Over the past five years, there have been a wide variety of Remote Access Tools, or “RATs” – the term for sneaky programs that can hide themselves, drop files on hosts, create services, detect sandboxes or antivirus software, and self-delete to further confuse protection mechanisms.
Ultimately, these are being used more and more for data theft and exfiltration, not for disruption or destruction.
In this video, we demonstrate CylancePROTECT® vs. FF-Rat malware:
VIDEO: CylancePROTECT vs. FF-Rat Malware
Background and Timeline
FF-RAT has been around for over five years and, as is the case with more advanced targeted attack tools, its ability to hide and pivot makes it an excellent tool for secret data theft, rather than ransomware. Of course, excellent tools for data theft are bad news for those playing defense, so we wanted to do a quick dive into those tools.
This technical writeup from our Threat Guidance team does a deeper dive and is absolutely worth a read.
How Is FF-RAT Delivered? What Does It Do?
FF-RAT can be delivered in similar methods to other type of attacks, most often through spear phishing emails. Due to the targeted attack vector, bad actors (many state-funded) want to be precise to make use of network details (obtained through similar or alternative attacks), user information (stolen credentials), and location of valuable information.
Generally speaking, FF-RAT doesn’t actually display any visible warning of harm to the user. There is no popup, warning, or ransomware notice, which we often see in malware and other forms of ransomware.
Rather, the RCoResX64.dat file (DLL) is a backdoor that allows the attacker(s) to run whatever code they want on the infected machine, without any warning to the user/victim.
It’s a backdoor dropper, with the following features:
- Import functions used to raise exceptions (Read more...)
This is a Security Bloggers Network syndicated blog post authored by The Cylance Team. Read the original post at: Cylance Blog