Remote Access Trojans: how they operate and how to stop them


Every day, people use their laptops and phones for private tasks, such as online banking, and they input confidential or sensitive information, such as login details and passwords. Here is where Remote Access Trojans (RATs) come into play.

Remote access tools are helpful instruments employed initially by IT professionals as an effective way to solve computer issues remotely. However, fraudsters have unfortunately recognized the potential of this technology as a way to gain access to victims’ devices through the ‘back door’.


What are Remote Access Trojans (RATs)?

Remote Access Trojans (RATs) are authentic-looking applications containing malware that can be accidentally downloaded onto a device. Once downloaded, they provide a way in for cybercriminals which can give them administrative control over the targeted device.


What do RATs look like?

Remote Access Trojans are extremely deceptive, as they sneakily piggyback on legitimate-looking files in order to infiltrate a device. The malware can be accidentally downloaded with a user-requested program, for example, a game or an email attachment, and most RATs will leave no trace of their presence on the device.

They can quietly spy on someone for very long periods of time, which means a user could be infected for years without ever even knowing it.

Once a Remote Access Trojan has infiltrated a computer, the cybercriminal can gain remote access, monitoring or even controlling the device or the network. And once they have this access, there is no limit to what the cybercriminal can do; they have complete, anonymous control.

For example, they can use a keylogger to monitor someone’s typing, finding out passwords and sensitive security information, or look at files containing personal or confidential info. Beware – many Remote Access Trojans have the ability to ‘scrape’ saved and even cached passwords.

And, perhaps scariest of all, RATs are effectively spyware: cybercriminals can use them to secretly activate a device’s microphone or webcam – listening to or watching a user whenever they like.

As well as targeting Personally Identifiable Information (PII), criminals using a RAT also have the power to wipe an entire hard drive, download illegal content or perform embarrassing and illegal actions online through someone’s computer and in their name. Often, they will use a home network as a proxy server to commit crimes anonymously that can’t be traced back to them.


Remote Access Trojans and online banking fraud

RATs are commonly deployed by criminals attempting to commit online banking fraud. This is because they require only minimal technical know-how, meaning that pretty much anyone could hijack an online banking session.

Fraudsters often make use of a Rat-in-the-Browser (RitB), a third-generation Trojan attack that works alongside a Remote Access Trojan to hijack a session. This works when malware (i.e. a RAT) has already been downloaded onto the user’s device; it automatically alerts the attacker when the legitimate customer is logging into their online bank account.

The attacker can then remotely suspend the user’s session, open up an invisible browser on the victim’s device, and then complete a fraudulent transaction.

RitBs can also facilitate ‘Man-in-the-Middle’ attacks. Having logged in as normal, the user will think they are interacting with the bank. What’s more, the bank’s anti-fraud software will ‘think’ it is interacting as normal with the account holder.

Yet all the while, an attacker might be sitting in the middle, manipulating what both legitimate parties see at either end of the interaction. For example, when the user initiates a transfer, the attacker could change the account details of the money’s destination, or even the value of the transaction itself. They might also divert the funds to a mule account. And neither the bank nor the user notices that anything is wrong until it’s too late.


Examples of a ‘social’ Remote Access Trojan attack

Users are typically duped into downloading malware through social engineering techniques. For example, a fraudster might:

  • send an email to a victim from what appears to be a well-known and reputable company; the message will include a link or attachment which the user clicks on or opens, thereby downloading a RAT – this is an example of a spear-phishing attack
  • phone up a user posing as a representative of their bank, and claim they need the customer to download a remote access tool and then log in to their bank so the bank can carry out a ‘security check’. Fraudsters often obtain personal information about users beforehand in order to help persuade them that they are genuine
  • even ask particularly unsuspecting victims to turn off their monitor to perform a ‘reboot’, whilst the criminal carries out a fraudulent transaction behind the curtain


How to catch a Remote Access Trojan in the act

As fraudsters evolve their techniques in order to bypass banks’ security, anti-fraud solutions must also evolve in order to keep pace.

Most solutions cannot detect the presence of RATs because they rely on traditional security measures such as fingerprint validation or device authentication.

Since Remote Access Trojans hide in plain sight on the user’s legitimate device – and it is still the legitimate user who is operating the device – banks need a multi-layered approach to security if they are to counteract RATs and RATs-in-the-Browser successfully.

In addition to this, two-factor authentication (a stalwart of the new PSD2 regulation) offers limited protection, at least when it comes to RATs. For example, if the bank asks for an OTP (One Time Passcode) while the attacker attempts a fraudulent transaction, the attacker can sneakily use the legitimate user’s suspended session to procure it via the victim themselves.


Behavioral biometrics is widely recognized as being the only cybersecurity capability with the ability to detect and subsequently thwart Remote Access Trojans attacks.

This is because, as well as validating the known user device, biometrics also analyzes the user’s behavior and cognitive functions without interfering with the user experience itself.

It can dynamically profile the user behind the device using advanced machine learning algorithms to identify their unique behavioral biometric characteristics.

Through learning these behavior patterns – detecting anomalies in mouse trajectory, suspicious keyboard use or delays in the device controlling the computer – advanced behavioral biometrics can flag unexpected changes in behavior that occur mid-session, however slight or temporary.

These vital clues could signal a possible Remote Access Trojan infiltration or Account Takeover (ATO) attempt.
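To make the mid-session idea concrete, here is a small added illustration (not buguroo’s product code, and not a real behavioral-biometrics SDK) of the principle described above: learn a per-user baseline from early, trusted windows of input events, then score later windows on typing rhythm, mouse step size and pointer-sample delay, flagging any that drift well outside the profile. The event format and the synthesised sample sessions are constructed assumptions for the demo.

```python
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed event format (an assumption, not a real SDK): (timestamp_ms, kind, x, y),
# where kind is "move" for a pointer sample or "key" for a keystroke.
Event = Tuple[int, str, int, int]

def window_features(events: List[Event]) -> Dict[str, float]:
    """Summarise one slice of a session into the kinds of signal the text names:
    typing rhythm, mouse step size and the delay between pointer samples."""
    key_times = [t for t, k, _, _ in events if k == "key"]
    moves = [(t, x, y) for t, k, x, y in events if k == "move"]
    key_gaps = [b - a for a, b in zip(key_times, key_times[1:])]
    steps = [((x2 - x1) ** 2 + (y2 - y1) ** 2) ** 0.5
             for (_, x1, y1), (_, x2, y2) in zip(moves, moves[1:])]
    move_gaps = [t2 - t1 for (t1, _, _), (t2, _, _) in zip(moves, moves[1:])]
    return {"key_gap_ms": mean(key_gaps) if key_gaps else 0.0,
            "mouse_step_px": mean(steps) if steps else 0.0,
            "mouse_gap_ms": mean(move_gaps) if move_gaps else 0.0}

def build_profile(windows: List[List[Event]]) -> Dict[str, Tuple[float, float]]:
    """Per-feature mean and spread over early, trusted windows: the learned user profile."""
    feats = [window_features(w) for w in windows]
    profile = {}
    for name in feats[0]:
        values = [f[name] for f in feats]
        profile[name] = (mean(values), pstdev(values) or 1.0)  # guard constant baselines
    return profile

def score_window(profile, events: List[Event], threshold: float = 3.0):
    """Flag a later window whose features drift more than `threshold` sigmas from the profile."""
    f = window_features(events)
    z = {n: abs(f[n] - mu) / sd for n, (mu, sd) in profile.items()}
    return max(z.values()) > threshold, z

def synth_window(n: int, step_px: int, move_gap_ms: int, key_gap_ms: int) -> List[Event]:
    """Constructed sample input: n zig-zag pointer samples followed by some keystrokes."""
    events, t, x, y = [], 0, 100, 100
    for i in range(n):
        x, y, t = x + step_px, y + (step_px if i % 2 else -step_px), t + move_gap_ms
        events.append((t, "move", x, y))
    for _ in range(max(n // 4, 2)):
        t += key_gap_ms
        events.append((t, "key", x, y))
    return events

def demo() -> Tuple[bool, bool]:
    """Baseline from three trusted windows, then score a normal and a drifted window."""
    profile = build_profile([synth_window(40, s, 15 + s, 110 + 10 * s) for s in (3, 4, 5)])
    return (score_window(profile, synth_window(40, 4, 19, 148))[0],
            score_window(profile, synth_window(40, 60, 250, 40))[0])
```

In a real deployment the features, thresholds and learning would be far richer, but the shape is the same: the device is still the user’s own, so the signal has to come from how it is being driven, not from what it is.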

Posted by Asaf Jacobi

Asaf is Solutions Architects Director at buguroo. He has over a decade’s experience working with market-leading financial crime prevention vendors. His wealth of industry knowledge stems predominantly from his most recent position with IBM Trusteer, where he served as Regional Presales Manager EMEA, as well as his work with NICE Actimize, where he worked across roles including technical implementation leadership, business development, and system engineering across APAC and EMEA.
