To Catch a Ratter: Monitoring the Behavior of Amateur DarkComet RAT Operators in the Wild

Brown Farinholt, Mohammad Rezaeirad, Paul Pearce, Hitesh Dharmdasani, Haikuo Yin, Stevens Le Blond, Damon McCoy, Kirill Levchenko

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

    Abstract

    Remote Access Trojans (RATs) give remote attackers interactive control over a compromised machine. Unlike large-scale malware such as botnets, a RAT is controlled individually by a human operator interacting with the compromised machine remotely. The versatility of RATs makes them attractive to actors of all levels of sophistication: they've been used for espionage, information theft, voyeurism and extortion. Despite their increasing use, there are still major gaps in our understanding of RATs and their operators, including motives, intentions, procedures, and weak points where defenses might be most effective. In this work we study the use of DarkComet, a popular commercial RAT. We collected 19,109 samples of DarkComet malware found in the wild, and in the course of two, several-week-long experiments, ran as many samples as possible in our honeypot environment. By monitoring a sample's behavior in our system, we are able to reconstruct the sequence of operator actions, giving us a unique view into operator behavior. We report on the results of 2,747 interactive sessions captured in the course of the experiment. During these sessions operators frequently attempted to interact with victims via remote desktop, to capture video, audio, and keystrokes, and to exfiltrate files and credentials. To our knowledge, we are the first large-scale systematic study of RAT use.

    Original languageEnglish (US)
    Title of host publication2017 IEEE Symposium on Security and Privacy, SP 2017 - Proceedings
    PublisherInstitute of Electrical and Electronics Engineers Inc.
    Pages770-787
    Number of pages18
    ISBN (Electronic)9781509055326
    DOIs
    StatePublished - Jun 23 2017
    Event2017 IEEE Symposium on Security and Privacy, SP 2017 - San Jose, United States
    Duration: May 22 2017May 24 2017

    Publication series

    NameProceedings - IEEE Symposium on Security and Privacy
    ISSN (Print)1081-6011

    Other

    Other2017 IEEE Symposium on Security and Privacy, SP 2017
    CountryUnited States
    CitySan Jose
    Period5/22/175/24/17

    Keywords

    • Darkcomet
    • Honeypot
    • RAT malware
    • Remote access trojan

    ASJC Scopus subject areas

    • Safety, Risk, Reliability and Quality
    • Software
    • Computer Networks and Communications

    Fingerprint Dive into the research topics of 'To Catch a Ratter: Monitoring the Behavior of Amateur DarkComet RAT Operators in the Wild'. Together they form a unique fingerprint.

  • Cite this

    Farinholt, B., Rezaeirad, M., Pearce, P., Dharmdasani, H., Yin, H., Blond, S. L., McCoy, D., & Levchenko, K. (2017). To Catch a Ratter: Monitoring the Behavior of Amateur DarkComet RAT Operators in the Wild. In 2017 IEEE Symposium on Security and Privacy, SP 2017 - Proceedings (pp. 770-787). [7958609] (Proceedings - IEEE Symposium on Security and Privacy). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/SP.2017.48