DeepSec Talk 2024: RAT Builders – How to Catch Them All – Stephan Berger
Cybercriminals now have unprecedented ease in creating their own remote access trojans (RATs), thanks to a plethora of open-source or leaked builders. One can generate a new binary with just a click of a button. We meticulously examine different builders, such as AgentTesla, DCRat, Nanocore, and others, to extract Indicators of Compromise. These indicators serve as valuable instruments for targeted hunting to detect infections within our networks. Building on my research from last year, “N-IOCs to rule them all”, we will analyze the binaries the same way, but this time with a focus on open-source builders for RATs.
Initially, we scrutinize the distribution channels of different Trojans, pinpointing where individual builders are accessible for download. These sources range from GitHub, hosted as open-source projects, to other online platforms (such as VX-Underground). Subsequently, we delve into a detailed examination of each Trojan, investigating the diverse infection sources, the persistence locations, the methods employed for establishing connections with the C2 server, and the array of functionalities embedded within the RATs (with the help of the open-sourced or leaked builder).
This focused analysis of individual Trojans equips us with the capability to identify precise Indicators of Compromise (IOCs) essential for monitoring or conducting targeted hunting within our networks, learning more about the various RATs, and how to fight against them.
We asked Stephan a few more questions about his talk.
Please tell us the top 5 facts about your talk.
- Explore how open-source and leaked builders have made it simple for cybercriminals to generate remote access trojans (RATs) with minimal effort.
- In-depth analysis of builders like AgentTesla, DCRat, and Nanocore, focusing on extracting Indicators of Compromise (IOCs).
- Investigate where these RAT builders are accessible, from GitHub to various online platforms.
- Examine infection sources, persistence mechanisms, C2 communication methods, and functionalities of different RATs.
- Examine RATs as a collective to identify distinct IOCs for better network monitoring and targeted hunting.
How did you come up with it? Was there something like an initial spark that set your mind to create this talk?
Last year at the FIRST Conference in Montreal, I presented my talk “N-IOCs to Rule Them All”, where I examined different malware families to come up with an intersection of IOCs for these malware strains. The same idea is actually behind this research: Which IOCs are the same for a large part of the remote access trojans – so that we can cover and detect as many RATs as possible with as few alerts and effort for SOC and security analysts as possible. See the accompanying blog post here: https://dfir.ch/posts/n-iocs/
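The “intersection of IOCs” idea above, as an added illustration that is not part of the interview or of Stephan’s research: a greedy set-cover pass over a family-to-indicator matrix picks the few indicators that detect the most families. The mapping below is constructed for the example (the family names come from the talk, the indicator assignments are invented placeholders, not analysis results).

```python
from itertools import chain

# Constructed, illustrative mapping of RAT family -> behavioural indicators.
# The indicator assignments are invented for this example and are NOT findings.
FAMILY_IOCS = {
    "AgentTesla": {"ioc_startup_folder", "ioc_smtp_exfil", "ioc_browser_cred_access"},
    "DCRat":      {"ioc_startup_folder", "ioc_schtask_persist", "ioc_http_beacon"},
    "Nanocore":   {"ioc_run_key", "ioc_schtask_persist", "ioc_tcp_beacon"},
    "FamilyD":    {"ioc_run_key", "ioc_http_beacon"},
    "FamilyE":    {"ioc_startup_folder", "ioc_tcp_beacon"},
}


def ioc_prevalence(family_iocs):
    """Count in how many families each indicator appears (the 'intersection' view)."""
    counts = {}
    for iocs in family_iocs.values():
        for ioc in iocs:
            counts[ioc] = counts.get(ioc, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


def greedy_cover(family_iocs, max_alerts=None):
    """Greedy set cover: repeatedly pick the indicator that detects the most
    still-uncovered families. Returns (ordered chosen indicators, uncovered families)."""
    uncovered = set(family_iocs)
    chosen = []
    all_iocs = sorted(set(chain.from_iterable(family_iocs.values())))
    while uncovered and (max_alerts is None or len(chosen) < max_alerts):
        best, best_hit = None, set()
        for ioc in all_iocs:  # sorted so ties resolve deterministically
            hit = {f for f in uncovered if ioc in family_iocs[f]}
            if len(hit) > len(best_hit):
                best, best_hit = ioc, hit
        if not best_hit:
            break
        chosen.append(best)
        uncovered -= best_hit
    return chosen, uncovered


def coverage(family_iocs, alerts):
    """Families that trigger at least one of the given alerts."""
    return {f for f, iocs in family_iocs.items() if iocs & set(alerts)}


if __name__ == "__main__":
    alerts, missed = greedy_cover(FAMILY_IOCS)
    print("alerts:", alerts, "uncovered:", missed)  # two alerts cover all five families
```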
Why do you think this is an important topic?
Not only ordinary criminals but also various APTs use remote access Trojans, either as initial access or in the further course of the kill chain, for example, to create persistent access to the network. By analyzing various remote access Trojans, we can derive better indicators that we can in turn look for in our networks and also build alerts for them.
Is there something you want everybody to know – some good advice for our readers, maybe?
As my last talk “N-IOCs to Rule Them All” showed (see point 2 in this interview), 10 good alarms are enough to find a large proportion of classic malware. The same principle applies here – as a defender or security analyst, you can get valuable information from my talk that can be used for tuning or creating new alerts to find or block even more targeted malware and RATs in the network.
A prediction for the future – what do you think will be the next innovations or future downfalls in your field of expertise / the topic of your talk in particular?
With artificial intelligence such as ChatGPT, it has become easier for criminals to create malicious code such as a dropper or an evasion method, for example. It’s not necessary for attackers to have in-depth programming knowledge. The hurdle for attackers is getting lower and lower. Software like ChatGPT could probably help to incorporate new features or to better camouflage the software against AV solutions or EDR products.
On the other hand, with easy access to the source code and RAT builders, we as defenders also have the opportunity to study the techniques and thus take better countermeasures, as shown in this talk.
Stephan Berger has been involved in IT security for more than a decade, currently working for over three years at the Swiss security firm InfoGuard, where he oversees the Incident Response Team. He is an active presence on Twitter with the handle @malmoeb, holds a Bachelor’s degree in Computer Science and a Master’s degree in Engineering, and possesses multiple SANS certifications along with the OSCP credential.