A remote access trojan is essentially a way for someone to backdoor your systems, networks, or resources via malware. Once in place, it provides entry to malicious actors until detected and removed.
Much of the discussion around malware over the last several years has concerned itself with ransomware, which has proven to be profitable for malicious actors, but remote access trojans (RATs) are damaging in a different, and in some cases, more insidious way.
This kind of malware, once delivered as a payload and operating, essentially creates a backdoor into your systems or network, enabling unauthorized persons to access and exfiltrate data, use resources, or harm targets in often difficult-to-detect ways. The usefulness of RATs for data exfiltration and systems control makes them a tool of choice in attacking government, critical infrastructure, and intellectual property targets.
One common infection vector, as with most forms of malware today, is malicious links and payloads delivered to unsuspecting web users, who become infected and then open an avenue for dwell time and lateral movement. These links and payloads may indeed be otherwise legitimate, as is the case with (for example) scriptable document types that have become infected and are later shared within an office.
A similarly worrying infection vector for many professionals today is a form of third-party risk—RAT malware payloads delivered silently in apparently legitimate software updates that have been infected due to a breach in a provider's security.
Malware scanners are effective in detecting some RATs, but in other cases, particularly those involving RATs delivered in system libraries via legitimate update pathways, they are more likely to be missed.
Aside from malware scanning, the best way to detect RATs is through sound log correlation and analytics leveraging other cybersecurity tools. For example, a Plurilock DEFEND user with a SIEM deployment that carefully correlates network connections to particular sets of hands on keyboards around the network can spot RATs by noting those connections that don't belong to internal services or to particular known users.
These "unknown" connections should be investigated quickly, as they could be evidence of RATs.
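The correlation described above, as an added example that is not Plurilock's or any SIEM vendor's code: each outbound connection is labelled as known internal-service traffic, as attributable to a user who had an interactive session on that host at that time, or as UNKNOWN. The allowlist, session records and connection log are all constructed.

```python
# Added example, not Plurilock's code: a small correlation routine that labels each
# outbound connection as internal-service traffic, traffic attributable to a user who
# had an interactive session on the host at that time, or UNKNOWN. All data is constructed.
from datetime import datetime

# Constructed allowlist of (ip, port) pairs belonging to internal services.
KNOWN_SERVICES = {("10.0.0.5", 443), ("10.0.0.9", 389)}

# Constructed interactive-session records from authentication logs:
# (host, user, login time, logout time).
SESSIONS = [
    ("ws-17", "alice", "2024-03-01 08:55", "2024-03-01 17:10"),
    ("ws-22", "bob",   "2024-03-01 09:02", "2024-03-01 16:40"),
]

# Constructed connection records: time|host|dest_ip|dest_port|process
CONN_LOG = """\
2024-03-01 10:15|ws-17|10.0.0.5|443|outlook.exe
2024-03-01 10:30|ws-17|203.0.113.40|443|chrome.exe
2024-03-01 23:45|ws-22|198.51.100.7|8443|svchost.exe
2024-03-01 11:05|ws-22|10.0.0.9|389|lsass.exe
"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def user_at_keyboard(host, when):
    """User with an interactive session on host covering time when, else None."""
    for h, user, start, end in SESSIONS:
        if h == host and parse_ts(start) <= when <= parse_ts(end):
            return user
    return None

def classify_connections(log_text):
    """Attribute each connection; returns (host, dest, port, process, label) tuples."""
    results = []
    for line in log_text.splitlines():
        when, host, ip, port, proc = line.split("|")
        if (ip, int(port)) in KNOWN_SERVICES:
            label = "internal-service"
        else:
            user = user_at_keyboard(host, parse_ts(when))
            label = f"user:{user}" if user else "UNKNOWN"
        results.append((host, ip, int(port), proc, label))
    return results

def unknown_connections(log_text):
    """Connections to investigate: not a known service and nobody at the keyboard."""
    return [r for r in classify_connections(log_text) if r[4] == "UNKNOWN"]

if __name__ == "__main__":
    for r in unknown_connections(CONN_LOG):
        print("investigate:", r)
```

In the constructed data only the late-night connection from ws-22, made while no user session covered that host, is left UNKNOWN; the daytime external connection from ws-17 is attributed to alice's session.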
A Remote Access Trojan, or RAT, is a type of malware that, when installed on a computing system, enables a remote attacker to surreptitiously access the system, its resources, and its data. Remote access trojans are a subset of a larger category of malware known as "trojan horses," so named because they are installed either in secret or under false pretenses or misdirection for the purpose of enabling security protections to be defeated and the system to be taken over.