Sophisticated International RAT Campaign Discovered

Photograph of Two Rats

New findings have emerged confirming a global cybercrime campaign that involves evasive malicious RAT trojans. Cisco Talos Intelligence has released a new threat intelligence report about the campaign on January 12th, 2022 entitled “Nanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure.”

The RATs, in this case, have been confirmed to be highly sophisticated and the global campaign has been designed to be as evasive as possible so as not to be detected.

What is a RAT?

A RAT or Remote Access Trojan (also known as Remote Administration Tool) is a variant of a malicious program popular with cybercriminals, which comes in several forms. The level of obfuscation (ability to evade) also distinguishes the sophistication of RAT malware. Perhaps the most sophisticated of all are fileless RATs like the DarkWatchman.

The primary function of a RAT is to steal information from a targetted user or group of users. For a RAT to do its job, first of all, the process needs to involve a downloader for the malicious software to invade and subsequently infect the target system.

Secondly, for a RAT to work it needs a backdoor via which it can be controlled remotely by a cybercriminal administrator. Once the system has been compromised by the RAT and a backdoor has been established, the malware will begin burrowing and harvesting what it can find.

RATs are usually downloaded invisibly in the background when a user clicks on a file or link in a phishing email. Other times RATs can be disguised as legitimate software.

Furthermore, a RAT infection does not have to stop at compromising a single system, and can also lead to more wide-ranging consequences known as botnets.

Details From The Report

Details from the new Cisco Talos Intelligence report have unearthed several details about the specific types of RAT malware involved in the campaign, the timeline of the campaign, as well as the attack vectors at play. According to the report, the malicious campaign has been active since October 2021, “delivering variants of Nanocore, Netwire and AsyncRATs targeting user’s information.”

Commodity RATs

The report also revealed that commodity RATs NetwireRAT, Nanocore, and AsyncRAT are being used by the threat actor. These same RATs have been widely used in other campaigns. Commodity RATs are “packed with multiple features to take control over the victim’s environment to execute arbitrary commands remotely and steal the victim’s information” according to Cisco Talos.

Distribution of Attacks

Apparently, the victims of this campaign are distributed across Italy, Singapore, Spain, South Korea, and the U.S. Furthermore, it has been confirmed that an ‘actor’ “used complex obfuscation techniques in the downloader script.” This means that the RAT software was designed to be highly evasive at every stage of the attack.

Hosting on AWS And Microsoft Azure Servers

As far as the attack vector methods are concerned in the attack process, it appears that cloud services like Amazon Web Services and Microsoft Azure were leveraged to achieve malicious objectives.

Threat Actors Increasingly Leveraging Cloud Technologies

Cloud technologies are an evolution of data storage that offer great benefits such as instant collaboration, off-site data storage, and most importantly speed. However, cloud technology can also be exploited for malicious purposes.

As such, cybercriminals are benefitting from the cloud by “increasingly using cloud technologies to achieve their objectives without having to resort to hosting their own infrastructure.”

Attack Vector is a ZIP File in a Phishing Email

The report confirms that the initial attack vector in this RAT campaign is a ZIP file attached to a phishing (scam) email disguised as an email about an invoice document.  When unpacked, these ZIP files “contain an ISO image with a malicious loader in the form of JavaScript, a Windows batch file or Visual Basic script.” When this script is executed on the target system, it will connect to a download server to acquire the next stage “which can be hosted on an Azure Cloud-based Windows server or an AWS EC2 instance.”

A Very Capable Malware Mix

The AsyncRAT, NetwireRAT, and Nanocore trio is a formidable mix of malicious software. All three can steal information and remotely execute commands from a target system. Worse still, the Nanocore RAT can capture video and audio from a computer system via a SurveillanceEX plugin embedded in the RAT. These attributes allow for the silent theft of credentials, confidential information, and even system sabotage via ransomware attacks. The attacks also contain PowerShell RAT ‘dropper’ scripts that have been identified by other security research companies in earlier attacks (a dropper named Water Basilisk, in this case.)

Some Details Have Emerged About The Threat Actor

According to the report, even though the evasive obfuscation techniques utilized by the threat actor have managed to hide enough of the trail, it has been ascertained that “the actor registered several malicious subdomains using DuckDNS, a free dynamic DNS service.”

By using DuckDNS servers the threat actor can also quickly change IP addresses and add new subdomains. Some of the subdomains confirmed to be used in this case are e.g. asyncmoney, tdeasy, dingspread, justinalwhitedd554, and gg1592661.

Cisco Talos has also unearthed that the threat actor is operating via cloud regions designated as WestCentralUS, NorthEurope, and EastUS. The campaign is still ongoing, as far as the reports indicate and the exact threat actor behind it is yet unknown.

Cisco Talos Security Recommendations

Cisco Talos has concluded the report with security recommendations that organizations should take into account. Namely, organizations should be inspecting all connections particularly to cloud computing services for malicious traffic.

Furthermore, organizations should “deploy comprehensive multi-layered security controls” as well as “implement robust rules around the script execution policies on their endpoints.”

Most importantly, Cisco Talos notes that email security is of critical importance, as that is where the infection chain begins.

Tech researcher & communications specialist
Mirza has an education background in Global Communications, has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at VPNoverview.com, while in his free time he likes to work on documentary projects, read about sociology and write about world events.