- Jun 9, 2013
A more sophisticated technique for deploying remote access trojans (RATs) has been observed, used by a handful of countries across Asia.
According to SentinelOne analysis, nation-state attackers have been successfully deploying RATs for years to remotely control user systems, giving them full access to the victim’s files or resources such as cameras, recording keystrokes or downloading further malware. Traditionally, RATs have been deployed when a user opens an email attachment or downloads a file from a website or peer-to-peer network. In both cases, these vectors involve the use of files to deliver the payload, which are easier to detect.
The new technique ensures that the payload/file remains in memory throughout its execution, never touching the disk in a decrypted state.
“In doing so, the attacker can remain out of view from antivirus technologies, and even ‘next-generation’ technologies that only focus on file-based threat vectors,” said SentinelOne. “Also, the samples analyzed have the ability to detect the presence of a virtual machine to ensure it’s not being analyzed in a network sandbox.”
The technique can be used to deliver any known RAT to a victim’s system.
Earlier in the year, a multi-pronged attack campaign involving various government websites and non-governmental organizations in Asia was uncovered, using a RAT named ‘Trochilus.’ That campaign was driven by East Asian threat actors.
Full article: Nation-State RAT Attack Vectors Get Smarter
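Because the payload described above executes only from memory and never reaches disk in decrypted form, file-scanning defenses have nothing to inspect; the detection opportunity moves to the memory layout of running processes. The following is an added illustration of that defender-side heuristic and is not code from SentinelOne or from the article: it parses a constructed, assumed `key=value` listing of process memory regions (the format, process names and addresses are made up for this example) and flags executable regions that are not backed by any file on disk, rating writable-and-executable regions higher.

```python
"""Flag executable memory regions with no file backing (fileless-payload heuristic).

Added example with constructed sample data; the telemetry format is an assumption
made for this illustration, not the output of any particular tool.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Region:
    pid: int
    process: str
    start: int
    size: int
    prot: str      # three-character protection string such as "rwx", "r-x", "rw-"
    backing: str   # path of the mapped file, or "" for anonymous/private memory


# Constructed sample telemetry (not real data). Two regions are suspicious:
# an rwx region in pid 3320 and an r-x region in pid 4412, neither backed by a file.
SAMPLE_REGIONS = """\
pid=1204 proc=explorer.exe start=0x7ff6a0000000 size=0x20000 prot=r-x backing=C:\\Windows\\explorer.exe
pid=1204 proc=explorer.exe start=0x000002a4c0000 size=0x10000 prot=rw- backing=
pid=3320 proc=svchost.exe start=0x000001e900000 size=0x80000 prot=rwx backing=
pid=3320 proc=svchost.exe start=0x7ffb1c000000 size=0x30000 prot=r-x backing=C:\\Windows\\System32\\ntdll.dll
pid=4412 proc=winword.exe start=0x000001f200000 size=0x40000 prot=r-x backing=
"""


def parse_regions(text: str) -> List[Region]:
    """Parse one region per line from the assumed key=value format."""
    regions: List[Region] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(token.split("=", 1) for token in line.split())
        regions.append(
            Region(
                pid=int(kv["pid"]),
                process=kv["proc"],
                start=int(kv["start"], 16),
                size=int(kv["size"], 16),
                prot=kv["prot"],
                backing=kv["backing"],
            )
        )
    return regions


def flag_unbacked_executable(regions: List[Region]) -> List[Dict[str, object]]:
    """Return findings for executable regions that map no file on disk.

    A region that is both writable and executable is rated "high" because it
    is what an in-memory loader needs to write a decrypted payload and then run
    it; a read-only executable region with no backing file is rated "medium".
    """
    findings: List[Dict[str, object]] = []
    for r in regions:
        if "x" not in r.prot or r.backing:
            continue  # not executable, or legitimately backed by a file
        severity = "high" if "w" in r.prot else "medium"
        findings.append(
            {
                "pid": r.pid,
                "process": r.process,
                "start": f"0x{r.start:x}",
                "size": r.size,
                "prot": r.prot,
                "severity": severity,
            }
        )
    return findings


if __name__ == "__main__":
    for finding in flag_unbacked_executable(parse_regions(SAMPLE_REGIONS)):
        print(finding)
```

Treat the output as a triage signal rather than a verdict: JIT compilers (browsers, .NET, Java) also create unbacked executable memory, so in practice the heuristic is paired with a per-process allow-list and with checks such as whether the region holds a PE header or whether the process has a parent it should not.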