
ComRAT

Posted: May 27, 2020

ComRAT is a significantly evolved version of Agent.BTZ, a backdoor Trojan that also spread as a worm. This variant adds further Command & Control options and monitoring of anti-virus logs, but it remains specialized in collecting confidential data such as documents. Users should protect themselves against traditional infection methods such as phishing e-mails and keep their anti-malware services updated so that ComRAT can be removed as soon as possible.

When Worms Evolve into Worse Things

By 2008, the Agent.BTZ worm had already breached systems connected to the US Pentagon, earning its place in cyber-warfare history. A series of significant changes to the dual worm-backdoor Trojan makes it even more of a problem for its victims as of 2020. As always a tool of the Turla APT, the ComRAT update is oriented towards exfiltrating sensitive intelligence data, with extra care taken to stay hidden over the long term.

ComRAT drops the earlier Agent.BTZ propagation model for removable devices and is a rewrite of the program's code. With unusual invasiveness for spyware, it injects itself into every process in memory, and it is installed via PowerStallion (one of the Turla group's other hallmark utilities). ComRAT retains features that search for and collect specific files from the infected computer, and it includes a standard C&C connectivity option.

However, ComRAT is also an eyebrow-raising update for its alternative to the usual HTTP-based server communications. Instead, it can load a cookie into the user's browser and 'read' the attachments of e-mails in a Gmail account. Turla uses this channel to deliver commands by sending e-mails with attached data blobs disguised as documents. For defenders, the practical consequence is that this C&C traffic blends in with legitimate Gmail sessions and will not be caught by rules that look only for connections to unknown or suspicious servers.

The Remote Access Trojan also includes a customized feature for sending anti-virus logs to the attackers. Malware experts regard this feature as almost certainly an effort to collect security data, that is, to learn which of its components the installed security product has flagged, so that the Trojan's detection-avoidance rates can be improved.

Tracking Down a Dirty Remote Access Trojan

As one might assume of any hacking organization that has compromised numerous diplomatic entities and military networks over the years, the Turla APT has the apparent benefits of funding, experience and expertise. ComRAT is already in its fourth notable iteration, the latest being the most significant in programming terms. It is only one of many data-collecting and C&C-contacting threats from this threat actor, in the same style as COMPfun, Kazuar, Skipper and KopiLuwak.

ComRAT has appropriately advanced stealth mechanisms, including the use of a 'virtual' file system for storing its files, so that its components do not appear as ordinary files on the host's disk. Users can, however, protect themselves by monitoring e-mail messages, websites and social messages for classic signs of phishing attacks or drive-by downloads. Virtually all information on a PC compromised by this threat is at risk of transfer to the Turla APT's server.

Naturally, malware researchers recommend against any manual uninstallation of ComRAT by ordinary users. Anti-malware products are updating their databases to cover this threat and will, ideally, catch and delete ComRAT automatically.

ComRAT's fourth version has been active since 2017, with fresh attacks associated with it continuing into the current year. It is a reckless time for using network-connected PCs carelessly, even if ComRAT is only a small part of a much greater geopolitical landscape.
