Remote Access Trojans (RAT) Used Against Finance Departments

Small businesses in India, the UK and the US have been hit with two remote access Trojans (RATs) since early 2015. The targets are employees responsible for accounts and fund transfers. The attackers use few resources and rely on social engineering rather than exploits: both RATs, Backdoor.Breut and Trojan.Nancrat, are publicly available, multipurpose tools. Even with these limited resources, the attackers have managed to take control of victim computers and steal money.

For most of 2015 the targets were mainly located in India, with some in the US and UK. In the past few months, activity in India and the US has dropped while the number of infections in the UK has increased.

Backdoor.Breut was mainly used against Indian organizations in early 2015, while Trojan.Nancrat was mostly used after August against UK targets. The attackers compromise whatever business they can and then move on to the next.

The RATs are spread from spoofed or stolen email accounts. Symantec’s Phishing Readiness solution campaigns show that employees fall for email-based attacks 18% of the time, which is one reason this delivery method works so well. Most of the messages are sent in the afternoon Greenwich Mean Time (GMT), which is the morning in Eastern Standard Time (EST), suggesting that the attackers are based in Europe or the US. The subject lines suggest a financial transaction, for example: Re:Invoice, PO, Remittance Advice, Payment Advise, QUOTATION and Transfer Copy.

The RATs arrive as archive files attached to these emails. When a victim opens the archive and runs the file inside, the attackers gain complete control of the computer: they can access the webcam and microphone, log keystrokes, steal files and passwords, and more. The attacker then uses the victim’s privileged access to transfer money to an account under their control.
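The three observable traits described above (a financial subject lure, an archive attachment, and a send time in the afternoon GMT) can be turned into a mail-gateway triage rule. The following is an added example and is not code from the original post or from Symantec; the archive extension list, the UTC send window and the two sample messages are assumptions constructed for the demonstration, and it uses only the Python standard library.

```python
"""Mail-gateway triage for the lure pattern described above.

Added example, not code from the original post or from Symantec. It scores a
message on the three traits the post lists (financial subject lure, archive
attachment, send time in the afternoon UTC) and runs over two constructed
sample messages.
"""
import email
import email.utils
import re
from datetime import timezone
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Subject lures named in the post. Short tokens are matched as whole words so
# that "PO" does not fire on "deposit" or "report".
LURE_PHRASES = ("remittance advice", "payment advise", "transfer copy")
LURE_WORDS = {"invoice", "po", "quotation"}
# Assumption: container types to treat as an "archive attachment".
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z", ".ace", ".gz", ".cab")
# Assumption: the post's "afternoon GMT / morning EST" window, in UTC hours.
SEND_WINDOW_UTC = range(12, 18)


def normalise_subject(subject):
    """Lower-case the subject and strip any number of Re:/Fw:/Fwd: prefixes."""
    s = (subject or "").lower().strip()
    changed = True
    while changed:
        changed = False
        for prefix in ("re:", "fw:", "fwd:"):
            if s.startswith(prefix):
                s = s[len(prefix):].strip()
                changed = True
    return s


def subject_is_lure(subject):
    s = normalise_subject(subject)
    if any(phrase in s for phrase in LURE_PHRASES):
        return True
    return bool(set(re.findall(r"[a-z0-9]+", s)) & LURE_WORDS)


def archive_attachments(msg):
    """Filenames of every MIME part that looks like an archive."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(ARCHIVE_EXTENSIONS):
            names.append(name)
    return names


def send_hour_utc(msg):
    """Hour of the Date header converted to UTC, or None if unparseable."""
    try:
        sent = email.utils.parsedate_to_datetime(msg.get("Date", ""))
    except (TypeError, ValueError):
        return None
    if sent.tzinfo is None:  # a "-0000" date parses as naive; treat it as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    return sent.astimezone(timezone.utc).hour


def triage(raw_message):
    """Return a verdict plus the evidence behind it for one RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    lure = subject_is_lure(msg.get("Subject"))
    archives = archive_attachments(msg)
    hour = send_hour_utc(msg)
    in_window = hour is not None and hour in SEND_WINDOW_UTC
    # Lure subject plus an archive is enough to hold the mail; either alone is
    # worth a look; the send window is supporting context, not a trigger.
    if lure and archives:
        verdict = "quarantine"
    elif lure or archives:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "lure": lure, "archives": archives,
            "hour_utc": hour, "in_window": in_window}


def build_sample(subject, date, attachment=None):
    """Construct a sample message (hypothetical addresses, not a captured email)."""
    msg = MIMEMultipart()
    msg["From"] = "accounts@supplier.example"
    msg["To"] = "payments@victim.example"
    msg["Subject"] = subject
    msg["Date"] = date
    msg.attach(MIMEText("Please find the attached document.", "plain"))
    if attachment:
        part = MIMEApplication(b"PK\x03\x04 constructed placeholder", "zip")
        part.add_header("Content-Disposition", "attachment", filename=attachment)
        msg.attach(part)
    return msg.as_string()


# Constructed samples: one matching the campaign pattern, one benign.
LURE_MAIL = build_sample("Re: Invoice", "Tue, 13 Oct 2015 09:40:00 -0500", "Invoice_2015.zip")
BENIGN_MAIL = build_sample("Team lunch on Friday", "Tue, 13 Oct 2015 08:15:00 +0000")

if __name__ == "__main__":
    for raw in (LURE_MAIL, BENIGN_MAIL):
        print(triage(raw))
```

The send-time check is deliberately kept out of the verdict: a lure subject with an archive attachment is held regardless of when it was sent, and the UTC hour is recorded only so an analyst can see whether the message fits the campaign's observed pattern.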

The attackers assess each compromised computer to find the best way to steal money; they have even been known to download manuals to learn how to use particular financial software. Once they are finished with a computer, they go back to emailing other targets. This pattern suggests that only a few attackers are involved.

Command and Control
The following command and control (C&C) servers for Backdoor.Breut were used in the first half of 2015:

  • cleintten101.no-ip.biz
  • cleintten.duckdns.org
  • clientten1.ddns.net

From August, the attackers configured a variant of Backdoor.Breut to use the following domains as C&C servers:

  • akaros79.no-ip.biz
  • mathew79.no-ip.biz
  • clientten1.ddns.net

After this, they used akaros79.no-ip.biz and mathew79.no-ip.biz for Backdoor.Breut variants and kept the original clientten1.ddns.net for Trojan.Nancrat. From that point on, UK targets were attacked with Trojan.Nancrat while other regions were compromised with Backdoor.Breut.
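The C&C names above are the most actionable indicators on the page. The following is an added example, not code from the original post or from Symantec, that scans resolver query logs for them; it goes slightly beyond the text by also flagging any query under the three dynamic-DNS zones the campaign used (no-ip.biz, duckdns.org, ddns.net) as a lower-confidence signal. The log format and the log lines are constructed for the demonstration; adapt the parser to your resolver's output.

```python
"""Scanning resolver logs for the C&C names listed above.

Added example, not code from the original post or from Symantec. The log
format (timestamp, client IP, query type, query name) and the lines in
SAMPLE_LOG are constructed, not real traffic.
"""
from collections import defaultdict

# C&C hostnames exactly as listed in the post.
CC_HOSTS = {
    "cleintten101.no-ip.biz",
    "cleintten.duckdns.org",
    "clientten1.ddns.net",
    "akaros79.no-ip.biz",
    "mathew79.no-ip.biz",
}
# Assumption: the dynamic-DNS parent zones the campaign relied on. A query here
# is a weaker signal than an exact C&C hit, since legitimate users register
# names under these zones too.
DYNDNS_ZONES = ("no-ip.biz", "duckdns.org", "ddns.net")

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
2015-09-02T14:03:11Z 10.1.4.22 A mail.victim.example
2015-09-02T14:03:40Z 10.1.4.22 A clientten1.ddns.net
2015-09-02T14:05:02Z 10.1.4.22 A AKAROS79.no-ip.biz.
2015-09-02T15:10:00Z 10.1.7.9 A webcam-home.ddns.net
2015-09-02T15:11:30Z 10.1.7.9 A www.victim.example
malformed line that the parser should skip
"""


def normalise(qname):
    """Strip the trailing root dot and lower-case, so matching is exact."""
    return qname.rstrip(".").lower()


def classify(qname):
    """'cnc' for a listed C&C name, 'dyndns' for the parent zones, else None."""
    q = normalise(qname)
    if q in CC_HOSTS:
        return "cnc"
    if any(q == zone or q.endswith("." + zone) for zone in DYNDNS_ZONES):
        return "dyndns"
    return None


def scan(log_text):
    """Map each client IP to the (timestamp, qname, label) rows it triggered."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed lines rather than crash
        ts, client, _qtype, qname = fields
        label = classify(qname)
        if label:
            hits[client].append((ts, normalise(qname), label))
    return dict(hits)


def summarise(hits):
    """Split flagged clients into confirmed (resolved a C&C name) and review."""
    confirmed = sorted(c for c, rows in hits.items() if any(r[2] == "cnc" for r in rows))
    review = sorted(c for c in hits if c not in confirmed)
    return confirmed, review


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    confirmed, review = summarise(hits)
    print("confirmed C&C contact:", confirmed)
    print("dynamic DNS only, review:", review)
    for client, rows in hits.items():
        for ts, qname, label in rows:
            print(f"{client} {ts} {qname} [{label}]")
```

Because the attackers moved between dynamic-DNS names over the year, matching only the exact hostnames will miss the next rename; the dyndns bucket exists so those hosts get a look without being treated as confirmed infections.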

It is important to remember that attackers with limited capabilities can still cause serious damage.

To avoid compromise, users should follow some simple precautions: do not open attachments or links in suspicious emails, do not send personal information by email or enter it into pop-up web pages, and keep security software up to date. Above all, contact the IT department if you believe an email is not legitimate.


Source: Akati