Over the past five years, there have been a wide variety of Remote Access Tools, or “RATs” – the term for sneaky programs that can hide themselves, drop files on hosts, create services, detect sandboxes or antivirus software, and self-delete to further confuse protection mechanisms.
Ultimately, these are being used more and more for data theft and exfiltration, not for disruption or destruction.
In this video, we demonstrate CylancePROTECT® vs. FF-Rat malware:
VIDEO: CylancePROTECT vs. FF-Rat Malware
Background and Timeline
FF-RAT has been around for over five years and, as is the case with more advanced targeted attack tools, its ability to hide and pivot makes it an excellent tool for secret data theft rather than ransomware. Of course, excellent tools for data theft are bad news for those playing defense, so we wanted to do a quick dive into this one.
This technical writeup from our Threat Guidance team does a deeper dive and is absolutely worth a read.
How Is FF-RAT Delivered? What Does It Do?
FF-RAT is delivered by methods similar to other types of attack, most often spear phishing emails. Because the attack is targeted, bad actors (many state-funded) want to be precise, making use of network details (obtained through similar or alternative attacks), user information (stolen credentials), and the location of valuable information.
Generally speaking, FF-RAT doesn’t display any visible warning of harm to the user. There is no popup, warning, or ransom notice of the kind we often see with ransomware and other forms of malware.
Rather, the RCoResX64.dat file (DLL) is a backdoor that allows the attacker(s) to run whatever code they want on the infected machine, without any warning to the user/victim.
It’s a backdoor dropper, with the following features:
1) Imports functions used to raise exceptions within a program, making dynamic code analysis difficult to follow
2) Nontrivial (critical) entry point, allowing it to be placed inside a process
3) Gathers information about the current operating system
4) Modifies the memory of a running process, to inject itself into running processes
5) Appears to run invisibly, but is not a background service
6) Looks for common protection systems (like antivirus or anti-malware programs)
What’s also interesting is that it behaves like a debugger, which can stop processes and change the way they operate, but in this case for malicious rather than testing purposes. The dropper deletes itself, drops a copy of the RAT (DLL) into the System32 directory and creates a service. Additional activity in the background ties this all together.
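The persistence described above (RAT DLL written to System32, loaded by a newly created service) is something a defender can triage from a service inventory. The following is an added example, not code from the post or from Cylance: it runs detection rules over a constructed snapshot of service records in an assumed 'ServiceName|ImagePath|ServiceDll' shape; the RCoResX64.dat name comes from the writeup, while the "non-.dll ServiceDll in System32" heuristic is this editor's assumption.

```python
import ntpath

# Indicator taken from the writeup: the backdoor DLL dropped into System32.
RAT_DLL_NAME = "rcoresx64.dat"
SYSTEM32 = r"c:\windows\system32"

# CONSTRUCTED snapshot in the shape 'ServiceName|ImagePath|ServiceDll': two benign
# svchost-hosted services and one service whose ServiceDll is the RAT module.
SAMPLE_SERVICES = """\
Dnscache|C:\\Windows\\system32\\svchost.exe -k NetworkService|C:\\Windows\\System32\\dnsrslvr.dll
Spooler|C:\\Windows\\System32\\spoolsv.exe|
RCoRes|C:\\Windows\\system32\\svchost.exe -k netsvcs|C:\\Windows\\System32\\RCoResX64.dat
"""

def parse_services(text):
    """Split the pipe-delimited snapshot into (name, image_path, service_dll) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            name, image_path, service_dll = (f.strip() for f in line.split("|", 2))
            rows.append((name, image_path, service_dll))
    return rows

def triage_service(name, image_path, service_dll):
    """Return the reasons (possibly none) a service record matches FF-RAT persistence."""
    reasons = []
    for path in (image_path, service_dll):
        # Drop svchost's "-k group" argument before taking the file name.
        module = ntpath.basename(path.split(" -k ")[0]).lower()
        if module == RAT_DLL_NAME:
            reasons.append(f"{name}: references known FF-RAT module {module}")
    # Heuristic (editor's assumption, not from the writeup): a ServiceDll living in
    # System32 without a .dll extension mirrors how the RAT hides a DLL as a .dat file.
    dll = service_dll.lower()
    if dll.startswith(SYSTEM32) and not dll.endswith(".dll"):
        reasons.append(f"{name}: ServiceDll in System32 with non-.dll extension")
    return reasons

def find_suspicious(text):
    """Triage every record; return {service_name: reasons} for the flagged ones."""
    flagged = {}
    for name, image_path, service_dll in parse_services(text):
        if reasons := triage_service(name, image_path, service_dll):
            flagged[name] = reasons
    return flagged

if __name__ == "__main__":
    for svc, why in find_suspicious(SAMPLE_SERVICES).items():
        print(svc, "->", "; ".join(why))
```

On a live host the same records would be read from the Services registry hive (ImagePath and Parameters\ServiceDll) rather than the embedded sample.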
As noted in the full Threat Guidance article, there are three C2 (command and control) sites it talks to, all located in Hong Kong.
There won’t be any communication unless an attacker decides to alter the malware in order to push more code down to the machine.
How Does Cylance Protect Me?
Our demonstration initially shows how the droppers (EXE) and backdoors (DLL) operate, with CylancePROTECT® monitoring what would happen, along with desktop and dashboard alerts.
We then demonstrate how CylancePROTECT instantly cleans up an infected machine, removing all nasty files and terminating services.
Finally, the last use case illustrates what current Cylance customers get from having CylancePROTECT enabled in the first place.
Figure 1: Cylance Dashboard, Showing Storyline of the RAT Attack
(CylancePROTECT set in AUDIT-ONLY mode)
Figure 2: The Threat Unmasked in CylancePROTECT
If you use our endpoint protection product CylancePROTECT, you were already protected from this attack. If you don't have CylancePROTECT, contact us to learn how our AI-driven solution can predict and prevent unknown and emerging threats.