Remote Access Trojans (RATs) are among the most popular hacking tools, as they allow attackers to remotely control a compromised system. These malware variants are constantly updated to evade the security measures of the attacked systems, so it is necessary to know as much as possible about them.
On this occasion, the experts from the malware analysis course of the International Institute of Cyber Security (IICS) will show you the 6 remote access Trojan variants most used by the cybercriminal community. Remember that this article was prepared for informational purposes only and should not be taken as a call to action; IICS is not responsible for the misuse that may be given to the information contained herein.
Below is a list of the malicious tools that will be analyzed:
- Cerberus 1.03.5
- Cyber Gate 1.07.5
- DarkComet 5.3
- OrcusRAT 1.9.1
- NjRat Danger Edition 0.7D
- Venom 2.1
It is worth mentioning that the malware analysis course experts have evaluated these Trojans based on the criteria mentioned below:
- Features included
- Speed of deployment on the target system
- Loading capacity
- Build Code Protection Level
- Checking in VirusTotal
- Overall pros and cons
Considering the above, let us continue with the analysis of the RATs.
Cerberus is capable of working at high speed, since loading it takes only 5 seconds. During operation, the RAT occupies about 7.3 MB of memory, so it does not place a noticeable load on the target system. Furthermore, according to experts from the malware analysis course, this RAT is capable of evading security mechanisms when properly encrypted.
Cerberus can change languages, recognize various output formats, and even add sounds that play at boot time. This RAT can also establish persistence on the system and is very effective at deceiving the target user, although it is easily detectable. Another disadvantage is that the compiler is somewhat outdated, which can be problematic for the attacker.
According to experts from the malware analysis course, starting CyberGate takes around 25 seconds, making it significantly slower than options like Cerberus. CyberGate's startup is also somewhat conspicuous, as it creates several processes that are visible in the task manager.
As for the analysis at VirusTotal, only one of the 70 most popular antiviruses was able to determine the actual origin of this RAT.
While it is easy to use CyberGate to collect a large amount of information from active sessions, the malware analysis course experts believe that it would be easy for any administrator to detect and remove the infection.
Compiling DarkComet takes about a minute, which makes it a very slow option for this class of tool, although once compiled its footprint is small, consuming only 2.7 MB of memory.
The build is not hidden behind shields or packers of any kind, and in its import table you can immediately notice user32.dll, from which the mouse and keyboard (keybd) functions are imported, along with, of course, the keylogging function VkKeyScanA.
Among its outstanding functions are two build modes, scheduled actions, and the generation of download links for the RAT, experts from the malware analysis course point out.
Although its resource consumption is inconspicuous and there is not much information about DarkComet on VirusTotal, this RAT is not able to adequately hide its activity and is therefore not a very popular choice.
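As an added detection aid that is not part of the original article, the following YARA rule turns the import-table observation above (an unpacked PE importing VkKeyScanA plus the keyboard/mouse functions from user32.dll) into a triage heuristic. The hook-based imports (SetWindowsHookExA/W, GetAsyncKeyState) are an assumed generalisation beyond what the article lists, so the rule flags keystroke-capture imports in general rather than DarkComet specifically.

```yara
import "pe"

// Added triage rule (not from the original article). It matches unpacked PE files whose
// import table pulls keystroke/input APIs from user32.dll. Treat a hit as a reason to
// look closer, not as a family signature: legitimate input tools import these too.
rule user32_keystroke_capture_imports_triage
{
    meta:
        description = "PE importing VkKeyScanA and keyboard/mouse APIs from user32.dll"
        confidence  = "low"

    condition:
        // MZ header and PE signature at e_lfanew
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550 and
        pe.number_of_sections > 0 and
        // the function the article calls out by name
        pe.imports("user32.dll", "VkKeyScanA") and
        // plus at least one keyboard/mouse input API (assumed generalisation)
        (
            pe.imports("user32.dll", "keybd_event") or
            pe.imports("user32.dll", "mouse_event") or
            pe.imports("user32.dll", "SetWindowsHookExA") or
            pe.imports("user32.dll", "SetWindowsHookExW") or
            pe.imports("user32.dll", "GetAsyncKeyState")
        )
}
```

Because the rule relies on the import table, it only works on unpacked samples; a packed build hides these imports until it is unpacked in memory.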
Orcus RAT assembles in less than 10 seconds, consumes approximately 15 MB of RAM, and does not create extraneous processes on the target system; it is also encrypted, experts from the malware analysis course point out. Orcus RAT may intentionally create third-party processes as a distraction and accepts plugins to extend its capabilities.
Many antiviruses can detect Orcus RAT, although this does not mean that protected systems are safe from this malicious development; however, the functionality of the RAT is limited if the attacker does not have the relevant plugins.
According to malware analysis course experts, NjRat has advanced features, including the ability to halt when specific processes are detected, share the victim’s screen, disable the task manager, and resist uninstallation.
On the other hand, its assembly takes exactly ten seconds and occupies 18% of the processor’s capacity, so it can be quite conspicuous. The antivirus scan returns better results than for the options shown above, although this does not mean that it is impossible to detect.
Although researchers believe that there are better options in the cybercriminal community, NjRat counts as a fully functional hacking tool, but its main drawback is high processor resource consumption.
According to experts from the malware analysis course, Venom can upload a build to AnonFile and add very well-hidden installers, even with fake installation licences. Attackers using Venom can also create a rootkit and modify the Trojan, providing a high level of customization.
Launching this RAT takes about 20 seconds and the build occupies 9 MB of RAM, so it consumes virtually no system resources. It is written in .NET and, although it would benefit from better stealth tactics, its code cannot be read on the fly.
Venom is perhaps the best option on this list, since it easily adapts to the characteristics of each attack campaign and practically no antivirus can detect the infection. Venom’s main downside is that it’s a paid RAT, though that’s certainly not something that would stop an advanced hacking group.