Twice this year (April and June 2015), the United States Office of Personnel Management (OPM) fell victim to a series of targeted attacks that resulted in the theft of personal information on roughly 21 million current and former Federal government employees. In the months following the breaches, the FBI’s Cyber Task Force identified several Remote Access Tools (RATs) that were instrumental in the attacks. One of the more effective variants, FF-RAT, relies on stealth tactics to evade endpoint detection, including the ability to fetch DLLs from a remote server and load them directly in memory, so no new file is written to disk for file-based endpoint tools to scan.
Attackers use these RATs to infiltrate organizations, allowing for malware deployment, command and control (C&C) server communication, and data exfiltration. The key to mitigating attacks involving this type of malware is early detection, which gives you time to isolate infected assets and remediate before the infection spreads or moves to a second stage (stealing your data, deploying additional malware, acting as its own C&C server, etc.).
What this means to you
- The sole purpose of a RAT is to create a backdoor into an infected system, giving the attacker complete remote control over it
- A common tactic is to use a single deployed RAT as a pivot point: the attacker deploys additional malware to other hosts on the local network, or uses the infected system to host malware for remote retrieval
- With a RAT present on a system, an attacker can view, change, or delete any data on that machine. This leaves you open to having your own data or, even worse, your clients’ sensitive data stolen.
How AlienVault Helps
AlienVault Labs continues to perform cutting-edge research on threats like these, collecting large amounts of data and turning it into expert threat intelligence. The Labs team has already released IDS signatures and a correlation rule to the AlienVault Unified Security Management (USM) platform so customers can detect activity from FF-RAT. Learn more about this threat intelligence update and others in our forum.
- System Compromise, Malware RAT, FF-RAT