A report by SophosLabs revealed the recent operation and evolution of RATicate, a cybercriminal group that has been attacking a wide range of companies in numerous industry sectors in Europe, the Middle East and Asia.

RAT is short for Remote Access Trojan, a type of malware that’s designed to set up your computer so that cybercriminals can send it rogue commands across the internet.

A RAT infection means that crooks can quietly instruct your computer to carry out a troublesome range of activities, including:

• Reporting back with a detailed inventory of your computer, including installed software, network connectivity and speed, configuration settings and license codes.
• Riffling through your files to search for “trophy data” that’s worth stealing.
• Monitoring your keystrokes and your network traffic in the hope of extracting passwords and network authentication tokens.
• Launching criminal attacks on other networks and computers so that the source of the attack seems to trace directly back to you.
• Sending enormous quantities of spam and scam emails so that any attempt to blocklist the offending messages affects your internet connection and leaves the crooks untouched.
• Taking screenshots secretly to keep track of what you are up to online.
• Activating your webcam remotely to snoop on you while you’re using your computer
• Downloading and implanting additional malware on your computer, possibly as part of an underground service to distribute other crooks’ malware for a fee.

SophosLabs tracked five different RATicate malware campaigns delivering a wide range of different RATs, each using a wide range of different C&C servers to download their malevolent instructions.

The RAT variants delivered by this group of crooks included the zombie malware families Betabot, Lokibot, Formbook, AgentTesla, Netwire, Bladibindi and more. 

The rogue installers were spammed out in emails where they were sometimes attached directly in archive files using the well-known ZIP format, as well as lesser known archive types UDF and IMG formats; and sometimes delivered as Excel or RTF files that included links to download the “installer” from a booby-trapped server. 

How to prevent a RATicate attack?

• Filter email attachments. Don’t let little-used archive files through just because you assume they’re harmless.
• Filter outgoing web connections to block access to known hacked servers. If you bring your remote users back through the company network using a VPN, you can help to ensure that everyone gets the same level of protection against rogue downloads.
• Follow layered protection, also known as defense-in-depth. The criminals are practicing “layered attacks” so that each step of the process looks more innocent on its own, but this often means that you can often prevent the overall attack if you block just one part of it.
• Keep an eye on your logs. A modest looking attack that you spotted today could be a handy warning of what the crooks have in mind next.