
RATicate

Posted: May 15, 2020

RATicate is a threat actor that specializes in attacking enterprise-level businesses with a combination of Remote Access Trojans and spyware. The group's campaigns receive regular updates for obfuscating their tools from threat-detecting utilities and show a preference for e-mail infection vectors. Workers should avoid opening attachments or links from e-mail without confirming their safety, and should keep appropriate anti-malware solutions in place for removing RATs and other RATicate threats.

Corporate Spies Using Whatever It Takes

Threat actors turning the Coronavirus epidemic into a Trojan-delivery vehicle are becoming an everyday event. Extortion from the CoronaVirus Ransomware, Windows UI-blocking by CoronaLocker, and smartphone infections through the SpyMax RAT are choice samples of the different fates awaiting victims who click on disease-related links too readily. RATicate, a new threat actor group, is turning in the same direction, but only after over a year's worth of previous hacking experience.

RATicate's modus operandi fits the model that malware researchers associate with for-profit espionage against corporate entities, but the group could also sell its capabilities to other threat actors or aim for different results, such as outright hardware sabotage. While the attackers switch their installation formats slightly between campaigns, all cases include an opening gambit of an e-mail phishing lure. The victim clicks on the attachment, such as a COVID-19-themed document, which starts an elaborate, multi-stage infection routine.

A notable part of this installation is the fact that RATicate, for now, uses a consistent set of 'junk data' files (GIF pictures, ASCII texts, etc.) as part of obfuscating the attack, without changing them from one operation to the next. The payload is, however, much more variable, and rotates through different Remote Access Trojans, or RATs, and spyware tools for collecting data:

All of these Trojans are third-party programs available to threat actors around the world, although malware analysts suspect that the loading components that RATicate uses are custom-built.

Sending Rodents Scurrying

RATicate, whose name is a callback to a lesser-known rodent from Nintendo's Pokemon franchise, has little that's colorful about its campaigns besides the name. The hackers appear to target enterprise-level corporations exclusively, whether for money, service disruption or access to sensitive data. They also show the degree of competency that malware experts expect of such attackers, including the use of reflective loading techniques, memory injection and additional anti-detection tricks.

Users should monitor e-mail communications, which are one of the most consistent elements in RATicate campaigns throughout 2019 and 2020. These messages may carry contents specialized to the target's workplace environment or ongoing phenomena like the Coronavirus. The usual precautions concerning patching software and turning off high-risk features like macros will assist with blocking RATicate attacks and similar ones from other threat actors.
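The macro precaution above is one that an administrator can enforce rather than leave to user judgement. The PowerShell below is an added example, not code from the original article or from any RATicate sample: it applies and then verifies the Office policy that blocks macros in documents carrying the Mark-of-the-Web (downloads and e-mail attachments). It assumes Office 2016 or later, which stores its policy settings under the `16.0` hive, and that the documented `blockcontentexecutionfrominternet` and `VBAWarnings` policy values apply; in production these keys would normally be delivered through Group Policy rather than written directly.

```powershell
# Added example (not from the original article): enforce and verify the Office
# "Block macros from running in Office files from the Internet" policy for the
# current user. Assumption: Office 2016/2019/365 use the 16.0 policy hive.

$OfficeVersion = '16.0'                       # assumption: adjust for other Office releases
$Apps = 'Word', 'Excel', 'PowerPoint'         # applications that commonly carry VBA lures

function Set-OfficeMacroPolicy {
    param(
        [string]$Version = $OfficeVersion,
        [string[]]$Applications = $Apps
    )
    foreach ($app in $Applications) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

        # 1 = block macros in files that arrived from the Internet zone (e-mail attachments, downloads)
        New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' `
            -PropertyType DWord -Value 1 -Force | Out-Null

        # VBAWarnings: 1 = enable all, 2 = disable with notification,
        # 3 = disable all except digitally signed, 4 = disable all without notification
        New-ItemProperty -Path $key -Name 'VBAWarnings' `
            -PropertyType DWord -Value 3 -Force | Out-Null
    }
}

function Test-OfficeMacroPolicy {
    param(
        [string]$Version = $OfficeVersion,
        [string[]]$Applications = $Apps
    )
    foreach ($app in $Applications) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

        $blocksInternet = ($props.blockcontentexecutionfrominternet -eq 1)
        $restrictsVba   = ($props.VBAWarnings -in 3, 4)

        # One row per application; Compliant is true only when both controls are set
        [pscustomobject]@{
            Application         = $app
            BlockInternetMacros = $blocksInternet
            VBAWarnings         = $props.VBAWarnings
            Compliant           = ($blocksInternet -and $restrictsVba)
        }
    }
}

Set-OfficeMacroPolicy
Test-OfficeMacroPolicy | Format-Table -AutoSize
```

Running the script reports one row per application; any row with `Compliant` equal to `False` indicates a host where a macro-laden attachment would still prompt the user rather than being blocked outright. Because the values live under the `Policies` hive, users cannot relax them from the Trust Center, which is the property that makes this control useful against phishing lures of the kind RATicate relies on.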

Payloads from RATicate campaigns revolve around granting remote administrative control over the PC and allowing attackers to exfiltrate information at their leisure. Anti-malware solutions with updated databases are an individual's best bet for removing RATs, spyware and other high-level RATicate threats.

RATicate specializes in infecting Windows environments, but many of the techniques are appropriate for compromising other OSes and devices. Keeping your network from becoming an open piggybank for criminals requires due diligence from every user, whether lowly or highly-placed.
