Basic Knowledge

Remote Access Trojan



May 24, 2023

Remote Access Trojan: A Threat In Disguise


  • A remote access trojan is designed to get administrative access to the target system.
  • Most common types of remote access trojan are: Kjw0rm, Sakula, Havex, and Dark Comet.
  • Signs of remote access trojan presence are: the device keeps lagging and crashing, websites become unresponsive, and antivirus software malfunctions.

    What is a Remote Access Trojan (RAT)?

    A remote access Trojan (RAT) is a type of malware that gives the perpetrator administrative access to the target system, including keyboard control and access to documents and network resources. RATs are usually downloaded together with a legitimate program, without the victim’s knowledge.

    A RAT can be deployed as a malicious payload using toolkits such as Metasploit. After penetrating the system successfully, the RAT connects directly to the command-and-control (C&C) server, which gives the attackers full control of the device.

    How Does a Remote Access Trojan Work?

    A RAT usually operates in disguise as a reliable remote access app. The hacker will first trick the user into downloading the RAT through an email attachment or a seemingly official program. Once installed successfully, the RAT takes administrative control over your system. Because the RAT has full control, the attacker can do almost anything on the target device, for instance:

  • Retrieve, alter, or remove files and file systems
  • Track system activities, passwords, and user behavior via spyware and keyloggers
  • Initiate the system’s microphone and webcam without the user’s permission
  • Capture screenshots and send them to C&C server
  • Spread malicious software and programs
  • Edit the system drives
  • Collect user sensitive information namely bank account details and identity information

    Why are Remote Access Trojans Dangerous?

    RATs are difficult to detect because they function similarly to legitimate programs. Furthermore, cyber criminals can control how many system resources a RAT consumes, making it even more challenging to track.

    Since RATs have administrative control over the system, they can do almost anything on the victim’s computer. RATs can pose the following threats on your device and system.

    Leaking sensitive personal information

    After installing a RAT on your computer successfully, the attacker can gain access to the camera and microphone. The attacker can then use the photos and videos captured to blackmail the victim.

    Remote file storage

    Attackers can use RATs to store illegal content on other people’s devices. This helps them stay under the authorities’ radar: the attacker’s storage cannot simply be shut down, because the data sits on devices owned by legitimate users.

    Crypto Mining

    Attackers can use RATs to take advantage of other devices’ resources to mine Bitcoin or other cryptocurrencies. By doing this, they can earn more by spreading their mining workload across many machines.

    DDoS attacks

    When RATs are deployed on many user devices, the attackers can use those devices to flood a target server with fake traffic. When a site is overwhelmed with incoming fake traffic, the result is a denial of service to real traffic. Users will have difficulty finding out that their devices are being used for DDoS attacks.

    Compromising public systems

    Cyber criminals can take over large-scale public systems such as water and electricity systems, causing widespread damage to many activities and disrupting critical services to multiple areas.

    Common Types Of Remote Access Trojans

    There are plenty of types of RATs you need to look out for. Here are the most common ones.

    Kjw0rm

    Kjw0rm is a worm written in VBScript (VBS), which makes its presence difficult to identify. It can also avoid detection by antivirus software through obfuscation. It is deployed under the radar, then opens a backdoor that allows the attackers to take complete control of the device and send the illegally collected data to the C&C server.

    Havex

    Havex is a RAT specifically designed to target industrial control systems. Through Havex, the attackers gain administrative control over the industrial systems. The dangerous thing about Havex is its ability to change its form flexibly to avoid detection.

    Sakula

    Sakula looks like legitimate software, yet underneath that cover it takes full control of the victim’s computer. Sakula communicates with its control servers using unencrypted HTTP requests. It is usually deployed together with password stealers to authenticate using a pass-the-hash technique: it reuses operating system authentication hashes to hijack existing login sessions.

    Agent.BTZ/ComRat

    Agent.BTZ/ComRat is a type of RAT targeting industrial control systems. It is deployed via phishing attacks. Agent.BTZ/ComRat uses many methods, such as encryption, anti-analysis and anti-forensic techniques, to avoid detection. It provides full administrative control over the attacked device and can send the collected data back to its C&C server.

    Dark Comet

    Dark Comet was first discovered in 2011 and is still widely used. It takes full administrative control over the target machines and has the ability to disable Task Manager, the firewall, and User Account Control (UAC) on the Windows operating system. Dark Comet can elude detection by antivirus software using encryption.

    AlienSpy

    AlienSpy is a RAT targeting Apple OS X and macOS platforms specifically. It detects and collects data about the target system, gains access to the webcam and microphone, and securely connects to the C&C server to transmit the data collected. AlienSpy uses anti-analysis techniques to identify potential targets to attack.

    Sub7

    Sub7 operates in a client-server model. The server is deployed on a target device, and the client is a graphical user interface used by the attacker to control the system anonymously and remotely. Once installed successfully into the Windows directory, Sub7 enables webcam capture and chat data collection, and provides a registry editor that the attackers can use remotely.

    Back Orifice

    Back Orifice is a remote access program for Windows. This type of RAT is deployed as a server on the target system, and a graphical client operated by the attacker takes full control over the system. It can be used to control multiple computers simultaneously.

    Heseber BOT

    The Heseber BOT is built on VNC, a traditional remote access tool. It controls the targeted machine remotely and transmits the collected data to the C&C server. However, it does not grant the attacker administrative control over the device unless the user permits it. Because VNC is a legitimate tool, Heseber usually cannot be detected by antivirus software.

    Signs of Remote Access Trojan Presence

    Even though RATs are difficult to detect, even for trained eyes, there are warning signs that you can watch out for:

  • Unfamiliar files:
  • Lagging and crashing:
  • Antivirus software malfunction:
  • Website unresponsiveness:
  • Webcam used abnormally:

    Protection

    Prevention is better than cure. Here are some ways that you can get your guard up and defend yourself against RATs.

    Look For Application Unusual Behavior

    RATs can disguise themselves as legitimate applications and deploy malicious functionality through a real application. You can try to detect RATs by monitoring programs for unusual behavior. For instance, notepad.exe generating network traffic would be unusual activity.
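    The check described above, process-to-network correlation, written out as an added example (this is not CyStack’s code and not any product’s logic). It assumes an inline list of constructed process-network events modelled on the fields an EDR or Sysmon network-connection log would provide; in practice the events would come from that log, and the baseline would be built from your own environment.

```python
"""Flag processes that open network connections they have no business opening.

Added example, not from the original article. Three cases are covered:
  1. a binary that should never talk to the network (e.g. notepad.exe),
  2. a process whose image path is not in the environment's baseline,
  3. a baseline process *name* running from an unexpected path (masquerading).
All paths, IPs and events below are constructed for the example.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class NetEvent:
    image: str       # full path of the process image that opened the connection
    dest_ip: str
    dest_port: int

# Assumed baseline: image paths that legitimately make outbound connections here.
NETWORK_BASELINE = {
    r"c:\program files\mozilla firefox\firefox.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\microsoft office\root\office16\outlook.exe",
}
# Assumed list of binaries that have no network role at all.
NEVER_NETWORK = {"notepad.exe", "calc.exe", "mspaint.exe"}

def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]

def classify(event):
    """Return a reason string if the event is suspicious, else None."""
    path = event.image.lower()
    name = basename(path)
    if name in NEVER_NETWORK:
        return "binary with no network role opened a connection"
    if path in NETWORK_BASELINE:
        return None
    if name in {basename(p) for p in NETWORK_BASELINE}:
        return "baseline process name running from an unexpected path"
    return "process not in the network baseline"

def find_suspicious(events):
    """Return [(event, reason)] for every event that classify() flags."""
    return [(ev, classify(ev)) for ev in events if classify(ev) is not None]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    NetEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe", "198.51.100.7", 443),
    NetEvent(r"C:\Windows\System32\notepad.exe", "203.0.113.10", 443),
    NetEvent(r"C:\Users\bob\AppData\Roaming\svchost.exe", "203.0.113.10", 8080),
    NetEvent(r"C:\Users\bob\Downloads\invoice_viewer.exe", "203.0.113.10", 443),
    NetEvent(r"C:\Windows\System32\svchost.exe", "198.51.100.20", 80),
]

if __name__ == "__main__":
    for ev, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"{ev.image} -> {ev.dest_ip}:{ev.dest_port}: {reason}")
```

    The third case matters most in practice: a RAT that names itself svchost.exe but runs from a user-writable directory passes a name-only check, so compare full paths, not file names.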

    Apply Prevention Methods

    RATs are only a threat if they are installed and deployed successfully on a target system. Using secure browsing and anti-phishing solutions, and scanning your systems regularly, makes it harder for RATs to infect your system.

    Deploy Multi-Factor Authentication

    RATs can collect passwords and usernames using keyloggers. By enabling multi-factor authentication, you can add a layer of protection in case the attacker has your personal data and information.

    Implement The Principle Of Least Privilege

    In information security, the principle of least privilege means a user or an entity should have access only to the data, resources, and permissions needed to complete the required tasks, and nothing extra. By implementing least privilege, organizations can reduce the attack surface and the risk of malware spreading.

    Monitor Network Traffic

    A RAT deployed on a local device will exchange information with a remote command-and-control (C&C) server repeatedly, which results in an unusual increase in network traffic. Keep an eye out for a rise in network traffic and use web application firewalls to monitor and block communication with the C&C server.
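    One concrete way to spot the repeated C&C exchanges described above is to look for beaconing: connections from one host to one destination at near-constant intervals. The following is an added example (not CyStack’s code) that scores each source/destination/port triple by how regular its connection timing is, using a constructed set of flow records; it assumes timestamps in seconds and uses documentation IP ranges for the sample.

```python
"""Detect beacon-like traffic in flow records by timing regularity.

Added example, not from the original article. A (src, dst, port) triple is
reported when it has at least `min_connections` flows and the coefficient of
variation (stdev / mean) of the gaps between them is below `max_cv`. Human
browsing produces bursty, irregular gaps; a RAT polling its C&C server on a
timer produces gaps that are almost identical.
"""
from collections import defaultdict
from statistics import mean, pstdev

def find_beacons(flows, min_connections=6, max_cv=0.15):
    """flows: iterable of (timestamp_seconds, src_ip, dst_ip, dst_port).

    Returns a list of dicts describing each beacon candidate."""
    by_triple = defaultdict(list)
    for ts, src, dst, port in flows:
        by_triple[(src, dst, port)].append(float(ts))

    beacons = []
    for (src, dst, port), times in by_triple.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({
                "src": src, "dst": dst, "port": port,
                "count": len(times),
                "period_s": round(avg, 1),
                "cv": round(cv, 3),
            })
    return beacons

# Constructed flow records (timestamp in seconds, src, dst, dst_port).
# 203.0.113.10 is contacted roughly every 60 s with small jitter: a beacon.
# 198.51.100.7 is contacted in irregular bursts: ordinary browsing.
# 198.51.100.20 is contacted only three times: too few to judge.
SAMPLE_FLOWS = [
    (0, "10.0.0.5", "203.0.113.10", 443), (61, "10.0.0.5", "203.0.113.10", 443),
    (119, "10.0.0.5", "203.0.113.10", 443), (181, "10.0.0.5", "203.0.113.10", 443),
    (240, "10.0.0.5", "203.0.113.10", 443), (299, "10.0.0.5", "203.0.113.10", 443),
    (361, "10.0.0.5", "203.0.113.10", 443), (420, "10.0.0.5", "203.0.113.10", 443),
    (5, "10.0.0.5", "198.51.100.7", 443), (9, "10.0.0.5", "198.51.100.7", 443),
    (140, "10.0.0.5", "198.51.100.7", 443), (141, "10.0.0.5", "198.51.100.7", 443),
    (300, "10.0.0.5", "198.51.100.7", 443), (700, "10.0.0.5", "198.51.100.7", 443),
    (702, "10.0.0.5", "198.51.100.7", 443), (1500, "10.0.0.5", "198.51.100.7", 443),
    (30, "10.0.0.5", "198.51.100.20", 80), (31, "10.0.0.5", "198.51.100.20", 80),
    (32, "10.0.0.5", "198.51.100.20", 80),
]

if __name__ == "__main__":
    for b in find_beacons(SAMPLE_FLOWS):
        print(f"{b['src']} -> {b['dst']}:{b['port']} every ~{b['period_s']}s "
              f"({b['count']} flows, cv={b['cv']})")
```

    On real traffic, tune `min_connections` and `max_cv` against a baseline and exclude known periodic clients (update checks, NTP, monitoring agents) before alerting, otherwise those legitimate timers will dominate the results.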

    Secure Remote Access Solutions

    Each endpoint that connects to your network can be seen as a potential entry point for RATs. To mitigate such attacks, organizations should only allow remote access through virtual private networks (VPNs) to maximize the security level. Furthermore, you can opt for a clientless remote access solution that does not require additional plugins or software on end-user devices, as those could be prime targets for attackers.

    Raise Awareness About Security

    Human error is usually the root cause of security incidents, and RAT infections are no exception. Employees could open malicious links or download unknown file attachments and accidentally install trojan programs. To prevent this, organizations need to run training sessions or send awareness emails to educate employees about information security.

    Strict Control Procedures

    Applying stricter control procedures will reduce the risk of an attacker getting access to sensitive data and using it to deploy RATs. Some examples of stricter controls are two-step verification, more secure firewall configurations, whitelisting the IP addresses of authorized users, and using more advanced antivirus software.

    Zero-Trust Security Technologies

    Zero-trust is a security framework that requires all users to authenticate and be verified before getting access to applications or data. Applying a zero-trust approach is crucial to mitigating RAT attacks because it reduces the attack surface and limits cyber criminals’ access to the organization’s confidential information.

    Final thoughts

    A remote access Trojan can be a serious threat because it can gain administrative control over your systems and devices. Prevention is always better than a cure. Organizations should be more cautious and adopt more advanced technologies to cope with potential threats in general and RATs in particular.
