
RadRAT

Posted: July 9, 2018

RadRAT is a Remote Access Trojan that provides network-infiltration and data-collecting capabilities to its Command & Control admins. Infections by this threat grant criminals total control over the file system of both the PC and, potentially, the rest of its network. Due to the inclusion of advanced stealth features similar to those of a rootkit, malware experts only encourage detecting and removing RadRAT with a suitably-qualified and updated anti-malware product.

A Network Saboteur that's Flown Under the Radar

An old 'new' Trojan that fuses the feature sets of rootkits, spyware, and backdoor Trojans is the subject of a recent highlight report by the Bitdefender cyber-security company. Attacks from this threat, RadRAT, date to at least 2015, and malware experts are noting its particular compatibility with large, network-based Windows environments. Its threat actors seemingly are using RadRAT's capabilities for compromising and monitoring the network setups of business-sector entities, with long-term potential for collecting confidential data or sabotaging the machines.

RadRAT is made up of a handful of separate components, including DLLs, EXEs, and TMP files, some of which display variable operational behavior depending on their filenames (as a way of switching between a 'default' and an 'installation' mode). The Remote Access Trojan hijacks the behavior of Windows services to keep itself running and throttles the priority of its routines to stop them from alerting the user through slowdowns and related symptoms.

The RadRAT features whose danger malware analysts are emphasizing include:

  • RadRAT supports significant control over the system's file operations, including enumerating the contents of directories, comparing hashes, and reading, creating, copying or deleting files.
  • RadRAT has many functions that are specific to monitoring and compromising network shares and has two distinct infection methods for any network-accessible PC. Although the RAT includes login-compromising features, such as ARP poisoning attacks, it also has a pass-the-hash attack that could grant it system access without needing the password or other credentials.
  • Although RadRAT's core data-exfiltrating features are the ones for collecting login combinations and related credentials, it also is a potential threat to all sensitive data on the PC. Of particular note, RadRAT includes monitoring mechanisms for the PC's Web-browsing history and network traffic.

Keeping Your Network from Getting Too Radical

With nearly a hundred separate commands, a design focus on highly-specialized system information monitoring, and system-hooking stealth features similar to those of a rootkit, RadRAT is a project that benefits from significant time investment by its programmers. Threat actors using RadRAT are likely to be highly familiar with the target environments and may be seeking to attack specific, high-value networks, such as entities in the energy or medical sectors.

Compromised Windows systems should, if possible, be segregated from the rest of the network to keep RadRAT from traveling laterally and attacking other PCs. Users also may find it helpful to boot their PCs through methods that circumvent the default Registry settings, which the Trojan is likely to have modified. This threat's campaign is still receiving updates, and malware experts advise that any victims use only similarly up-to-date anti-malware tools for uninstalling RadRAT safely.

RadRAT is a threat that gives remote attackers virtually unlimited control over a network while taking care to eliminate any sign of its existence as it runs. With its infection strategies still unidentified, PC users working in all industries should remember that practicing safe network behavior is significantly simpler than cleaning up the consequences of carelessness.
