
“RadRAT” Espionage Tool Flushed Out

RadRAT, a powerful “all-in-one toolkit for complex espionage ops” apparently unnoticed since 2015, flushed out by Bitdefender

By CBR Staff Writer

Bucharest-headquartered cybersecurity company Bitdefender has detected an advanced remote access tool, named RadRAT, which offers full control over compromised computers and which the company believes has been operating unnoticed since at least 2015.

This RAT is used in targeted attacks aimed at exfiltrating information, or monitoring victims in enterprises or large businesses running Windows.

Bitdefender forensics engineer Eduard Budaca described it as an “all-in-one toolkit for complex espionage ops”.

In a research report shared with media on Friday, he said: “Our interest was stirred by its remote access capabilities, which include unfettered control of the compromised computer, lateral movement across the organization and rootkit-like detection-evasion mechanisms. Powered by a vast array of features, this RAT was used in targeted attacks aimed at exfiltrating information or monitoring victims in large networked organizations.”

Lateral Movement Mechanisms

He added: “In addition to its very powerful data exfiltration mechanisms, RadRAT features extremely interesting lateral movement mechanisms that include Mimikatz-like credentials harvesting from WDigest.dll and kerberos.dll; NTLM hash harvesting from the Windows registry, inspired from the source code of the Mimikatz lsadmp tool; using the infected machine to retrieve a Windows password from the LanMan (LM) hash, by cracking previously sniffed NTLM authentication challenges; an implementation of the Pass-the-Hash attack on SMB connections.”

RadRAT’s current command set supports 92 instructions, some of which are only available to one of the two main components, wrpcs.dll or ntmgr2.dll.

These commands can be split into multiple categories. In the file and registry category, for example, the attacker can use the commands to learn the file layout and registry contents of the victim machine or of other network-connected machines.


The attacker has the ability to read any file, list the shares of machines on the network, obtain a list of files inside a directory, or get their sizes. Some advanced commands operate on chunks of larger files, being able to read them, compute and compare hashes of byte sections inside the file, and upload them in case of an unknown hash.
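To make concrete what the chunk-level "compute and compare hashes, upload on unknown hash" command described above amounts to, the following Python model is an added illustration for analysts; it is not Bitdefender's code and not code from RadRAT. The chunk size and the use of SHA-256 are assumptions, since the report names neither. The point it shows is that a hash-aware transfer moves only the chunks the receiving side does not already hold, so the byte volume leaving a host can be far smaller than the size of the files being read; the sample file and the set of already-known hashes are constructed inline.

```python
import hashlib
from typing import Iterable

CHUNK_SIZE = 4096  # assumed chunk size; the report does not state RadRAT's


def chunk_hashes(data: bytes, chunk_size: int = CHUNK_SIZE) -> list[str]:
    """SHA-256 hex digest of every fixed-size chunk of a byte string (assumed hash)."""
    return [
        hashlib.sha256(data[i:i + chunk_size]).hexdigest()
        for i in range(0, len(data), chunk_size)
    ]


def unknown_chunks(data: bytes, known_hashes: Iterable[str],
                   chunk_size: int = CHUNK_SIZE) -> list[tuple[int, str]]:
    """Chunks whose hash is not already in the receiver's set.

    Models the behaviour described in the article: a hash is computed per
    byte section, compared against what the remote side already knows, and
    only sections with an unknown hash would need to be uploaded.
    """
    known = set(known_hashes)
    return [(i, h) for i, h in enumerate(chunk_hashes(data, chunk_size))
            if h not in known]


def bytes_on_the_wire(data: bytes, known_hashes: Iterable[str],
                      chunk_size: int = CHUNK_SIZE) -> int:
    """Payload bytes a hash-aware transfer would move for this file."""
    total = 0
    for i, _ in unknown_chunks(data, known_hashes, chunk_size):
        start = i * chunk_size
        total += len(data[start:start + chunk_size])
    return total


# Constructed sample: a three-chunk "file" where the receiving side already
# holds the hashes of chunks 0 and 2 from an earlier copy.
SAMPLE_FILE = b"A" * CHUNK_SIZE + b"B" * CHUNK_SIZE + b"C" * 100
_hashes = chunk_hashes(SAMPLE_FILE)
ALREADY_KNOWN = [_hashes[0], _hashes[2]]

if __name__ == "__main__":
    for idx, h in unknown_chunks(SAMPLE_FILE, ALREADY_KNOWN):
        print(f"chunk {idx} unknown to receiver: {h[:16]}...")
    print("bytes needing transfer:",
          bytes_on_the_wire(SAMPLE_FILE, ALREADY_KNOWN), "of", len(SAMPLE_FILE))
```

For the constructed sample only the middle chunk is reported as unknown, so 4096 of the 8292 file bytes would need to move; for a file whose chunks are all already known, nothing but hashes would be exchanged. The practical consequence for monitoring is that per-file transfer volume is a poor proxy for how much data a tool of this kind has actually read.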

RadRAT “An Extremely Complex Attack Toolkit”

His team’s deep dive into the RAT’s components reveals an “extremely complex attack toolkit” that is optimized for networked environments such as enterprises or large businesses running Windows, Budaca said.

His full research report is here.

