it is slowly becoming more popular than the previously mentioned Adwind because it has proven to be an efficient MaaS platform. MaaS stands for Malware-as-a-Service: the creators of the infection sell the program to people who want to engage in illegal activities rather than infecting target systems themselves. Adwind is also a MaaS platform, and it could be rented for around $80 per month via the Dark Web.
In fact, people sometimes confuse Qrypter with Adwind because their code is reportedly similar, and their price is also the same. When criminals rent this program, they use it to deliver the malware to the target system through phishing emails. Once the malicious infection enters the target computer, it collects important details about the infected system and then sends the collected data back to its operator via a remote server. After all, this is usually how backdoor infections work.
According to security news outlets, Qrypter is being used to target financial corporations and organizations all over the world. Up until the end of March 2017, this infection had hit 243 organizations, and it is only a matter of time before this number rises.
Prevention & Protection
Given these threats, it is important to educate your employees and yourself about possible prevention measures against malware infections. Needless to say, the best way to avoid them is to refrain from downloading and opening attachments from phishing emails. Also, before opening an attachment, it is a good idea to scan it with a security tool.
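As an added example (not part of the original post, and not code from any product it mentions), here is a small Python triage script that performs the attachment check described above before anyone opens the file. It parses a raw mail message, lists the attachments, records each one's size and SHA-256 hash so it can be looked up in a scanning service, and flags the combination the Swift lure relied on: a finance-themed subject line paired with an executable disguised as a document. The sample message, the lure keyword list and the extension policy are all constructed for this example; adjust them to your own environment.

```python
import email
import hashlib
from email import policy

# Constructed sample message in the style of the fake "Swift" notifications
# described above. The attachment body is a made-up 12-byte stub, not malware.
SAMPLE_EML = b"""\
From: notifications@example-bank.invalid
To: accounts@example.invalid
Subject: Urgent SWIFT transfer confirmation
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Please review the attached transfer details and confirm they are correct.

--XYZ
Content-Type: application/octet-stream; name="swift_copy.pdf.exe"
Content-Disposition: attachment; filename="swift_copy.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA

--XYZ--
"""

# Example policy (an assumption of this example, not a standard): subject words
# typical of the wire-transfer lure, and extension classes that deserve attention.
LURE_WORDS = ("urgent", "wire", "transfer", "swift")
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".jar", ".hta", ".msi"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".iso"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf"}


def lure_hits(subject: str) -> list:
    """Return the lure keywords present in the subject line, in policy order."""
    s = subject.lower()
    return [w for w in LURE_WORDS if w in s]


def assess_attachment(filename: str, data: bytes) -> dict:
    """Describe one attachment: a hash for lookup plus the reasons it looks risky."""
    exts = ["." + p for p in filename.lower().split(".")[1:]]
    findings = []
    if exts and exts[-1] in EXECUTABLE_EXTS:
        findings.append("executable file type")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
        findings.append("double extension disguised as a document")
    if exts and exts[-1] in ARCHIVE_EXTS:
        findings.append("archive whose contents were not inspected")
    if data[:2] == b"MZ":
        # Windows executables start with the 'MZ' magic whatever the name says.
        findings.append("Windows executable header (MZ) in content")
    return {
        "filename": filename,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "findings": findings,
        "verdict": "block and report" if findings else "scan before opening",
    }


def triage_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and triage its subject and attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg["subject"] or ""
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):  # text attachments come back as str
            data = data.encode("utf-8", "replace")
        attachments.append(assess_attachment(part.get_filename() or "(unnamed)", data))
    return {"subject": str(subject), "lure_hits": lure_hits(subject), "attachments": attachments}


if __name__ == "__main__":
    report = triage_message(SAMPLE_EML)
    print("Subject:", report["subject"], "| lure words:", report["lure_hits"])
    for a in report["attachments"]:
        print(f"{a['filename']}: {a['size']} bytes, sha256={a['sha256'][:16]}... -> {a['verdict']}")
        for f in a["findings"]:
            print("  -", f)
```

The verdict is deliberately coarse: anything that matches the policy is held back and reported, while everything else is still scanned rather than trusted, which mirrors the advice above that vigilance comes first and the scanner second. The SHA-256 is what you would submit to a scanning service or compare against a blocklist; the content check on the `MZ` header catches executables that have been renamed to look harmless.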
Computer security experts will always tell you to invest in a licensed antispyware tool, but the truth is that your own vigilance and safe web browsing habits might be a lot more important, because you need to prevent a RAT from ENTERING the system in the first place. Finally, if you have any questions about computer security or this type of infection, you can always leave us a comment below. We’ll be glad to tell you more!
- Sara Barker. Qrypter Remote Access Trojan targeting NZ & Australia web domains. Security Brief.
- Jay Jay. New cross-platform backdoor ‘Qrypter’ RAT gaining prominence among hackers. SC Media.
- Hyacinth Mascarenhas. Hackers using fake Swift emails to deploy Adwind RAT, steal bank credentials in new phishing scam. International Business Times.
- SearchSecurity. RAT (remote access Trojan). TechTarget.