Key Points
- Remote access trojans enable malicious actors to secretly observe or access systems
- They are delivered as a payload in any of the ways malware is typically delivered
- If not detected, unauthorized persons may have access for months or even years
- Beyond malware scanning, log correlation of various kinds is the best means of detection
A remote access trojan is essentially a way for someone to backdoor your systems, networks, or resources via malware. Once in place, it provides entry to malicious actors until detected and removed.
Quick Read
Much of the discussion around malware over the last several years has concerned ransomware, which has proven to be profitable for malicious actors, but remote access trojans (RATs) are damaging in a different and, in some cases, more insidious way.
This kind of malware, once delivered as a payload and operating, essentially creates a backdoor into your systems or network, enabling unauthorized persons to access and exfiltrate data, use resources, or harm targets in often difficult-to-detect ways. The usefulness of RATs for data exfiltration and systems control makes them a tool of choice in attacking government, critical infrastructure, and intellectual property targets.
One common infection vector, as is the case with most forms of malware today, is malicious links and payloads delivered to unsuspecting web users, who become infected and then open an avenue for attacker dwell and lateral movement. These links and payloads may otherwise be legitimate, as is the case with (for example) scriptable document types that have become infected and are later shared within an office.
A similarly worrying infection vector for many professionals today is a form of third-party risk—RAT malware payloads delivered silently in apparently legitimate software updates that have been infected due to a breach in a provider's security.
Though malware scanners are in some cases effective in detecting RATs, in other cases (particularly those involving RATs delivered in system libraries via legitimate update pathways) RATs are more likely to be missed.
Aside from malware scanning, the best way to detect RATs is through sound log correlation and analytics leveraging other cybersecurity tools. For example, a Plurilock DEFEND user with a SIEM deployment that carefully correlates network connections to particular sets of hands on keyboards around the network can spot RATs by noting those connections that don't belong to internal services or to particular known users.
These "unknown" connections should be investigated quickly, as they could be evidence of RATs.
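The correlation described above, as an added example that is not part of the original page and is not Plurilock or SIEM product code: it flags connections that match neither an allowlisted internal service nor a known user's session on the source host. The log layout, host names, user names, addresses, and allowlist are all constructed assumptions.

```python
import ipaddress
from datetime import datetime

# Constructed sample data. The field layout is hypothetical, not any product's log format.
INTERNAL_SERVICES = [("10.0.5.0/24", 443), ("10.0.9.10/32", 53)]  # (network, port)
SESSIONS = """\
2024-03-04T09:00:00 2024-03-04T17:30:00 ws-014 alice
2024-03-04T08:45:00 2024-03-04T12:10:00 ws-022 bob
"""  # start end host user: periods when a known user was verified at the keyboard
CONNECTIONS = """\
2024-03-04T10:15:02 ws-014 198.51.100.7 443
2024-03-04T10:16:40 ws-014 10.0.5.20 443
2024-03-04T03:12:55 ws-014 203.0.113.44 8443
2024-03-04T12:40:11 ws-022 203.0.113.44 8443
2024-03-04T02:00:00 ws-022 10.0.9.10 53
"""  # time source-host destination-ip destination-port

def parse_sessions(text):
    """Return {host: [(start, end, user), ...]}."""
    sessions = {}
    for line in text.splitlines():
        start, end, host, user = line.split()
        sessions.setdefault(host, []).append(
            (datetime.fromisoformat(start), datetime.fromisoformat(end), user))
    return sessions

def is_internal_service(dst, port):
    """True when the destination is an allowlisted internal service."""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(net) and port == p
               for net, p in INTERNAL_SERVICES)

def known_user(when, host, sessions):
    """Return the user whose session on this host covers the timestamp, else None."""
    return next((u for s, e, u in sessions.get(host, []) if s <= when <= e), None)

def unknown_connections(conn_text, session_text):
    """Group connections that match neither an internal service nor a known user
    by destination, so one endpoint contacted from several hosts stands out."""
    sessions, flagged = parse_sessions(session_text), {}
    for line in conn_text.splitlines():
        ts, host, dst, port = line.split()
        if is_internal_service(dst, int(port)):
            continue
        if known_user(datetime.fromisoformat(ts), host, sessions) is None:
            flagged.setdefault(f"{dst}:{port}", []).append((ts, host))
    return flagged

if __name__ == "__main__":
    print(unknown_connections(CONNECTIONS, SESSIONS))
```

On the constructed data, the external connection made while alice was at ws-014 is attributed to her, while the two connections to the same destination from hosts with no active user session are grouped for investigation.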
More to Know
RATs are Trojan Horses
RATs belong to a category of malware known as trojan horses because they arrive in disguise, either appearing to be a kind of software that they are not or hidden within software believed to be desirable, yet once inside, they embark on their actual mission, which is malicious.
RATs are Insidious Because They Hide
RATs can do their job only so long as they remain undetected, so they are engineered to be innocuous or evasive, in order to give a stranger who is well out of sight illicit access to confidential information or critical resources across global networks.

