DeepSec: RAT Builders - How to catch them all

Abstract

Cybercriminals now have unprecedented ease in creating their own remote access trojans (RATs), thanks to a plethora of open-source or leaked builders. One can generate a new binary with just a click of a button. We meticulously examine different builders, such as AgentTesla, DCRat, Nanocore, and others, to extract Indicators of Compromise. These indicators serve as valuable instruments for targeted hunting to detect infections within our networks. Building on my research from last year, “N-IOC’s to rule them all”, we will analyze the binaries the same way, but this time with a focus on open-source builders for RATs.

Initially, we scrutinize the distribution channels of the different Trojans, pinpointing where the individual builders are available for download. These sources range from GitHub, where they are hosted as open-source projects, to other online platforms (such as VX-Underground). Subsequently, we delve into a detailed examination of each Trojan, investigating the diverse infection sources, the persistence locations, the methods employed for establishing connections with the C2 server, and the array of functionalities embedded within the RATs (with the help of the open-sourced or leaked builder). This focused analysis of individual Trojans equips us with the capability to identify precise Indicators of Compromise (IOCs) essential for monitoring or conducting targeted hunting within our networks, learning more about the various RATs, and how to fight against them.

Source: DeepSec

Figure 1: RAT Builders - How to catch them all

YouTube Video

Not yet published.