By Arie Fred, VP of Product, SecBI

The Remote Access Trojan (RAT) can almost be considered the “legacy” tool of hackers.  The RAT is a malware program that uses a back door for administrative control over the targeted computer. As such, RATs are used for “low and slow”, prolonged, stealthy operations such as APTs. Using this malicious technique, the attackers take their time to explore the victim’s networks and assets, and then move around as quietly as possible to achieve their objectives without detection. Some APTs have been in operation for years and RATs play a crucial part in enabling attackers to access targets while avoiding detection.

While RATs have been around for quite some time now, they haven’t risen in their “popularity” among malwares, as they were considered complicated to develop and operate, demanding a high hacker skill set. But this trend has seemed to change in the past year. During the last 18 months or so, RATs have become more readily available and accessible, leading to an increase in the number of RAT victims, who are unequipped to detect and mitigate this malware threat. 

RATs are now cheap and commercially available

Two major factors contributing to the widespread use of RATs are their availability and affordability. For instance, a tool called Imminent Monitor” Remote Access Trojan (IM-RAT). IM-RAT provided cybercriminals free access to the victims’ machines. It was clever enough to bypass anti-virus and malware detection software, carry out commands such as recording keystrokes, steal data and passwords, and watch the victims via their webcams. All that could be done without the victim’s knowledge. 

All this feature-reach, field-proven, easy to use package was sold as cheap as $25 a piece. Luckily, the Australian Federal Police (AFP), with international activity coordinated by Europol and Eurojust were able to take down the RAT infrastructure and the arrest a number of the most prolific users of this Remote Access Trojan (RAT). The developer and one employee of IM-RAT were arrested in Australia and Belgium in June 2019, and the tool, which was used across 124 countries and sold to more than 14,500 buyers, is no longer available. 

In Canada, a remote access tool for admin use was found to be, in fact, a RAT. Its’ developer and business development manager, who were working from Toronto under the legal entity “Orcus Technologies” were arrested. Law enforcement agencies stated that the duo sold and aided malicious actors to install the Orcus RAT on other people’s computers, and also ran a Dynamic Domain Name Server (DDNS) service that helped the malware to communicate with infected hosts without revealing the hacker’s real IP address.

Innovative infection methods

Once cybercriminals get their hands on the RAT, they employ very creative ways to embed the malware on victims’ systems. Although, the top infection method is still via a weaponized document received by email, other methods are unfortunately gaining in popularity, such as:

  • Masquerading as the Tetris game, a hacking group used an open-source version of the 90s game Tetris to hide PyXie RAT and infect organizations. 
  • Via Facebook, a RAT named FlawedAmmyy infected military targets. Researchers found that a fake Facebook page impersonating American-Libyan military officer named Khalifa Haftar focused on content related to politics and army, also attached URLs to download files stating they are leaks from Libya’s intelligence units. That is not all, some URLs were presented as legit sites for citizens to sign up for the army.
  • The use of a fake WebEx meeting invitation. 

RATs are utilized for a multitude of nefarious uses

Once installed, hackers have complete remote control over the victim’s system, which they can abuse in many ways. Some use it to collect intelligence on military and diplomatic targets, others to obtain the personal details and payment details of hotel guests, and other hackers take control to fulfil their sexual desires via voyeurism, such as the UK man recently jailed for using RAT to spy on its victims using the webcam.


So RATs are capable, available and overly affordable to easily hack into networks. This creates a challenge for organizations who need to secure themselves against this threat. Sadly, most existing prevention mechanisms won’t be able to identify the RAT and prevent infection because RAT knows how to stay under their radar. Similarly, most endpoint security mechanisms and network/ perimeter solution won’t be much help in identifying RATS. 

SecBI’s machine-learning technology based on its cluster-analysis algorithm has and will continue to identify RAT activity patterns and alert analysts regarding its “low and slow” operation methods. Would you agree that it’s time to update your cyber defense to quickly detect and remediate “low and slow” malware?