# Remote Access Trojan (RAT)
A Remote Access Trojan (RAT) is a type of malware that gives an attacker unauthorized remote control over a victim's computer. Unlike legitimate remote administration tools, RATs are installed covertly and operate without the user's knowledge or consent.
## How RATs Work
RATs typically consist of two components:
1. **Client (attacker side)**: a control interface used by the attacker to issue commands
2. **Server (victim side)**: a payload installed on the target machine that connects back to the attacker
Once installed, the RAT establishes a connection to the attacker's command and control (C2) infrastructure. Most RATs use a reverse connection: the victim-side component initiates the outbound connection to the attacker, which perimeter firewalls that allow outbound traffic by default will not block. The attacker can then remotely control the compromised system as if they had physical access to it.
## Common Capabilities
- Keylogging and screen capture
- File system access (upload, download, delete, modify)
- Webcam and microphone activation
- Credential harvesting (passwords, tokens, session cookies)
- Execution of arbitrary commands and scripts
- Lateral movement within a network
- Persistence mechanisms (registry modifications, scheduled tasks, startup entries)
- Data exfiltration
## Delivery Methods
RATs are commonly delivered through:
- Phishing emails with malicious attachments or links
- Drive-by downloads from compromised websites
- Bundled with pirated software or cracked applications
- Exploitation of software vulnerabilities
- Trojanized packages in software supply chains (see [[Software Supply Chain Security]])
- Social engineering attacks
## Notable Examples
- **DarkComet**: widely used RAT that was eventually abandoned by its creator
- **njRAT (Bladabindi)**: popular in the Middle East, known for its simplicity and effectiveness
- **Gh0st RAT**: attributed to Chinese threat actors, used in numerous espionage campaigns
- **Emotet**: evolved from a banking trojan into a RAT and malware distribution platform
- **Quasar RAT**: open-source .NET RAT frequently repurposed by threat actors
- **AsyncRAT**: modern open-source RAT commonly distributed via phishing campaigns
## Detection and Mitigation
- Monitor for unusual outbound network connections and beaconing patterns (repeated check-ins to the same destination at near-constant intervals)
- Use endpoint detection and response (EDR) solutions
- Enforce application allowlisting (whitelisting) so that unapproved binaries cannot execute
- Keep systems and software patched and up to date
- Analyze processes for suspicious behavior (e.g., unexpected screen capture or keylogging)
- Employ network segmentation to limit lateral movement
- Use [[Software Composition Analysis (SCA)]] to detect trojanized dependencies
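The following is an added example (not part of the original page) that illustrates the beaconing heuristic behind the first mitigation above, and the reverse-connection behaviour described under "How RATs Work": a RAT that checks in to its C2 on a timer produces outbound connections whose inter-arrival intervals are unusually regular. The script groups connection-log records by (source, destination, port), computes the coefficient of variation (standard deviation divided by mean) of the intervals, and flags flows that are both frequent and regular. The log format, IP addresses, timestamps and thresholds are all constructed for the example.

```python
"""Beaconing heuristic over a connection log (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one record per line: "<ISO timestamp> <src> <dst> <dst_port>".
# Host 10.0.0.5 reaches 203.0.113.7:443 every ~60 s with only a second or two of
# jitter (timer-driven, beacon-like); host 10.0.0.8 reaches 198.51.100.20:443 at
# irregular, human-looking intervals. Neither address nor pattern is real data.
SAMPLE_LOG = """
2024-05-01T10:00:00 10.0.0.5 203.0.113.7 443
2024-05-01T10:01:00 10.0.0.5 203.0.113.7 443
2024-05-01T10:02:01 10.0.0.5 203.0.113.7 443
2024-05-01T10:03:00 10.0.0.5 203.0.113.7 443
2024-05-01T10:04:02 10.0.0.5 203.0.113.7 443
2024-05-01T10:05:00 10.0.0.5 203.0.113.7 443
2024-05-01T10:05:59 10.0.0.5 203.0.113.7 443
2024-05-01T10:07:00 10.0.0.5 203.0.113.7 443
2024-05-01T10:08:01 10.0.0.5 203.0.113.7 443
2024-05-01T10:09:00 10.0.0.5 203.0.113.7 443
2024-05-01T10:00:05 10.0.0.8 198.51.100.20 443
2024-05-01T10:00:12 10.0.0.8 198.51.100.20 443
2024-05-01T10:01:40 10.0.0.8 198.51.100.20 443
2024-05-01T10:01:41 10.0.0.8 198.51.100.20 443
2024-05-01T10:02:50 10.0.0.8 198.51.100.20 443
2024-05-01T10:08:00 10.0.0.8 198.51.100.20 443
2024-05-01T10:08:03 10.0.0.8 198.51.100.20 443
2024-05-01T10:15:00 10.0.0.8 198.51.100.20 443
2024-05-01T10:15:30 10.0.0.8 198.51.100.20 443
2024-05-01T10:16:00 10.0.0.8 198.51.100.20 443
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, port) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def find_beacons(records, min_connections=8, max_cv=0.1):
    """Flag (src, dst, port) flows whose connection intervals are suspiciously regular.

    cv = pstdev(intervals) / mean(intervals). A check-in timer yields a small cv;
    interactive, human-driven traffic is bursty and yields a large one. Both
    thresholds are illustrative starting points, not tuned production values.
    Returns {flow: {"count", "mean_interval_s", "cv"}} for each flagged flow.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, port in records:
        by_flow[(src, dst, port)].append(ts)

    flagged = {}
    for flow, times in by_flow.items():
        if len(times) < min_connections:
            continue  # too few samples to judge regularity
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue  # all connections share one timestamp; not a timer pattern
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            flagged[flow] = {
                "count": len(times),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
            }
    return flagged


if __name__ == "__main__":
    for (src, dst, port), stats in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon: {src} -> {dst}:{port} "
              f"every ~{stats['mean_interval_s']}s, cv={stats['cv']}, n={stats['count']}")
```

On the constructed data the 10.0.0.5 flow is flagged (mean interval 60 s, cv about 0.02) and the 10.0.0.8 flow is not. The heuristic is deliberately simple: a RAT that randomizes its sleep interval raises the cv, so in practice the interval statistics are one signal to combine with destination reputation, the owning process reported by EDR, TLS metadata, and the total volume transferred, and the observation window should be long enough to cover several check-ins.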
## References
- https://attack.mitre.org/techniques/T1219/
## Related
- [[Software Supply Chain Security]]
- [[Software Composition Analysis (SCA)]]
- [[Slopsquatting]]
- [[AI Skill Supply Chain Security]]