Remote Admin Tools (RATs): The Swiss Army Knives of Cybercrime

The cybercrime threatscape is constantly changing as hackers adapt and repurpose the use of many different types of tools and attack vectors, and a recent report by Kaspersky Lab indicates that the use of remote administration tools (RATs) has increased during 2018.

RATs are commonly developed as legitimate software suites with bundled functionalities to support system administrators and other power users. However, these toolkits are increasingly more often used for malicious purposes by cybercrime campaigns and bad actors due to their efficiency and effectiveness in compromising targeted victims.

One of the more long-standing (and open-source) remote administration tools is DarkComet, which offers a number of very useful and effective features that facilitate the take over of systems and the ability to perform a number of specific post exploit functions.

RATs like DarkComet provide significant advantages for operators as they automate and streamline post-exploitation functions as well as entrenchment. They are also considerably cheaper to operate and maintain in comparison to developing and building new tools from scratch or botnets. These tasks require a considerable level of skill and maintenance costs, whereas RATs simply need to be delivered and they can quickly be used for monetizing crime activities such as Spam, Cryptomining, or DDoS.

Additionally, RATs can level up actors with lower skill sets and enable them to perform a number of operations that would otherwise require a deeper level of expertise in operating systems and exploitations.

DarkComet RAT has been observed actively in use by both crimeware and nation-state groups across global regions -. e.g., the ongoing conflict in Syria, where it has been reportedly used as a spying tool against government opposition.

To read an in depth Threat Advisory, complete with attack data and remediation, click here.