FF-RAT Uses Stealth Tactics to Evade Endpoint Detection

August 17, 2015 | Garrett Gross

Twice this year (April and June 2015), the United States Office of Personnel Management (OPM) fell victim to a series of targeted attacks that resulted in 21 million current and former Federal government employees’ information being stolen. In the months following the breaches, the FBI’s Cyber Task Force identified several Remote Access Tools (RATs) that were instrumental in the attacks. One of the more effective variants, FF-RAT, leverages stealth tactics to evade endpoint detection, including the ability to download DLLs remotely and execute them in memory only.

Hackers use these RATs to infiltrate organizations, allowing for malware deployment, command and control (C&C) server communication, and data exfiltration. The key to mitigating attacks involving this type of malware is early detection, which gives you time to isolate infected assets and remediate issues before they spread or move to a second stage (stealing your data, deploying additional malware, acting as its own C&C server, etc.).

What this means to you

  • The sole purpose of a RAT is to create a backdoor to infected systems, giving an attacker complete control over that system
  • A common tactic is to use a single deployed RAT as a pivot point to deploy additional malware in the local network or use the infected system to host malware for remote retrieval
  • With a RAT present on your system, an attacker has the ability to view, change, or delete data on that machine. This leaves you open to having your data or, even worse, your clients’ sensitive data stolen.

How AlienVault Helps

AlienVault Labs continues to perform cutting-edge research on threats like these, collecting large amounts of data and then creating expert threat intelligence as a result. The Labs team has already released IDS signatures and a correlation rule to the AlienVault Unified Security Management (USM) platform so customers can detect activity from FF-RAT. Learn more about this threat intelligence update and others in our forum.

  • System Compromise, Malware RAT, FF-RAT

About the Author: Garrett Gross
Garrett Gross has always had an insatiable appetite for technology and information security, as well as an underlying curiosity about how it all works. Garrett has over 15 years of professional experience in information technology, filling several roles: systems administration, network engineering, product marketing, technical support, and helpdesk. In his current role in field enablement, he uses his experience to help managed security service providers be successful in evangelizing and operationalizing AlienVault USM.