A remote access trojan is one of the worst malware threats: stealthy, easily copied and highly customizable. Until now, the main defense against it has largely been the rise of powerful antivirus software. Clever cybercriminals, however, have created an attack vector that bypasses traditional antivirus protection.
Malware: The Hostile Meme
In his book The Selfish Gene, anti-theist philosopher Richard Dawkins noted that certain ideas and concepts thrive within a society while others die off. He dubbed this unit of cultural Darwinism a ‘meme’: anything that gets passed from brain to brain, like an accent, a word or a tune; anything that can be said to spread through the population in a cultural way.
Malware sits at the divide between software and meme. Hostile and intrusive, it is built to gain unauthorized access to systems by any means necessary. Since the very core of malware is its virality, the form in which it spreads is of vital importance. This was evident even in the very first piece of ‘wild’ malware, in 1982: Elk Cloner, written by 15-year-old schoolkid Rich Skrenta, infected Apple II systems. As the floppy disk’s read/write head passed over the disk, Elk Cloner would pop up a message stating that the device was infected. It ‘spread’ by Rich copying it onto a game floppy disk and passing it out to friends.
Nowadays, the sociotechnical landscape has changed. While Rich’s school friends had no antivirus and no idea, malware now resides in executables, stowed in phishing emails and trojans. The arms race between viruses and antivirus software remains tight, however, and antiviruses have grown wise to the malicious application.
How Antiviruses Work
Antivirus software spends most of its time sitting on a device, quietly scanning every file you open. Once a file is clicked on, and before it opens, the antivirus kicks in and computes the file’s signature. This is then compared against the signatures of known viruses.
This method works very well against established pieces of malware, and another layer of defense helps keep new malware out too. Heuristic detection looks not at file signatures but at the estimated behavior of a file. If anything appears suspicious or untoward, the antivirus begins the quarantining process.
The goal is to shut down any process that the file is executing – hopefully stopping the malware in its tracks.
The Trusty Trojan
Some pieces of malware can replicate themselves, much like bacteria. Trojans, however, depend on psychological tricks and repeated downloads to replicate. A traditional trojan poses as a legitimate file, attempting to deceive you into downloading and executing it yourself. Once installed, the trojan performs the action it was designed for.
For example, you may one day receive an email from a trusted friend. ‘Check out this attachment!’ it might say. But you’ve been fooled: the email is from a cybercriminal, and the file you clicked on, downloaded and opened has been noticed, and stopped, only by the antivirus.
Remote Access Trojans (RATs) are files intended to give the attacker access and control. The attacker is then empowered to do almost anything on the infected machine. A RAT provides access to confidential information including usernames, passwords, social security numbers and credit card accounts; it can hijack the system webcam and download additional payloads such as ransomware.
Trojans are almost always combined with other malware and attack vectors, playing a heavy role in a full-scale chain of attack.
How Malware Becomes Invisible
When a file fails to run, or the operating system fails to load a file, Windows records that as an event. The Windows event logs store a record of the activity on your device, and Event Viewer is how you browse them.
In an unprecedented recent case, unknown attackers delivered a RAT via the Windows event logs. First, they drove targets to a website hosting a booby-trapped download. This compressed file had two stowaway apps concealed within it: the pen-testing tools Cobalt Strike and SilentBreak. Both are used in legitimate penetration testing, deploying beacons to detect vulnerabilities in a network.
A Dynamic Link Library (DLL) file contains code and instructions for other programs to use. Unlike executable programs, DLL files can’t be run directly; they must be called upon by code that is already running.
Once they have established a presence, Cobalt Strike and SilentBreak search through the multitude of DLLs included in the malware package. Whereas old-school attack vectors demand that a file be downloaded, Cobalt and Silent simply decrypt the kernel32.dll and ntdll.dll libraries that sit on the attacker’s server. These DLLs in turn place a PowerShell script smack in the middle of the Windows event log.
Windows events are raised through a legitimate mechanism: when a program fails, the Windows operating system leaves a note of that failure with WerFault.exe. Hiding behind this false event logging, malicious code is injected via a false (but legitimate-seeming) ReportEvent() function.
Finally, the attacker writes new shellcode directly into the ReportEvent() parameter. Each chunk is only 8 KB in size; it takes one last piece of code to reassemble these into one full script, finally lending the attacker full, unrestrained access to the device and its network.
Thanks to the attacker’s reliance on DLLs rather than basic .exe files, this goes completely unnoticed by antivirus solutions. It’s also far harder to mop up after it’s been found, thanks to the incredibly stealthy spread of shellcode across a device. This left the researchers’ client completely open to further attacks, such as ransomware.
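As an added defender-side example (not from the original article or the research it describes), the following Python sketch turns the one concrete detail above, shellcode written into the event log as 8 KB chunks, into a hunting check over a batch of event records: it flags any event provider whose events carry several near-8 KB, high-entropy binary payloads, which is what encrypted code fragments look like and what ordinary text events do not. The provider names, the entropy threshold and the minimum chunk count are assumptions, and the records are constructed inline rather than read from a real log (in practice they would come from a Get-WinEvent export).

```python
import hashlib
import math
from collections import defaultdict

CHUNK_SIZE = 8 * 1024        # the article describes shellcode written in 8 KB chunks
CHUNK_TOLERANCE = 64         # assumption: allow a small header/padding difference
MIN_CHUNKS = 3               # assumption: a full payload spans several events
ENTROPY_THRESHOLD = 7.0      # assumption: encrypted/packed code is close to 8 bits per byte


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: text and zero padding score low, ciphertext scores near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_chunk(payload: bytes) -> bool:
    """A near-8 KB, high-entropy blob has the shape of one stored shellcode fragment."""
    size_ok = abs(len(payload) - CHUNK_SIZE) <= CHUNK_TOLERANCE
    return size_ok and shannon_entropy(payload) >= ENTROPY_THRESHOLD


def find_suspicious_providers(events):
    """Group chunk-like payloads by event provider; return providers with enough of them."""
    chunks = defaultdict(list)
    for ev in events:
        if looks_like_chunk(ev["data"]):
            chunks[ev["provider"]].append(ev["record_id"])
    return {prov: ids for prov, ids in chunks.items() if len(ids) >= MIN_CHUNKS}


def fake_encrypted_chunk(seed: int) -> bytes:
    """Constructed stand-in for an encrypted 8 KB fragment: deterministic but high entropy."""
    return b"".join(hashlib.sha256(bytes([seed, i % 256, i // 256])).digest()
                    for i in range(CHUNK_SIZE // 32))


# Constructed sample records with the fields a Get-WinEvent query would expose.
SAMPLE_EVENTS = [
    {"record_id": 1, "provider": "Service Control Manager", "data": b"Service started\x00"},
    {"record_id": 2, "provider": "Backup Agent", "data": b"\x00" * CHUNK_SIZE},  # big but low entropy
    {"record_id": 3, "provider": "Updater", "data": fake_encrypted_chunk(9)},    # a single chunk only
    {"record_id": 101, "provider": "ExampleProvider", "data": fake_encrypted_chunk(1)},
    {"record_id": 102, "provider": "ExampleProvider", "data": fake_encrypted_chunk(2)},
    {"record_id": 103, "provider": "ExampleProvider", "data": fake_encrypted_chunk(3)},
]
```

Running `find_suspicious_providers(SAMPLE_EVENTS)` returns only the constructed `ExampleProvider` with records 101 to 103; the zero-filled payload fails the entropy test and the lone chunk fails the count, which is why both checks are needed together.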
Protecting against this new form of RAT requires far more than a simple antimalware solution. Fileless RATs require a similarly fileless defense: one major defense is a company’s ability to cut off communication with the attacker’s server.
Web Application Firewalls (WAFs) sit at the boundary of an app, monitoring all HTTPS communication between the app and the outside world. With a strict whitelist policy in place, alongside a zero-trust architecture, a fileless RAT can be nullified, as you halt communication with the attacker’s C&C server.