What is a RAT?
What does RAT stand for?
What will happen if I am infected by a RAT/Ratted?
What are key indicators I have been ratted?
How does a RAT work?
Alright, well what are the capabilities of an ill-willed RAT?
What do I need to know to protect myself?
What should I do if I receive a file I think could be a RAT?
Why should I upload it to virustotal, as opposed to just not opening the file and deleting it?
What if the file comes back clean, but I'm still not sure?
What are common schemes/lies people will use to convince a person to run/open a piece of malware?
Why don't I just use antivirus?
What should I do if I am RATted?
What's the first thing we should do when we think we've run a RAT?
Should I be afraid or scared? I did not know malware has so much potential.
The use of RATs has become more prominent in PB2; from memory, over 4 users have infected innocent users.
I have long thought about creating this thread. Really, I was going to make it ages ago. But we are treading on thin ice. This is a thread about a very scary thing: the use of remote access trojans (RATs). I don't want to scare anyone, but there are things you need to know about this.
Alright, regular thread format, let's get started.
What is a RAT?
A RAT is essentially software designed to monitor and control computers. Not all RATs are malicious. TeamViewer is a RAT, but a completely good tool to use while helping with PCs: it does not force its way onto the computer and can be removed at will.
What does RAT stand for?
There's more than one thing it stands for, but they all mean the same thing, except that a non-malicious RAT is not considered a trojan. Here are some of them.
Remote Access Trojan
Remote Administrator Tool
Remote Administrator Trojan
Remote Agent Tool
What will happen if I am infected by a RAT/Ratted?
The RAT will sometimes disappear and the file is removed, but the RAT reinstalls itself elsewhere. This is one of the most obvious indicators that you have been infected. Other things that can happen are random accounts being hacked, weird notifications about foreign logins, and financial fraud.
What are key indicators I have been ratted?
RATs are not easy to notice, but these are signs you might have an issue:
1. Screen turning off randomly
2. Mouse buttons doing the wrong thing, or the screen being controlled.
3. Mouse is in a different location than where you left it.
4. Computer doesn't sleep or lags often.
5. Random insulting error messages
6. Webcam light randomly coming on.
7. Chatbox popping up
8. Someone having a ton of weird info about you.
9. You find your account was used to spam odd links various places.
How does a RAT work?
I am going to go over this briefly. I am deliberately leaving out vital information to prevent informing the wrong people about this.
It starts on a controller computer. This is known as the host, controller, hub, etc. Exactly like a botnet, if you have read my CyberSecurity Glossary.
This computer has a program on it that can generate the RAT stub, or the virus itself. This is just a file with no logo; the file type can vary from .exe to .jar to .bat to .vbs and many other things (more on this later). This is the malware that is run to gain control of the slaves/clients/bots (essentially the infected people's computers).
After this piece of malware is run on someone's computer, that computer is suddenly listed on the controller computer's control panel.
This is where the RAT can be used to control, manipulate, steal from and stalk a person.
Should the infected person turn their computer off or remove the virus, the computer will be listed as offline and no new information can be gained. However, any information stolen on startup, or while the virus had a live connection, can still be browsed or viewed as long as it was moved to the host computer.
Alright, well what are the capabilities of an ill-willed RAT?
RATs are something I am heavily against, but in the past I have used them. Here are some things I was able to get a RAT I used in the past to do.
On the first run/execution:
1. Force itself to start every time the computer starts up. Establish several backup methods of starting in case one gets deleted. Establish several backup connections in case the controller computer lost connection to the infected individual. This was done through websites such as Pastebin. My RAT would visit a Pastebin page and check it for encoded instructions if it could not connect to the controller computer.
2. Immediately grab all browser saved passwords. This worked on every available mainstream browser, including but not limited to Google Chrome, Internet Explorer, Edge, Opera, and Firefox.
3. Immediately begin keylogging every single computer button press, window and task history, and the timestamps of all of these. These files were stored locally on the infected individual's computer to prevent the files from taking up space on the controller computer, but upon request were easily downloaded/emailed to the controller.
4. Grabbed every email stored on the computer using Outlook or any other local email program. Sent to the controller computer.
5. Immediately searched every single file for any word I picked. This feature is commonly used for the word 'password' 'tax' 'taxes' 'credit' 'W2' things such as this.
6. Download and install other malware to make sure if the PC deletes the RAT, I can use other malware to reinstall it.
7. Use the computer's CPU to mine cryptocurrencies. This was a very complex feature because I could tell it to only do it when the computer hadn't been used in x amount of time, making it very hard to notice.
8. If the infected individual had a mainstream torrent program such as uTorrent, I could secretly 'seed' downloads without the user knowing. This seems insignificant, but let's say I make a download on uTorrent of the movie 'Up', then corrupt the file, and put a readme.txt in the download saying that if the movie doesn't work, to run the Video Media Player updater in the download. Then I can put malware in the movie and use the people who fall for it to seed more downloads.
While the malware has a live connection to the controlling computer:
1. The bot's computer can be controlled. This can be done invisibly, by creating a Remote Desktop Protocol session in the background, or where the infected person can see it, by controlling their mouse and keyboard.
2. The bot's webcam and microphone can be viewed live and/or recorded.
3. The bot's PC can be utilized to silently visit websites automatically to generate Pay Per Click traffic or any sort of ad revenue.
4. You can upload and download files to the bot's PC live.
5. You can remotely execute files on the bot's PC.
6. You can leech and utilize the bot's internet connection to conduct Denial of Service or Distributed Denial of Service attacks (DoS and DDoS).
7. You can open and close the disk drive, shut down or restart the computer.
8. You can make a live chat client or a message appear on the infected individual's screen.
9. There are a lot more, but these are the scariest things.
What do I need to know to protect myself?
This is the most important part. Common sense is the best protection. Well, you already know a bit of it. RATs are typically .jar, .exe, .bat, .vbs, .doc or .pdf files. If someone sends you one of these, it's possible you are a target!
What should I do if I receive a file I think could be a RAT?
First things first, upload it to http://virustotal.com/. This will tell you whether antivirus engines detect it. As long as you do not OPEN the file, you will not be infected. This means you can have a RAT on your PC and not be infected, allowing you to upload it to VirusTotal.
Why should I upload it to virustotal, as opposed to just not opening the file and deleting it?
There are a lot of reasons for this.
1. If you upload to VirusTotal, it's possible the scan will come back obviously infected, and then you know that the person is trying to infect you, and not to trust them.
2. If you upload a file to VirusTotal, it will distribute the sample to antivirus companies to pull it apart and then make it more easily detected by their software. This means you're making it harder for the person to RAT you and others.
3. That way, if the file comes back 100% clean, you know it is possibly safe to run.
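The hash-first version of this check, as an added example (not from the original post): reading a file's bytes to hash it never executes it, so you can look the file up on VirusTotal by SHA-256 before deciding whether to upload it. The GET /api/v3/files/{hash} endpoint is VirusTotal's real v3 API; the API key is a placeholder you must replace with your own.

```python
import hashlib
import json
import urllib.error
import urllib.request

# Real VirusTotal v3 endpoint for looking up an existing report by file hash.
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"
API_KEY = "REPLACE_WITH_YOUR_VIRUSTOTAL_API_KEY"  # placeholder, not a real key


def sha256_hex(data: bytes) -> str:
    """SHA-256 as lowercase hex, the identifier VirusTotal uses for a file."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks. This only reads bytes; it never runs or parses the file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def lookup_url(sha256: str) -> str:
    """Report URL for a hash; refuse anything that is not a 64-character hex digest."""
    if len(sha256) != 64 or any(c not in "0123456789abcdef" for c in sha256):
        raise ValueError("expected a lowercase 64-character SHA-256 hex digest")
    return VT_FILE_URL.format(sha256)


def summarize_report(report: dict) -> dict:
    """Reduce a v3 file report to the engine verdict counts a user cares about."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    return {k: stats.get(k, 0) for k in ("malicious", "suspicious", "harmless", "undetected")}


def query_virustotal(sha256: str, api_key: str = API_KEY):
    """Return the summarized report, or None if VirusTotal has never seen this hash (HTTP 404).
    'Never seen' is exactly the case where uploading the file, as the post recommends,
    gets it in front of the antivirus vendors."""
    req = urllib.request.Request(lookup_url(sha256), headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return summarize_report(json.load(resp))
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise
```

Run sha256_of_file on the download and pass the result to query_virustotal; a report with malicious > 0 is the "obviously infected" case from point 1, and None means nobody has submitted that exact file yet.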
What if the file comes back clean, but I'm still not sure?
You have options. I want to be clear: if you ever have a suspicion you have been infected and I am available, I will personally support you and analyze and help remove the threat. If I'm not around, then I recommend uploading the file to https://www.hybrid-analysis.com/ and sending me the scan. I can almost immediately tell you if the file is malware. Do not try to read the scan yourself without research, as it has odd indicators sometimes. Also, Hybrid Analysis will automatically upload the file to VirusTotal for you unless you deselect the 'share this sample with the community?' option.
What are common schemes/lies people will use to convince a person to run/open a piece of malware?
1. Any YouTube video claiming to have cracks/cheats.
2. Any sort of game cash generator
3. A 'video game' or 'code' someone wrote and needs to test out.
4. Video game mods as odd file types.
5. Just saying 'open this, it's funny'.
6. Claiming it makes you money.
7. Claiming that the file isn't working on his/her own pc and to try it to help them.
8. Sending files over discord or skype and there is no preview/you need to download it.
9. An .exe cleverly disguised as a zipped file so you double click it to unzip it
10. A .pdf or Word macro, meaning the Word document is large but doesn't contain much text, or it claims to be encrypted and you need to enable macros to view it.
11. Claiming it's a program you need, like a hacking program you wanted to try or such.
12. Any sort of aimbot or bot.
13. Claiming it's a driver update or it will fix something on your PC.
14. Telling you it's an antivirus.
15. Putting it with another file you were looking for and saying 'if the file doesn't work, please open this!'
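A triage script for the disguises in points 9 and 10 above and the file types listed under "What do I need to know to protect myself?", as an added example that is not part of the original post. It compares what the filename claims with what the first bytes actually are, spots double extensions, and checks whether an Office document carries a macro project; the magic numbers and extension lists are my assumptions about common formats, and the sample inputs are constructed, not real malware.

```python
import io
import zipfile
from pathlib import PurePosixPath

MAGIC = [
    (b"MZ", "exe"),          # Windows PE executable (.exe, .scr, .dll), whatever the name says
    (b"PK\x03\x04", "zip"),  # ZIP container: .zip, .jar, and Office .docx/.docm/.xlsx
]
EXEC_EXTS = {".exe", ".scr", ".bat", ".cmd", ".vbs", ".js", ".jar", ".ps1", ".msi", ".com"}
HARMLESS_LOOKING_EXTS = {".zip", ".rar", ".doc", ".docx", ".pdf", ".mp4", ".txt", ".png", ".jpg"}

def sniff_type(data: bytes) -> str:
    """Container type implied by the first bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"

def zip_has_vba(data: bytes) -> bool:
    """An Office (OOXML) document with a vbaProject.bin entry contains macros."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def triage(filename: str, data: bytes) -> list:
    """Reasons to distrust the file; an empty list means no red flag, not proof of safety."""
    p = PurePosixPath(filename.lower())
    ext, prev = p.suffix, (p.suffixes[-2] if len(p.suffixes) >= 2 else "")
    kind = sniff_type(data)
    flags = []
    if ext in EXEC_EXTS:
        flags.append(f"executable extension {ext}")
    if prev in HARMLESS_LOOKING_EXTS and ext in EXEC_EXTS:
        flags.append(f"double extension {prev}{ext} hides an executable behind a familiar type")
    if kind == "exe" and ext not in EXEC_EXTS:
        flags.append(f"bytes are a Windows executable but the name claims {ext or 'no extension'}")
    if kind == "zip" and zip_has_vba(data):
        flags.append("Office document contains a VBA macro project (the 'enable content' lure)")
    return flags

def build_samples() -> dict:
    """Constructed inputs, not real malware: fake PE headers and an empty macro-bearing docm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    fake_pe = b"MZ" + b"\x00" * 62
    return {"holiday_photos.zip": fake_pe, "up.mp4.exe": fake_pe, "invoice.docm": buf.getvalue()}
```

Windows hides known extensions by default, so "up.mp4.exe" shows as "up.mp4" in Explorer; this check reads the real name and the real bytes, which is why it catches what the icon does not.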
Why don't I just use antivirus?
I actually recommend everyone use antivirus. If you have no money, try Avast! at https://www.avast.com/en-us/index. If you have a few bucks to spend, by far the best antivirus out right now is ESET NOD-32, because it detects new RATs and malware the quickest. Here's the cheapest place I found for licenses: https://www.g2a.com/eset-nod32-smart-se ... lobal.html BUT antivirus is not nearly as good as a brain, and you should definitely use the utmost caution when dealing with suspicious things. Why? Here is a post I made some time back proving how easy it is to bypass antivirus with malware: Actually, I couldn't find it, so here are some scans I did with malware, reducing the detection simply with a program and by changing the icon of the malware:
What should I do if I am RATted?
If your antivirus does not detect it and you are too late, and you ran a deadly RAT, then you have a few options. I recommend contacting me. I promise I will be patient and help you through it step by step, and help report the person who did it if we can figure it out.
I'm currently inactive and can't be contacted? No worries!
There are plenty of forums that will help you remove it. I personally recommend the forum listed here:
https://www.bleepingcomputer.com/forums/f/79/security/
You don't want to register? That's fine, I recommend following these instructions:
Look through this website and run Hitman, Malwarebytes, and any of the other tools that look like they could help:
https://www.bleepingcomputer.com/downlo ... /security/
And here are some nice instructions to generally clean your PC, and a good start if you decide to go on a forum.
But I always recommend the forum or me before bothering with trying to solve it yourself. Let the malware eaters have breakfast.
What's the first thing we should do when we think we've run a RAT?
Disconnect your internet. A RAT can't do anything if it can't connect to a host. Then do research on a phone or a different PC and try to get it removed. But sometimes you can't do that, and you just have to cover up your webcam and try to get it removed while online.
Should I be afraid or scared? I did not know malware has so much potential.
If you have read even half of this post, you are absolutely fine. Go on with your life more wary and more secure, friend.