Varonis debuts trailblazing features for securing Salesforce. Learn More

Varonis named a Leader in The Forrester Wave™: Data Security Platforms, Q1 2023

Read the report

Penetration Testing Explained, Part II: RATs!

3 min read
Published September 30, 2015
Last updated June 30, 2022

Remote Access Trojans or RATs are vintage backdoor malware. Even though they’ve been superseded by more advanced command-and-control (C2) techniques, this old, reliable malware is still in use. If you want to get a handle on what hackers are doing after they’ve gained access, you’ll need to understand more about RATs.

A RAT’s Tale

RATs came on the scene in the late 1990s or early aughts, and may have been first used as administrative tools—hence its other name, Remote Administrative Tool. But it quickly evolved backdoor capabilities and became stealthier and deadlier.

BO2K, SubSeven, and Netbus are just a some early examples of RATs  — see this Microsoft TechNet article for a complete rundown. RATs are well understood and documented, and anti-virus software can spot the RAT’s signature.

So why look at them?

RATs let you upload or download files, run commands, capture keystrokes, take screen images, and examine file hierarchies. RATs may be the first foothold hackers have on a target system before they upload other malware and APTs.

It’s also a good introduction for those who want to understand what hackers are up to.

Sure there are more formal ways to perform post-exploitation through Metasploit and its Meterpreter, but all the basic techniques can be found in RATs.

The RAT Laboratory

Real pen testers set up their own separate laboratories to isolate toxic malware. But you can do some of this on the cheap with virtual machines.

And that’s the approach I took with MEPTL – the Metadata Era Pen Testing Lab – that’s now taking up space on my MacBook.

I used Oracle’s VirtualBox as the virtual container environment for the client side. To simulate a remote target, I took advantage of an old account I had with Amazon Web Services to set up a virtual Windows Server 2008.

The hard part was finding the malware while wandering around sinister-looking sites, and getting past various anti-malware filters in browsers and on laptops. Note to Varonis IT Security: our anti-virus software is up to date!

If you’re so inclined, you can browse for RATware.

The RAT Maze

In the wild, the server side of the RAT is often embedded in wrappers so they look like ordinary files, and then sent as a phish mail attachment. This technique is still effective. Another possibility is the hacker has guessed or brute forced a password and then manually installs the RAT.

In either case, once the RAT server is running, the attacker doesn’t have to be formally logged in.rat-vm

For my purposes, I infected an Amazon virtual machine with the server-side of a Netbus RAT by simply uploading the executable and running it. The client side was isolated in my VirtualBox.

What does a RAT client dashboard look like?

You’re given a few key RAT functions  — see the graphic — to help you start exploring the target system. The Netbus file manager lets you view the remote directory hierarchy. There’s also a screen shot function for peeking over the victim’s shoulder.

For kicks, I turned on the key logger.

You begin to realize the possibilities. If the RAT server-side had found a home on say, a CEO’s laptop, the attacker would know what’s being entered into documents, Google, or internal login screens.

Key logging is quite powerful. In fact, according to the latest Verizon DBIR, it still makes the top of their attack technique list.

And Please Note

You also see some of the limitations of old-style RATs, such as Netbus. To communicate with the server part I needed to know the IP address. Of course, I had that information because I launched an Amazon VM server.

But in the real world, the attacker wouldn’t know where the server-side ended up if it were attached to a phish mail.

To handle this, RAT developers then added the ability for the server to open IRC chat sessions or even send an email with the IP address back to the attacker. That’s one solution — there are others that we’ll look into.

So you’re thinking that a good perimeter defense would be helpful in blocking RATs?

That’s true: if I had not disabled the firewall rules on the Amazon server, I wouldn’t have been able to communicate with the server-side RAT app.

For argument’s sake, let’s say my RAT had landed on some employee’s laptop that lives in a poorly protected network —maybe a third-party contractor to a large Fortune 500.

What are the next steps an attacker would take?

In my next post, I’ll look at a few  more tools of the trade, such as nmap, ncat, nessus, which help hackers discover and explore the new environment they’ve entered.

For IT security, the key problem is that these post-exploitation tools are not really malware since they can also be used by admins and so would not necessarily trigger virus scanning alarms.

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
Try Varonis free.
Get a detailed data risk report based on your company’s data.
Deploys in minutes.
Keep reading
DSPM Deep Dive: Debunking Data Security Myths
DSPM is the leading acronym in cybersecurity. However, the recent buzz has cluttered the meaning of data security posture management. Let's demystify it.
Speed Data: Rethinking Traditional Cybersecurity Principles With Rick Howard
Rick Howard, author, journalist, and Senior Fellow at the CyberWire, chats about his new book on rebooting cybersecurity principles with Varonis' Megan Garza.
The Benefits of Threat and Data Breach Reports
Threat and data breach reports can help organizations manage security risks and develop mitigation strategies. Learn our three pillars of effective data protection and the benefits from these reports.
Three Ways Varonis Helps You Fight Insider Threats
Insider threats are difficult for organizations to combat. Varonis’ modern cybersecurity answer uses the data security triad of sensitivity, access, and activity to combat threats.