RAT Threat Intelligence – A Very Simple Manual Technique

April 15, 2016

While I’ve been looking further and further into remote administration tools, I decided to step back for a moment and look at it from a general point of view. I’ve been focusing on three RATs at the moment: Imminent Monitor, Nanocore and Luminosity Link. These are advertised on a US forum and discussed on English-speaking forums; although they are distributed around the world, their main audience is Western developed countries.

I ran some queries on YouTube, filtered to the past month so I know what’s recent. Some of the videos relating to the RATs were not relevant to the software in question, but I can’t filter out all of it. The results should be read from a general point of view; most of the discrepancies were in the small portions of the research, which we won’t be focusing on. The idea behind looking into what’s being discussed on YouTube is that it gives some insight into trends. For example, PoisonIvy, a very dated RAT, isn’t discussed too much on YouTube anymore, with just 88 videos in the past month. While njRAT is the clear leader of what is being discussed on YouTube, the content uploaded is usually from eastern countries like Syria, Egypt and Turkey (not exclusively).


The amount of video content in March 2016 (videos per RAT):

njRAT – 1,560
DarkComet – 771
Blackshades – 22
NetWire – 3
Luminosity Link – 11
NanoCore – 48
Babylon RAT – 393
CyberGate – 133
Xtreme RAT – 379
Poison Ivy – 81
Bozok – 8


A large portion of these videos are in Arabic, and give some insight into other countries around the world and what is relevant to them. It is notable that many of the videos uploaded from eastern countries point to Facebook profiles or Skype contacts that provide further information about the individual; some of these obviously won’t be sophisticated attackers. As well as corporate security I am also interested in individuals’ security, so this is still relevant: many videos uploaded about RATs leak information about the uploader or the clients they hold. For example, an Arabic video explaining njRAT surfaced on YouTube on the 21st March. The uploader first explains a VPN and goes through various steps to finally create a dynamic host, lala123.no-ip.biz, which correlates to the VPN’s IP (hostname: 33-153-255-141.dynip.ipjetable.net).

Further on into the video we find that he uses the NO-IP client and spills some of the previous names he’s used with NO-IP, one of them being MAF12.no-ip.biz. This correlates to a different IP, owned by an Algerian telecom. While we can’t make too many assumptions, the probability of that being his IP is quite high. We can learn other things about malicious software from YouTube as well, although RATs are more commonly shown than other forms. There are of course many other streams of information available on the internet, some more accurate and concise.
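As an added illustration of the manual technique above (my own example, not code from the original post), here is a small Python script that tallies video records per RAT family inside a recency window, as the one-month YouTube filter does, and pulls dynamic-DNS hostnames such as the no-ip names mentioned above out of video descriptions. The records, the keyword-to-family mapping and the DDNS suffix list are constructed assumptions built from the names in this post.

```python
import re
from collections import Counter
from datetime import date, timedelta

# Keyword -> family name; aliases collapse to one family (names taken from the post)
RAT_KEYWORDS = {
    "njrat": "njRAT", "darkcomet": "DarkComet", "blackshades": "Blackshades",
    "netwire": "NetWire", "luminosity": "Luminosity Link", "nanocore": "NanoCore",
    "babylon rat": "Babylon RAT", "cybergate": "CyberGate", "xtreme rat": "Xtreme RAT",
    "poison ivy": "Poison Ivy", "poisonivy": "Poison Ivy", "bozok": "Bozok",
}

# Dynamic-DNS suffixes seen in the post (assumed list; extend as needed)
DDNS_SUFFIXES = ("no-ip.biz", "dynip.ipjetable.net")
HOST_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.(?:%s)\b" % "|".join(map(re.escape, DDNS_SUFFIXES)), re.I)

# Constructed records standing in for YouTube search results (not real videos)
SAMPLE_VIDEOS = [
    {"title": "njRAT setup with no-ip", "date": "2016-03-21",
     "description": "host: lala123.no-ip.biz, old host: MAF12.no-ip.biz"},
    {"title": "DarkComet tutorial", "date": "2016-03-02", "description": ""},
    {"title": "Poison Ivy vs PoisonIvy", "date": "2016-01-10", "description": ""},
    {"title": "NanoCore cracked", "date": "2016-03-30", "description": "contact: skype"},
]


def tally_recent(videos, end="2016-03-31", days=30):
    """Count videos per RAT family uploaded within `days` before `end` (ISO dates)."""
    end_d = date.fromisoformat(end)
    start_d = end_d - timedelta(days=days)
    counts = Counter()
    for v in videos:
        if not (start_d <= date.fromisoformat(v["date"]) <= end_d):
            continue  # outside the recency window, like the post's one-month filter
        text = (v["title"] + " " + v["description"]).lower()
        # a video mentioning two aliases of one family still counts once
        counts.update({fam for kw, fam in RAT_KEYWORDS.items() if kw in text})
    return counts


def ddns_hosts(videos):
    """Map each dynamic-DNS hostname found in a description to the first video title using it."""
    found = {}
    for v in videos:
        for host in HOST_RE.findall(v["description"]):
            found.setdefault(host.lower(), v["title"])
    return found
```

With the sample records, the tally for March 2016 is njRAT, DarkComet and NanoCore at one video each (the January Poison Ivy video falls outside the window), and both no-ip hostnames are attributed to the njRAT video.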

I can take a few things from this information. Attackers are still using very outdated, broken, ill-featured software, which is distributed widely for further usage, especially in eastern countries. Remote administration tools trickle down if they are free but are rarely used if they are ‘premium’ RATs, even if they are cracked. Even though remote exploits have been found for Darkcomet, users still persist in keeping Darkcomet alive, most likely because it’s well known for being free.

There are of course exceptions and maybe even contradictions to the statements I’ve made, but researching on YouTube is an essential threat intelligence tool in my eyes, as attackers become older and remember the tools they’ve used before. YouTube is a platform where users can learn about such tools without breaking through the barriers of forums or extensive searches.


That’s all from me, thanks for looking.