
Ratsnif

Posted: July 2, 2019

Ratsnif is a Remote Access Trojan that specializes in network traffic-based attacks for modifying the victim's Web-browsing experience and stealing information. Its use has close associations with APT32, a threat actor with possible Vietnamese state-sponsorship. Vulnerable networks should adhere to best practices for attack prevention and use anti-malware tools for deleting Ratsnif as it appears.

The Asian Rat that Sniffs Your Browser

A RAT from 2016 is still receiving updates and significant changes to its structure and payload to this day, thanks to APT32, also known by its more memorable name of OceanLotus. Although malware experts rate the Trojan's overall coding quality as unusually low, Ratsnif does have unique and threatening features with a distinct emphasis on cyber-espionage. Like KOMPROGO, SOUNDBITE, and WINDSHIELD, Ratsnif is a custom Trojan for this threat actor, although APT32 also uses third-party programs like Cobalt Strike with less discrimination.

Most attacks by these hackers use e-mail as the infection vector and deploy one or more 'generic' threats for assessing the target before dropping in-house Trojans like Ratsnif. Older versions of Ratsnif rely on C&C communications for configuring their payloads, while newer ones since 2018 use a built-in configuration file. Across all variants, malware experts outline data-collecting and traffic-hijacking attacks, including, but not limited to:

  • Executing shell commands remotely.
  • ARP and DNS poisoning or spoofing for intercepting network traffic.
  • Hijacking and redirecting HTTP requests.
  • Packet interception or sniffing, which lets the Trojan filter traffic-based data for content of value.

Ratsnif deployments include modular support for various purposes, such as the transmission of collected data to OceanLotus.
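The ARP poisoning listed above leaves a recognisable footprint on the segment: the gateway's advertised MAC changes, and one station starts claiming several IPs at once. The following detector is an added example written for this entry, not code from the page or from any Ratsnif analysis; the ARP reply records, addresses and MACs are constructed sample data.

```python
"""Flag ARP-poisoning style interception from a stream of ARP replies.

Added example for the Ratsnif entry. The record format (timestamp, sender
IP, sender MAC) and every value in SAMPLE_ARP_REPLIES are constructed.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed sample: gateway 10.0.0.1 is first announced by aa:..:01, then a
# second MAC re-announces the gateway and also claims the victim host 10.0.0.20.
SAMPLE_ARP_REPLIES = [
    ("09:00:01", "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ("09:00:02", "10.0.0.20", "bb:bb:bb:bb:bb:20"),
    ("09:00:03", "10.0.0.21", "bb:bb:bb:bb:bb:21"),
    ("09:05:10", "10.0.0.1", "cc:cc:cc:cc:cc:99"),   # gateway re-claimed
    ("09:05:11", "10.0.0.20", "cc:cc:cc:cc:cc:99"),  # same MAC claims victim
]


def detect_arp_poisoning(replies, gateway_ip):
    """Return a list of alert strings. Two signals are checked:
    1. an IP whose advertised MAC changes (flagged more loudly for the gateway);
    2. one MAC advertising two or more distinct IPs, the classic shape of a
       station sitting between a gateway and a victim.
    """
    ip_to_mac: Dict[str, str] = {}
    mac_to_ips = defaultdict(set)
    alerts: List[str] = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            kind = "GATEWAY-MAC-CHANGE" if ip == gateway_ip else "MAC-CHANGE"
            alerts.append(f"{ts} {kind} {ip}: {prev} -> {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            ips = ",".join(sorted(mac_to_ips[mac]))
            alerts.append(f"{ts} MULTI-IP-MAC {mac} claims {ips}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_poisoning(SAMPLE_ARP_REPLIES, "10.0.0.1"):
        print(line)
```

Routers with secondary addresses and proxy-ARP setups legitimately answer for several IPs from one MAC, so the MULTI-IP-MAC signal needs an allow-list of known infrastructure MACs before it is used for alerting.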

Building a Ratproof Network

The length of time Ratsnif remained under the PC security industry's radar isn't due to its coding quality, which, malware experts re-emphasize, is unusually far below APT32's regular standards. Ratsnif campaigns use very specialized deployment methods for targets of high interest to the threat actor, and limited sample availability plays a foremost part in its lack of detection. Many attacks also may use techniques like steganography, the embedding of unsafe content into images, for obfuscating Ratsnif or its loader.

While it can execute commands that instigate other security issues, Ratsnif's focal point is the monitoring of online traffic for collecting information, including modifying the browser's behavior and Web pages, if necessary. All Internet connectivity should be disabled while dealing with infections. Employees should receive adequate training on identifying phishing attacks through e-mail, which are the preferred infection method for OceanLotus and similar state-sponsored groups.

Network security products may blacklist domains that are known for affiliation with OceanLotus, and professional anti-malware programs should uninstall Ratsnif, like any other threat.

For a Trojan spy, Ratsnif uses humble disguises – its executable tends to name itself after Adobe or Java-based files. The generic names are, as usual, very deceptive, since its payload is a unique indicator of the target machine's interest to a very discerning group of Vietnamese criminals.
