Bitdefender Detected “RadRAT” Espionage Tool

By: DT NEWS NETWORK
April 16, 2018

Bucharest-headquartered cybersecurity company Bitdefender has detected an advanced remote access tool, named RadRAT – which offers full control over compromised computers – that it believes has been operating undetected since at least 2015.

This RAT is used in targeted attacks aimed at exfiltrating information from, or monitoring victims in, enterprises and large businesses running Windows. A Bitdefender researcher who analyzed the tool says: “Our interest was stirred by its remote access capabilities, which include unfettered control of the compromised computer, lateral movement across the organization and rootkit-like detection-evasion mechanisms. Powered by a vast array of features, this RAT was used in targeted attacks aimed at exfiltrating information or monitoring victims in large networked organizations.”

“In addition to its very powerful data exfiltration mechanisms, RadRAT features extremely interesting lateral movement mechanisms that include Mimikatz-like credential harvesting from WDigest.dll and kerberos.dll; NTLM hash harvesting from the Windows registry, inspired by the source code of the Mimikatz lsadump tool; using the infected machine to retrieve a Windows password from the LanMan (LM) hash, by cracking previously sniffed NTLM authentication challenges; and an implementation of the Pass-the-Hash attack on SMB connections.”

RadRAT’s current command set supports 92 instructions, some of which are only available to one of the two main components, wrpcs.dll or ntmgr2.dll. These commands can be split into multiple categories.

For file or registry operations, for example, the attacker can use these commands to gain specific knowledge about the file layout and registry data of the victim machine or of network-connected machines. The attacker has the ability to read any file, list the shares of machines on the network, obtain a list of files inside a directory, or get their sizes. Some advanced commands operate on chunks of larger files: they can read them, compute and compare hashes of byte sections inside the file, and upload only those sections whose hash is unknown to the operator.
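The chunked, hash-compared upload mechanism described above is a familiar one: the agent hashes fixed-size sections of a file, asks the operator which hashes it has not seen, and transfers only those, so a second collection pass after the victim edits a document moves just the changed sections. The following Python is an added illustration of that mechanism written for this page; it is not RadRAT code and makes no claim about its wire format, hash algorithm, or chunk size. `CollectionServer`, `sync_file`, the 64-byte `CHUNK_SIZE`, and the sample document bytes are all constructed assumptions for the example.

```python
"""Chunk-level, hash-deduplicated file collection (added illustration,
not RadRAT's own code). Shows why a second pass over an edited file
uploads only the modified section."""
import hashlib
from typing import Dict, List, Tuple

CHUNK_SIZE = 64  # assumed small value so the example stays readable


def chunk_file(data: bytes, chunk_size: int = CHUNK_SIZE) -> List[Tuple[int, bytes]]:
    """Split a byte string into (offset, chunk) pairs; last chunk may be short."""
    return [(off, data[off:off + chunk_size]) for off in range(0, len(data), chunk_size)]


def chunk_hash(chunk: bytes) -> str:
    """SHA-256 is an assumption; the article does not name the hash used."""
    return hashlib.sha256(chunk).hexdigest()


class CollectionServer:
    """Hypothetical operator-side store keyed by chunk hash."""

    def __init__(self) -> None:
        self.store: Dict[str, bytes] = {}
        self.bytes_received = 0

    def unknown_hashes(self, hashes: List[str]) -> List[str]:
        """Answer the agent's query: which of these sections do I lack?"""
        return [h for h in hashes if h not in self.store]

    def upload(self, digest: str, chunk: bytes) -> None:
        """Accept a chunk, verifying it matches the claimed hash."""
        if chunk_hash(chunk) != digest:
            raise ValueError("chunk does not match claimed hash")
        self.store[digest] = chunk
        self.bytes_received += len(chunk)


def sync_file(server: CollectionServer, data: bytes,
              chunk_size: int = CHUNK_SIZE) -> Tuple[List[Tuple[int, str]], int, int]:
    """Agent side: hash every section, ask which are unknown, send only those.

    Returns (manifest, chunks_uploaded, bytes_uploaded). The manifest of
    (offset, hash) pairs is all the operator needs to reassemble the file.
    """
    chunks = chunk_file(data, chunk_size)
    manifest = [(off, chunk_hash(c)) for off, c in chunks]
    unknown = set(server.unknown_hashes([h for _, h in manifest]))
    sent = set()
    uploaded_bytes = 0
    for (_, chunk), (_, digest) in zip(chunks, manifest):
        # Skip sections the operator already holds, and duplicates within the file.
        if digest in unknown and digest not in sent:
            server.upload(digest, chunk)
            sent.add(digest)
            uploaded_bytes += len(chunk)
    return manifest, len(sent), uploaded_bytes


def reassemble(server: CollectionServer, manifest: List[Tuple[int, str]]) -> bytes:
    """Operator side: rebuild the file from its manifest and the chunk store."""
    return b"".join(server.store[digest] for _, digest in manifest)


def demo() -> Tuple[int, int, int, int]:
    """Two collection passes over a constructed 4-section document."""
    server = CollectionServer()
    # Constructed sample: four distinct 64-byte sections.
    original = b"".join(bytes([i]) * CHUNK_SIZE for i in range(4))
    _, first_chunks, first_bytes = sync_file(server, original)

    # The victim edits only the second section; only that section should move.
    modified = original[:CHUNK_SIZE] + b"X" * CHUNK_SIZE + original[2 * CHUNK_SIZE:]
    manifest, second_chunks, second_bytes = sync_file(server, modified)
    if reassemble(server, manifest) != modified:
        raise RuntimeError("reassembled file does not match the victim's copy")
    return first_chunks, first_bytes, second_chunks, second_bytes


if __name__ == "__main__":
    print(demo())  # first pass moves 4 sections, second pass moves only 1
```

The practitioner point is on the network side: after the first pass, repeat collections of a large, slowly changing file produce small transfers that bear no relation to the file's size, so egress heuristics keyed on "file-sized" uploads will not flag them. The hash query itself (a list of digests, then a handful of chunks) is the more stable pattern to look for.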
