
RDAT Backdoor Trojan

Posted: July 24, 2020

A Middle Eastern telecommunications company had its network defenses penetrated by a heavily reworked piece of malware identified as the RDAT Backdoor Trojan. This threat appears to be entirely revamped compared to earlier versions, and its development has been attributed to the OilRig Advanced Persistent Threat (APT) group, which has been active in the region for nearly a decade. The group is believed to be of Iranian origin and is also tracked under alternative names such as APT34 and Twisted Kitten. The OilRig APT is known to rely heavily on social engineering to gain illicit access to targeted networks, but there is not yet enough information to determine whether the same approach was used to deliver the RDAT Backdoor Trojan.

The latest variant of the RDAT Backdoor Trojan features a new and more advanced way to retrieve commands from its control server. Instead of relying on an HTTP connection, the RDAT Backdoor Trojan uses steganography, the practice of concealing data inside an innocuous carrier such as an image. In this case the carriers are modified image files in the BMP format, attached to emails that the RDAT Backdoor Trojan reads in order to fetch new commands. The channel also works in reverse: the RDAT Backdoor Trojan can hide collected data inside images in the same way and use them to silently exfiltrate information from the compromised network.

The latest RDAT Backdoor Trojan attack often included the use of the Mimikatz tool, which cybercriminals commonly rely on to extract passwords and credentials from compromised systems. In addition to extracting credentials via third-party utilities, the RDAT Backdoor Trojan also supports other actions:

  • Uploading or downloading files and executing them.
  • Taking screenshots of the desktop.
  • Restarting its payload or initializing the self-destruct sequence.

All data that the RDAT Backdoor Trojan collects is stored in a hidden folder and exfiltrated via the steganography method mentioned above. It is safe to assume that the RDAT Backdoor Trojan attacks are used for espionage and data theft.
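As an added example (not part of the original article and not RDAT's or OilRig's code), the following Python script shows how a defender might triage BMP email attachments for the kind of steganographic command and exfiltration channel described above. It assumes the hidden payload is written into the least-significant bits of the pixel bytes (classic LSB steganography, the most common image-steganography method); the article does not say which embedding method RDAT actually uses. The BMP samples are constructed inside the script, and the helper that overwrites the LSB plane with noise only simulates the statistical footprint of embedding so the detector can be exercised offline.

```python
import random
import struct
import zlib

# Added example, not RDAT's code. Assumption: the hidden payload lives in the
# least-significant bits of the pixel bytes (LSB steganography). The source
# article does not state which embedding method RDAT uses.


def build_bmp(width, height, pixel_fn):
    """Build a minimal uncompressed 24-bit BMP in memory.

    pixel_fn(x, y) returns (r, g, b). BMP stores rows bottom-up, each row
    padded to a multiple of 4 bytes, and pixels in B, G, R order.
    """
    row_stride = (width * 3 + 3) & ~3
    pixels = bytearray()
    for y in range(height - 1, -1, -1):
        for x in range(width):
            r, g, b = pixel_fn(x, y)
            pixels += bytes((b, g, r))
        pixels += b"\x00" * (row_stride - width * 3)
    offset = 14 + 40  # BITMAPFILEHEADER + BITMAPINFOHEADER
    file_header = struct.pack("<2sIHHI", b"BM", offset + len(pixels), 0, 0, offset)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              len(pixels), 2835, 2835, 0, 0)
    return bytes(file_header + info_header + pixels)


def bmp_geometry(data):
    """Parse the BMP headers and return (width, height, pixel_data_offset)."""
    if data[:2] != b"BM":
        raise ValueError("not a BMP file")
    offset = struct.unpack_from("<I", data, 10)[0]
    width, height = struct.unpack_from("<ii", data, 18)
    bpp = struct.unpack_from("<H", data, 28)[0]
    compression = struct.unpack_from("<I", data, 30)[0]
    if bpp != 24 or compression != 0:
        raise ValueError("only uncompressed 24-bit BMPs are handled here")
    return width, abs(height), offset  # negative height means top-down rows


def lsb_plane(data):
    """Return the least-significant bit of every colour byte (row padding skipped)."""
    width, height, offset = bmp_geometry(data)
    row_stride = (width * 3 + 3) & ~3
    bits = []
    for row in range(height):
        start = offset + row * row_stride
        bits.extend(b & 1 for b in data[start:start + width * 3])
    return bits


def scan_bmp(data, threshold=0.9):
    """Flag a BMP whose LSB plane looks like random data.

    In a clean, smooth image the LSB plane is structured and compresses well;
    an embedded payload (usually encrypted or compressed) makes it incompressible.
    """
    bits = lsb_plane(data)
    packed = bytearray()
    for i in range(0, len(bits), 8):
        chunk = bits[i:i + 8]
        value = 0
        for bit in chunk:
            value = (value << 1) | bit
        packed.append(value << (8 - len(chunk)))
    ratio = len(zlib.compress(bytes(packed), 9)) / len(packed)
    return {
        "lsb_bits": len(bits),
        "ones_ratio": sum(bits) / len(bits),
        "compression_ratio": ratio,
        "suspicious": ratio > threshold,
    }


def randomize_lsb_plane(data, seed=1):
    """Test fixture only: overwrite each colour byte's low bit with a
    pseudo-random bit to simulate the statistical footprint of LSB embedding."""
    width, height, offset = bmp_geometry(data)
    row_stride = (width * 3 + 3) & ~3
    out = bytearray(data)
    rng = random.Random(seed)
    for row in range(height):
        start = offset + row * row_stride
        for i in range(start, start + width * 3):
            out[i] = (out[i] & 0xFE) | rng.getrandbits(1)
    return bytes(out)


# Constructed samples: a smooth synthetic 64x64 gradient, and the same image
# with its LSB plane replaced by noise.
CLEAN_SAMPLE = build_bmp(64, 64, lambda x, y: (x * 3 % 256, y * 5 % 256, (x + y) % 256))
STEGO_SAMPLE = randomize_lsb_plane(CLEAN_SAMPLE)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("stego", STEGO_SAMPLE)):
        print(name, scan_bmp(sample))
```

A near-incompressible LSB plane is a triage signal, not proof: noisy photographs also have close-to-random low bits, so in practice the score should be combined with context such as the sender, the mailbox access pattern, and which process on the host is reading the attachment.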

Unfortunately, the OilRig APT is still a major concern for companies in the Middle East – the government-backed hackers continue to improve their arsenal by introducing entirely new malware like ZeroCleare, or updating old projects like the RDAT Backdoor Trojan.
