Penetration Testing Explained, Part II: RATs!

Published September 30, 2015
Last updated June 30, 2022

Remote Access Trojans or RATs are vintage backdoor malware. Even though they’ve been superseded by more advanced command-and-control (C2) techniques, this old, reliable malware is still in use. If you want to get a handle on what hackers are doing after they’ve gained access, you’ll need to understand more about RATs.

A RAT’s Tale

RATs came on the scene in the late 1990s or early aughts, and may have been first used as administrative tools, hence the other name, Remote Administrative Tool. But they quickly evolved backdoor capabilities and became stealthier and deadlier.

BO2K, SubSeven, and Netbus are just some early examples of RATs; see this Microsoft TechNet article for a complete rundown. RATs are well understood and documented, and anti-virus software can spot the RAT’s signature.

So why look at them?

RATs let you upload or download files, run commands, capture keystrokes, take screen images, and examine file hierarchies. RATs may be the first foothold hackers have on a target system before they upload other malware and APTs.

It’s also a good introduction for those who want to understand what hackers are up to.

Sure, there are more formal ways to perform post-exploitation through Metasploit and its Meterpreter, but all the basic techniques can be found in RATs.

The RAT Laboratory

Real pen testers set up their own separate laboratories to isolate toxic malware. But you can do some of this on the cheap with virtual machines.

And that’s the approach I took with MEPTL – the Metadata Era Pen Testing Lab – that’s now taking up space on my MacBook.

I used Oracle’s VirtualBox as the virtual container environment for the client side. To simulate a remote target, I took advantage of an old account I had with Amazon Web Services to set up a virtual Windows Server 2008.

The hard part was finding the malware while wandering around sinister-looking sites, and getting past various anti-malware filters in browsers and on laptops. Note to Varonis IT Security: our anti-virus software is up to date!

If you’re so inclined, you can browse sourceforge.net for RATware.

The RAT Maze

In the wild, the server side of the RAT is often embedded in a wrapper so that it looks like an ordinary file, and then sent as a phishing email attachment. This technique is still effective. Another possibility is that the hacker has guessed or brute-forced a password and then manually installed the RAT.

In either case, once the RAT server is running, the attacker doesn’t have to be formally logged in.

For my purposes, I infected an Amazon virtual machine with the server-side of a Netbus RAT by simply uploading the executable and running it. The client side was isolated in my VirtualBox.

What does a RAT client dashboard look like?

You’re given a few key RAT functions (see the graphic) to help you start exploring the target system. The Netbus file manager lets you view the remote directory hierarchy. There’s also a screenshot function for peeking over the victim’s shoulder.

For kicks, I turned on the key logger.

You begin to realize the possibilities. If the RAT server-side had found a home on, say, a CEO’s laptop, the attacker would know what’s being entered into documents, Google, or internal login screens.

Key logging is quite powerful. In fact, according to the latest Verizon DBIR, it still makes the top of their attack technique list.

And Please Note

You also see some of the limitations of old-style RATs, such as Netbus. To communicate with the server part I needed to know the IP address. Of course, I had that information because I launched an Amazon VM server.

But in the real world, the attacker wouldn’t know where the server-side ended up if it were attached to a phishing email.

To handle this, RAT developers then added the ability for the server to open IRC chat sessions or even send an email with the IP address back to the attacker. That’s one solution — there are others that we’ll look into.

So you’re thinking that a good perimeter defense would be helpful in blocking RATs?

That’s true: if I had not disabled the firewall rules on the Amazon server, I wouldn’t have been able to communicate with the server-side RAT app.
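For defenders, the same dependency is a detection opportunity: an old-style RAT server has to sit on a listening TCP port that is reachable from the network. The sketch below is an added example, not part of the original post. It audits `netstat -ano` output against a baseline of approved ports; the baseline, the sample output and the function name are assumptions made for illustration.

```python
import re

# Assumption: inbound TCP ports this server is expected to expose (hypothetical baseline).
APPROVED_PORTS = {135, 445, 3389}
# Commonly documented default ports of legacy RATs named in the article.
# The port is configurable, so a match is only a hint, not proof.
LEGACY_RAT_PORTS = {12345: "NetBus 1.x", 27374: "SubSeven"}

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1480
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       2964
  TCP    127.0.0.1:5939         0.0.0.0:0              LISTENING       1820
  TCP    10.0.0.12:3389         203.0.113.7:50211      ESTABLISHED     1480
  TCP    [::]:8081              [::]:0                 LISTENING       3312
  UDP    0.0.0.0:123            *:*                                    980
"""

# Matches only TCP rows in the LISTENING state; handles IPv4 and [IPv6] addresses.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
LOOPBACK = {"127.0.0.1", "[::1]"}

def audit_listeners(netstat_text, approved=APPROVED_PORTS):
    """Return network-reachable TCP listeners whose port is not in the baseline."""
    findings = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, UDP rows, established connections
        addr, port, pid = m.group(1), int(m.group(2)), int(m.group(3))
        if addr in LOOPBACK or port in approved:
            continue  # loopback-only or expected service
        findings.append({"address": addr, "port": port, "pid": pid,
                         "note": LEGACY_RAT_PORTS.get(port, "unapproved listener")})
    return findings

if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_NETSTAT):
        print(f"{f['address']}:{f['port']} pid={f['pid']} -> {f['note']}")
```

The PID in each finding is the starting point for triage: map it to a process and its binary path before deciding whether the listener belongs on the host.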

For argument’s sake, let’s say my RAT had landed on some employee’s laptop that lives in a poorly protected network, maybe a third-party contractor to a large Fortune 500.

What are the next steps an attacker would take?

In my next post, I’ll look at a few more tools of the trade, such as nmap, ncat, and nessus, which help hackers discover and explore the new environment they’ve entered.

For IT security, the key problem is that these post-exploitation tools are not really malware since they can also be used by admins and so would not necessarily trigger virus scanning alarms.
