Analysis of Remote Access Trojans helps understand third-party business risk
Remote Access Trojans (RATs) are often used to steal information from enterprise networks. By looking at network metadata, analysts at threat intelligence firm Recorded Future have been able to identify RAT command-and-control (C2) servers, and more crucially, which corporate networks are communicating to those controllers.
This offers insight about third-party organizations that Recorded Future clients can use to get a better understanding of potential third-party risk to their own data.
The research identified active malware controllers for 14 malware families between December 2, 2018 and January 9, 2019. It then focused analysis on a subset of malware -- Emotet, Xtreme RAT, and ZeroAccess -- to profile RAT communications from third-party organizations to the controllers.
The findings show a significant proportion of infected Emotet hosts are based in Latin America, corroborating community observations of a surge in late-2018 Emotet activity targeting South American entities. Infected hosts include organizations in the automotive, finance, energy, construction, retail and entertainment, logistics, and technology sectors.
Infected Xtreme RAT hosts were identified within a video game company and a utilities company in Europe; telecommunications companies in the Middle East, South Asia, and East Asia; and an industrial conglomerate and an IT company in East Asia.
The research highlights the benefit of being able to identify and track malicious RAT controller network infrastructure to inform the security posture of enterprises.
You can find out more on the Recorded Future blog and there's an infographic summary of the findings below.