A more sophisticated technique for deploying remote access trojans (RATs) has been observed, used by a handful of countries across Asia.
According to SentinelOne analysis, nation-state attackers have been successfully deploying RATs for years to remotely control user systems—giving them full access to the victim’s files or resources such as cameras, recording keystrokes or downloading further malware. Traditionally, RATs have been deployed when a user opens an email attachment, or downloads a file from a website or peer-to-peer network. In both cases, these vectors involve the use of files to deliver the payload—which are easier to detect.
The new technique ensures that the payload/file remains in memory throughout its execution, never touching the disk in a decrypted state.
“In doing so, the attacker can remain out of view from antivirus technologies, and even ‘next-generation’ technologies that only focus on file-based threat vectors,” said SentinelOne. “Also, the samples analyzed have the ability to detect the presence of a virtual machine to ensure it’s not being analyzed in a network sandbox.”
The technique can be used to deliver any known RAT to a victim’s system.
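Because the decrypted payload described above exists only in process memory, the defender's counterpart is to look in memory rather than on disk. The triage heuristic below is an added example, not code from SentinelOne or the report: it assumes a memory-forensics export of per-process regions (the `Region` field names are a hypothetical shape) and flags executable regions that have no backing file on disk, especially when they carry a PE header or RWX protection.

```python
"""Triage heuristic for in-memory-only (fileless) payloads.

Added example: runs over a constructed listing of a process's memory
regions (the shape a memory-forensics tool might export) and flags regions
that look like a payload staged in memory without a decrypted copy on disk.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Region:
    pid: int
    start: int
    protect: str               # e.g. "PAGE_EXECUTE_READWRITE" (hypothetical field)
    mapped_file: str | None    # backing file on disk; None means anonymous/private
    head: bytes                # first bytes of the region


def looks_like_pe(head: bytes) -> bool:
    # A PE image unpacked into private memory still starts with the "MZ" stub.
    return head[:2] == b"MZ"


def suspicious(region: Region) -> list[str]:
    """Return the reasons a region warrants a closer look (empty if none)."""
    reasons: list[str] = []
    if "EXECUTE" not in region.protect:
        return reasons                       # non-executable memory is out of scope
    if region.mapped_file is None:
        reasons.append("executable private (unbacked) memory")
        if looks_like_pe(region.head):
            reasons.append("PE header in anonymous memory")
    if region.protect == "PAGE_EXECUTE_READWRITE":
        reasons.append("RWX protection")
    return reasons


def triage(regions: list[Region]) -> dict[int, list[str]]:
    """Map region start address -> reasons, for regions with at least one reason."""
    return {r.start: why for r in regions if (why := suspicious(r))}


# Constructed sample listing (not real process data).
SAMPLE = [
    Region(1234, 0x00400000, "PAGE_EXECUTE_READ", r"C:\Windows\explorer.exe", b"MZ\x90\x00"),
    Region(1234, 0x01F00000, "PAGE_READWRITE", None, b"\x00\x00\x00\x00"),
    Region(1234, 0x02A00000, "PAGE_EXECUTE_READWRITE", None, b"MZ\x90\x00\x03\x00"),
    Region(1234, 0x7FFA0000, "PAGE_EXECUTE_READ", r"C:\Windows\System32\ntdll.dll", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for start, why in triage(SAMPLE).items():
        print(f"pid {SAMPLE[0].pid} region {start:#x}: {', '.join(why)}")
```

Only the anonymous RWX region carrying an "MZ" header is reported; file-backed executable modules pass. In practice the hits are then confirmed by dumping the region and comparing it against what is on disk.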
Earlier in the year, a multi-pronged attack campaign involving various government websites and non-governmental organizations in Asia was uncovered, using a RAT named ‘Trochilus.’ That campaign was driven by East Asian threat actors.
In 2015, the PlugX and EvilGrab malware was targeting government websites in Asia, using watering-hole methods involving websites operated by the government of Myanmar and associated with recent elections. Arbor Networks also uncovered a seven-piece malware and RAT cluster, dubbed the “Seven Pointed Dagger,” which offers Asian threat actors a variety of capabilities, including espionage and the means to move laterally within target networks in order to achieve more strategic access.