A proof-of-concept system designed to detect remote-access Trojans (RATs) using only network data uncovered infections at companies in a variety of industries, according to a report released this week by information analysis firm Recorded Future.
Using only network scans and metadata collected between Dec. 2, 2018, and Jan. 8, 2019, Recorded Future uncovered 481 command-and-control (C2) servers used by attackers to manage computer systems compromised by 14 different families of RATs. In the report, which focused on three particular Trojans — Emotet, Xtreme RAT, and ZeroAccess — the company found nearly 20 command-and-control (C2) servers managing Emotet infections, more than 30 managing ZeroAccess infections, and nearly 70 managing xTreme RAT infections.
The detected servers only comprise a fraction of the total remote-access threat on the Internet because the technique cannot find every server, says John TerBush, senior threat researcher with the Insikt Group at Recorded Future. Still, the hundreds of C2 servers indicate a large problem, he stresses.
"There are a lot of RAT types out there that are quite successful," he says. "They can be pretty good at evading security detections through a variety of ways. They are not something that will be easy gotten rid of unless you are at the top of your game."
The detection of hundreds of C2 servers for RATs highlights the continuing threat and how far online attackers have infiltrated corporate networks. Once attackers have compromised a single system inside a network, they have a beachhead from where they can steal data, install additional functionality, or infect other systems.
"They create pivot points in your environment," TerBush says. "They can sit there and gather information from the host you are on, they can download other files, or they can use it as a pivot point for lateral movement. Some of them are simpler than others and not as useful, but there are a lot of variants with a lot of functionality."