In both April and June this year, a series of cyber attacks was conducted against the United States Office of Personnel Management (OPM). These attacks resulted in 21 million current and former Federal government employees’ information being stolen. After months of investigation, the FBI’s Cyber Task Force identified several Remote Access Tools (RATs) that were used to carry out the attack. One of the more effective tools discovered is named ‘FF-RAT’. FF-RAT evades endpoint detection through stealth tactics, including the ability to download DLLs remotely and execute them in memory only.
Hackers use RATs to gain unlimited access to infected endpoints. Once the victim’s access privilege is acquired, it is then used for malware deployment, command and control (C&C) server communication, and data exfiltration. Most Advanced Persistent Threat (APT) attacks also take advantage of RAT functionality for bypassing strong authentication, reconnaissance, spreading infection, and accessing sensitive applications to exfiltrate data. In order to mitigate these types of attacks, it is key that you have tools and methods in place for early detection. It’s important these attacks are identified in time for you to isolate infected assets and remediate issues before they spread or move to a second stage (deploying additional malware, stealing important data, acting as its own C&C server, etc.)
How this affects you
- When deploying a RAT, a hacker’s main goal is to create a backdoor to infected systems so they can gain complete control over that system.
- When a RAT is installed on your system, the attacker is then able to view, change, or manipulate data on the infected machine. This leaves you open to your, and possibly your clients’, sensitive data being stolen.
- Often, a single RAT is deployed as a pivot point to deploy additional malware in the local network or use the infected system to host malware for remote retrieval.
How AlienVault Helps
AlienVault Labs, AlienVault’s team of security researchers, continue to perform cutting edge research on these types of threats. They collect large amounts of data and then create expert threat intelligence correlation directives, IDS signatures, vulnerability audits, asset discovery signatures, IP reputation data, data source plugins, and report templates. Activity from FF-RAT can be detected through IDS signatures and a correlation rule that the Labs team has released to the AlienVault Unified Security Management (USM) platform.
[su_box title=”About AlienVault” style=”glass” box_color=”#6cc727″]AlienVault’s mission is to enable organizations with limited resources to accelerate and simplify their ability to detect and respond to the growing landscape of cyber threats. Our Unified Security Management (USM) platform provides all of the essential security controls required for complete security visibility, and is designed to enable any IT or security practitioner to benefit from results on day one. Powered by threat intelligence from AlienVault Labs and the AlienVault Open Threat Exchange—the world’s largest crowd-sourced threat intelligence network — AlienVault USM delivers a unified, simple and affordable solution for threat detection, incident response and compliance management. AlienVault is a privately held company headquartered in Silicon Valley and backed by Trident Capital, Kleiner Perkins Caufield& Byers, GGV Capital, Intel Capital, Sigma West, Adara Venture Partners, Top Tier Capital and Correlation Ventures.
AlienVault, Open Threat Exchange and Unified Security Management are trademarks of AlienVault. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies.For more information visit www.AlienVault.com[/su_box]