
OzoneRAT

Posted: October 27, 2016

Threat Metric

Threat Level: 8/10
Infected PCs: 83
First Seen: May 7, 2013
OS(es) Affected: Windows

OzoneRAT is a Remote Access Trojan (RAT) that can hijack your Web browser to redirect you to a threatening website or to intercept personal information, and that provides other means of attacking the PC. Like other RATs, OzoneRAT is designed to maintain system persistence without any visible evidence, although its installation typically requires your consent (such as interacting with an e-mail attachment). You should treat infections by allowing your anti-malware solutions to remove OzoneRAT immediately.

A Whiff of the Wrong Website in the Air

Even the most flexible and advanced Trojans rely on very conventional methods to install themselves, and these often hinge on unintended help from their victims. For example, OzoneRAT is a RAT whose license agreement includes warnings against using it for non-threatening activities, although malware experts already see at least one campaign installing it through spam emails. In that case, the attack uses a fake television bill document with an embedded JavaScript exploit. Launching the JavaScript triggers OzoneRAT's installation, along with a variety of other, invariably threatening, modifications.

Some of the first changes made to the infected PC include setting up a fake SSL certificate, potentially for spoofing protected website communications. OzoneRAT also installs a TOR-based proxy configuration for Internet Explorer, Firefox and Chrome. These Man-in-the-Middle or Man-in-the-Browser style attacks can redirect you from a safe domain to a visually similar threatening one, such as rerouting you from a bank login to a phishing site.
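The proxy changes described above leave traces a defender can audit directly. The following script is an added example, not code from the page or from OzoneRAT; it parses Firefox's prefs.js / user.js format (user_pref("name", value); lines) and the ProxyEnable/ProxyServer pair that Internet Explorer keeps under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, and flags a SOCKS proxy on the loopback interface at Tor's default ports (9050, or 9150 for Tor Browser). The sample preference lines and registry values are constructed for the demonstration; on a live system you would read prefs.js from the profile directory and the registry values with winreg.

```python
"""Audit browser proxy settings for a Tor-style local SOCKS proxy.

Added example, not from the page or OzoneRAT's own code. Assumes the
documented Firefox prefs.js format and the Internet Explorer
ProxyEnable/ProxyServer registry values. All sample inputs are constructed.
"""
import re

# Tor's default SOCKS listeners; a loopback SOCKS proxy the user did not
# configure deserves a closer look.
TOR_SOCKS_PORTS = {9050, 9150}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed prefs.js excerpt resembling a forced manual SOCKS configuration.
SAMPLE_PREFS = '''\
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9050);
user_pref("network.proxy.socks_remote_dns", true);
'''


def parse_prefs(text):
    """Return a dict of Firefox preferences from prefs.js / user.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        name, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw
        prefs[name] = value
    return prefs


def firefox_findings(prefs):
    """List suspicious proxy settings in parsed Firefox preferences."""
    findings = []
    # network.proxy.type 1 means "manual proxy configuration"
    if prefs.get("network.proxy.type") == 1:
        host = str(prefs.get("network.proxy.socks", ""))
        port = prefs.get("network.proxy.socks_port", 0)
        if host in LOOPBACK and port in TOR_SOCKS_PORTS:
            findings.append(f"firefox: SOCKS proxy {host}:{port} looks like a Tor listener")
        if prefs.get("network.proxy.socks_remote_dns") is True:
            findings.append("firefox: DNS is resolved through the SOCKS proxy (hides lookups from local DNS logs)")
    return findings


def ie_findings(proxy_enable, proxy_server):
    """Check the Internet Settings ProxyEnable (DWORD) / ProxyServer (string) pair."""
    findings = []
    if proxy_enable != 1 or not proxy_server:
        return findings
    # ProxyServer is either "host:port" or "http=host:port;socks=host:port;..."
    for entry in proxy_server.split(";"):
        scheme, _, addr = entry.rpartition("=")
        host, _, port = addr.rpartition(":")
        if host in LOOPBACK and port.isdigit() and int(port) in TOR_SOCKS_PORTS:
            findings.append(f"ie: {scheme or 'proxy'} proxy {host}:{port} looks like a Tor listener")
    return findings


if __name__ == "__main__":
    for f in firefox_findings(parse_prefs(SAMPLE_PREFS)):
        print(f)
    for f in ie_findings(1, "socks=127.0.0.1:9050"):
        print(f)
```

Chrome has no preference file of its own to inspect here because it follows the system (Internet Settings) proxy, so the registry check covers it as well. A hit is a lead, not a verdict: Tor Browser legitimately sets a loopback SOCKS proxy on port 9150, so confirm whether the user installed it.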

This original, front-loaded payload must download an additional module, which it runs via a DLL-injecting exploit, for OzoneRAT to conduct other attacks of significance. Besides granting a remote attacker widespread access to your PC and control over its UI and settings, OzoneRAT also boasts a semi-unique control feature: the ability to create a second instance of the Windows desktop. This second desktop is under the attacker's control but invisible to the user, which allows con artists to conduct attacks with even more efficiency and less use of potentially cumbersome network commands.

Taking the Toxicity out of Your PC's Atmosphere

Much like the cloud-scraping atmospheric beasts of cryptozoology's fables, OzoneRAT is a threat whose sheer breadth of influence makes it difficult to detect and isolate. OzoneRAT uses encrypted and anonymous network communications, can install other threats or disable security features without needing access to anything other than the Windows UI, and need not show any overt symptoms unless the remote attacker intends it to. However, a watchful victim may note OzoneRAT's impact on carefully monitored system resources, such as RAM.

OzoneRAT is most vulnerable to identification during the install process, such as the previously mentioned e-mail spam attacks. Malware experts find that these attacks are, at present, restricted to German-speaking PC owners, although OzoneRAT's business model of renting usage to third parties makes it likely that it will soon spread elsewhere. Readers should remember that legitimate invoices and other billing-related documents are never provided as Word email attachments and never include embedded scripts or macros.
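The rule in the last sentence is simple enough to enforce at a mail gateway. The script below is an added example, not code from the page or from any OzoneRAT sample: it parses an e-mail with Python's standard email module and holds any attachment that is a script file or an Office (OOXML) document carrying a vbaProject.bin macro container. The message it checks is constructed inline (a fake bill with a macro-enabled .docm, a .js file and a harmless PDF); nothing in it is taken from the real campaign.

```python
"""Flag invoice-style email attachments that carry scripts or macros.

Added example, not from the page or from an OzoneRAT sample. It applies the
page's rule that a real invoice never arrives as a script or a macro-enabled
document. The .eml below is constructed for the demonstration.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".hta"}
OFFICE_ZIP_EXTENSIONS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}


def has_vba_project(data):
    """True if an OOXML (zip-based) document contains a VBA macro project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def suspicious_attachments(raw_eml):
    """Return (filename, reason) for each attachment a gateway should hold."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_eml)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        lower = name.lower()
        ext = lower[lower.rfind("."):] if "." in lower else ""
        payload = part.get_payload(decode=True) or b""
        if ext in SCRIPT_EXTENSIONS:
            hits.append((name, "script file"))
        elif ext in OFFICE_ZIP_EXTENSIONS and has_vba_project(payload):
            hits.append((name, "Office document with VBA macros"))
    return hits


def build_sample_eml():
    """Construct a fake 'bill' message with a macro document and a script attached."""
    macro_doc = io.BytesIO()
    with zipfile.ZipFile(macro_doc, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/vbaProject.bin", b"\x00constructed macro blob")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Ihre Rechnung"
    msg.set_content("Your television bill is attached.")
    msg.add_attachment(macro_doc.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Rechnung.docm")
    msg.add_attachment(b"var x = 1;", maintype="application",
                       subtype="javascript", filename="Rechnung.js")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="Rechnung.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in suspicious_attachments(build_sample_eml()):
        print(f"hold {name}: {reason}")
```

The macro check looks inside the zip container rather than trusting the extension, because a .docx can carry a vbaProject.bin just as a .docm can; Word will refuse to run it, but the file is still a signal that something is off. Scripts inside archives and legacy binary .doc files are not covered by this check.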

Besides guarding against these infection methods, you can always use anti-malware products to delete OzoneRAT before its administrators take greater control over your PC and block any attempted remediation.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:



File name: file.exe
Size: 832.51 KB (832512 bytes)
MD5: da2b37ed0761698b36018fe3b30170d8
Detection count: 73
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

File name: file.exe
Size: 535.16 KB (535160 bytes)
MD5: 199fc3fdc3bd77d7f0c04232b15a3b12
Detection count: 72
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: October 25, 2016

File name: file.exe
Size: 906.75 KB (906752 bytes)
MD5: 5b47d516fe9ecb7bc1d3eb6d4631e274
Detection count: 62
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: October 25, 2016

File name: file.exe
Size: 534.64 KB (534648 bytes)
MD5: 1d6510c0503e6702cde6fa6c3375711c
Detection count: 57
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: October 25, 2016

File name: file.exe
Size: 283.13 KB (283131 bytes)
MD5: c00ca3114f32f880ee0d712a20d07b3d
Detection count: 6
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
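The MD5 and size pairs in the table above can be turned into a simple sweep of a disk. The scanner below is an added example, not a tool from the page or from any vendor: it walks a directory tree, compares file sizes against the table first (cheap, from the directory listing) and hashes only size matches. The demo() function writes constructed decoy files into a temporary directory and registers the decoy's own hash as an extra indicator, since no file here can reproduce the real samples' hashes.

```python
"""Scan a directory tree for the OzoneRAT file indicators listed on this page.

Added example, not part of the original page. The MD5/size pairs in IOC_FILES
are copied from the File System Modifications table; the scanner and the
temporary files the demo writes are constructed here.
"""
import hashlib
import os
import tempfile

# md5 hex digest -> size in bytes, from the page's table
IOC_FILES = {
    "da2b37ed0761698b36018fe3b30170d8": 832512,
    "199fc3fdc3bd77d7f0c04232b15a3b12": 535160,
    "5b47d516fe9ecb7bc1d3eb6d4631e274": 906752,
    "1d6510c0503e6702cde6fa6c3375711c": 534648,
    "c00ca3114f32f880ee0d712a20d07b3d": 283131,
}


def file_md5(path, chunk=1 << 20):
    """MD5 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, iocs=IOC_FILES):
    """Return [(path, md5)] for files whose size and MD5 match an indicator.

    Size is compared first so the scanner hashes only the few files that
    could possibly match; the MD5 is the actual decision.
    """
    wanted_sizes = set(iocs.values())
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue  # unreadable, or removed between listing and stat
            if size not in wanted_sizes:
                continue
            digest = file_md5(path)
            if iocs.get(digest) == size:
                matches.append((path, digest))
    return matches


def demo():
    """Plant a constructed decoy and confirm the scanner finds it and nothing else."""
    decoy = b"constructed decoy content, not a real OzoneRAT sample\n"
    iocs = dict(IOC_FILES)
    iocs[hashlib.md5(decoy).hexdigest()] = len(decoy)  # constructed indicator
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "file.exe"), "wb") as fh:
            fh.write(decoy)
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"benign file of a different size")
        # same size as the decoy but different bytes: must not match
        with open(os.path.join(root, "same_size.bin"), "wb") as fh:
            fh.write(b"x" * len(decoy))
        hits = scan_tree(root, iocs)
    return [(os.path.basename(p), d) for p, d in hits]


if __name__ == "__main__":
    for name, digest in demo():
        print(f"match: {name} {digest}")
```

A hash match is exact-build detection only: OzoneRAT is rented to third parties, so builds differ and a repacked sample will not match any of the five digests. Treat a clean scan as "these particular files are absent", not as proof the machine is uninfected, and pair it with the behavioural signs the text describes (proxy changes, the second desktop, unexplained RAM use).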