There’s a new remote-access Trojan (RAT) sniffing around corporate systems. According to Threatpost, Israeli security firm enSilo came across the RAT inside a customer’s network, and while researchers aren’t sure how the Trojan nibbled its way through, they are certain it poses significant risk.
So far the new threat, named Moker, hasn’t been spotted anywhere else. But a combination of a sophisticated installation process and numerous attempts to deceive researchers with fake code make it a RAT worth studying. Here’s what the IT community knows so far.
RATs are a great end game for cybercriminals since they allow total control over a host system. Often, RATs aren’t the first thing on victimized machines. Instead, malware creators use phishing techniques and dubious email links as a jumping-off platform, convincing users to download small malware attachments that in turn contact host servers and let the RATs run free. Moker is different, since enSilo has never seen anything similar before and isn’t sure how the program made it onto corporate networks or where it’s sending exfiltrated data.
What do they know? Moker targets Windows machines and can bypass traditional protection methods such as antivirus solutions, sandboxing and virtual machines. Thanks to a clever exploit of the User Account Control (UAC) system, it can even override the need for admin permission to make system-level changes. The remote-access Trojan also takes step to elude capture: According to enSilo’s Senior Security Researcher Yotam Gottesman, the RAT’s detection avoidance measures “included encrypting itself and a two-step installation.”
What’s more, Moker evades analysis even after being caught by adding extraneous code and superfluous instructions designed to lead researchers in the wrong direction. Once active in a network, this RAT can sniff out data, take screenshots, record Web traffic, log keystrokes and even add new admin accounts. Put simply: It’s filthy, disease-ridden and could cause serious harm.
Bad Actors, Worse Networks?
There’s some hope on the horizon. enSilo has never seen this Trojan out in the wild and, with any luck, will reverse engineer the code enough that new versions of the same basic package won’t present so great a threat. And cybercriminals themselves may help the cause of stopping RATs in their tracks: According to eWEEK, they often “misconfigure their management nodes for commodity remote-access Trojans” by not changing default ports on the software.
More advanced attackers change the port to prevent detection, but as RATs become more common and available for free or a nominal fee, the number of home-brew attackers is on the rise. With ports left open, it’s easy for IT security pros to scan possible attack vectors, identify unique text strings and discover malicious IP addresses.
On the flip side is the Internet of Things. Silicon Republic noted that as the number of network-connected devices ramps up, so, too, does cybercriminals’ ability to cause total device failure. Attackers and security researchers have already caused Internet-enabled cars to stop mid-drive and medical drug pumps to change dosage without the approval of medical personnel.
Security firms are now starting to track massive RAT networks designed to compromise devices of all types and take complete control. With many of these devices already lacking basic security measures, something like Moker may not be necessary — the security maze is so simple that even the slowest, dumbest RATs have a chance to reach the virtual cheese.
The Moker RAT shouldn’t be surprising. As malware security advances, cybercriminals keep pace. For companies, there’s a simple takeaway: Total security is an illusion. No antivirus, sandbox or control mechanism is foolproof. They’re better used in unison, but active oversight — either in-house, from a third party or both — is necessary to catch these RATs before they memorize the maze.