Schrödinger's RAT: Profiling the stakeholders in the remote access Trojan ecosystem

Mohammad Rezaeirad, Brown Farinholt, Hitesh Dharmdasani, Paul Pearce, Kirill Levchenko, Damon McCoy

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

    Abstract

    Remote Access Trojans (RATs) are a class of malware that give an attacker direct, interactive access to a victim's personal computer, allowing the attacker to steal private data from the computer, spy on the victim in realtime using the camera and microphone, and interact directly with the victim via a dialog box. RATs are used for surveillance, information theft, and extortion of victims. In this work, we report on the attackers and victims for two popular RATs, njRAT and DarkComet. Using the malware repository VirusTotal, we find all instances of these RATs and identify the domain names of their controllers. We then register those domains that have expired and direct them to our measurement infrastructure, allowing us to determine the victims of these campaigns. We investigate several techniques for excluding network scanners and sandbox executions of malware samples in order to filter apparent infections that are not real victims of the campaign. Our results show that over 99% of the 828,137 IP addresses that connected to our sinkhole are likely not real victims. We report on the number of victims, how long RAT campaigns remain active, and the geographic relationship between victims and attackers.

    Original languageEnglish (US)
    Title of host publicationProceedings of the 27th USENIX Security Symposium
    PublisherUSENIX Association
    Pages1043-1060
    Number of pages18
    ISBN (Electronic)9781939133045
    StatePublished - Jan 1 2018
    Event27th USENIX Security Symposium - Baltimore, United States
    Duration: Aug 15 2018Aug 17 2018

    Publication series

    NameProceedings of the 27th USENIX Security Symposium

    Conference

    Conference27th USENIX Security Symposium
    CountryUnited States
    CityBaltimore
    Period8/15/188/17/18

    ASJC Scopus subject areas

    • Computer Networks and Communications
    • Information Systems
    • Safety, Risk, Reliability and Quality

    Fingerprint Dive into the research topics of 'Schrödinger's RAT: Profiling the stakeholders in the remote access Trojan ecosystem'. Together they form a unique fingerprint.

  • Cite this

    Rezaeirad, M., Farinholt, B., Dharmdasani, H., Pearce, P., Levchenko, K., & McCoy, D. (2018). Schrödinger's RAT: Profiling the stakeholders in the remote access Trojan ecosystem. In Proceedings of the 27th USENIX Security Symposium (pp. 1043-1060). (Proceedings of the 27th USENIX Security Symposium). USENIX Association.