RadRAT is a newly discovered Remote Administration Tool that went unnoticed until Bitdefender dug into it. There are plenty of RATs available for every operating system; some of the common ones that everyone uses are DarkComet, NJrat, Revenge RAT and so on. Each RAT has its own unique features, but most of them lack one key feature, persistence, which keeps the connection between the attacker and the victim consistent. RadRAT, by contrast, has all the advanced features needed for espionage built in.
RadRAT Features:
- RadRAT has features similar to those of Mimikatz (a post-exploitation tool used to extract passwords from a compromised computer).
- At installation time, the RAT binds to all running processes, giving the attacker persistence even if one process is killed.
- The credential harvester option of this tool is enabled by default, so as soon as the victim connects, the attacker can dump all the passwords. The RAT injects into the running lsass.exe process to harvest credentials from the infected computer.
- The RAT follows a schedule, contacting the C&C server only on valid weekdays.
- When resolving the C&C (command and control) server's IP address, RadRAT uses a hardcoded list of DNS nameservers rather than the host's configured resolver, leaving fewer traces of the attacker in local DNS logs.
- It can intercept network traffic routed over the entire local network by using ARP poisoning.
- Using the RAT's defrag.exe module, it can exfiltrate data such as browser history and the usernames and passwords of all other users stored on the infected computer.
- NTLM hashes can be harvested and used for pass-the-hash attacks, because NTLM hashes are not salted.
- It can communicate with other machines on the same local network and perform port scans.
- It allows easy migration from one process to another using commands.
- It has pre-built commands to kill a process by its PID.
- It has a built-in component that infects other machines on the same network.
- It updates automatically by connecting to the C&C server on scheduled days.
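Two of the behaviours listed above, a foreign process reading lsass.exe memory and DNS traffic sent to resolvers the host was never configured with, are what a defender can most readily alert on. The following detection sketch is an added example, not code from Bitdefender's report or from RadRAT itself; the Sysmon-style event records, the resolver list and the allowlist of legitimate lsass.exe clients are all constructed for illustration.

```python
"""Flag two RadRAT-style behaviours in simplified Sysmon-like event records:
 - Event ID 10 (ProcessAccess): a process outside a small allowlist opens
   lsass.exe with PROCESS_VM_READ, the access needed to dump credentials
 - Event ID 3 (NetworkConnect): UDP/53 traffic to a resolver that is not one
   of the host's configured nameservers (hardcoded-resolver behaviour)
All input below is constructed sample data, not real RadRAT telemetry."""

PROCESS_VM_READ = 0x0010  # Windows access-right bit required to read another process's memory

# Constructed allowlist; in practice derive it from a baseline of the host's normal lsass.exe clients.
TRUSTED_LSASS_CLIENTS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\csrss.exe",
}

# Constructed resolver set; would normally be read from the host's DNS configuration.
CONFIGURED_RESOLVERS = {"10.0.0.2", "10.0.0.3"}

# Constructed events in a reduced Sysmon-like shape (GrantedAccess as an int for simplicity).
SAMPLE_EVENTS = [
    {"event_id": 10, "source_image": r"C:\Windows\System32\svchost.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1400},
    {"event_id": 10, "source_image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1010},
    {"event_id": 3, "image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "protocol": "udp", "dest_ip": "203.0.113.7", "dest_port": 53},
    {"event_id": 3, "image": r"C:\Windows\System32\svchost.exe",
     "protocol": "udp", "dest_ip": "10.0.0.2", "dest_port": 53},
]


def flag_events(events, resolvers=CONFIGURED_RESOLVERS, trusted=TRUSTED_LSASS_CLIENTS):
    """Return a list of (rule, image, detail) findings for suspicious events."""
    findings = []
    for ev in events:
        if ev["event_id"] == 10 and ev["target_image"].lower().endswith(r"\lsass.exe"):
            src = ev["source_image"]
            # Only memory-read access from an unexpected process is interesting;
            # query-only handles (0x1400 here) are normal and stay quiet.
            if ev["granted_access"] & PROCESS_VM_READ and src.lower() not in trusted:
                findings.append(("lsass_memory_read", src, hex(ev["granted_access"])))
        elif ev["event_id"] == 3 and ev["protocol"] == "udp" and ev["dest_port"] == 53:
            if ev["dest_ip"] not in resolvers:
                findings.append(("unsanctioned_dns_resolver", ev["image"], ev["dest_ip"]))
    return findings


if __name__ == "__main__":
    for finding in flag_events(SAMPLE_EVENTS):
        print(*finding)
```

Real Sysmon records carry GrantedAccess as a hex string and full image paths, so a production version would normalise those fields before applying the same two checks.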
Features regarding Sysinfo:
- Discovers all existing hosts on the network.
- Displays all open TCP connections along with source IP address, destination IP address and their ports.
- Prints the Remote Desktop sessions associated with the machine, showing the username, IP address, domain and current state (active or not).
- Displays details about the network adapter. This helps the attacker carry out further attacks over the network manually if the RAT's automated lateral-movement feature fails.
- Prints information about the proxy servers used in the infected network.
- Lists the running processes on the victim's machine along with their process IDs (PIDs).
- Gives a complete analysis of the security measures deployed.
Source : BitDefender
With all these features combined, RadRAT remained anonymous and operated surreptitiously underground until it was revealed by security researchers at Bitdefender. RadRAT is thus a well-equipped tool for cyber espionage. To download the white paper published on RadRAT, follow the link below: