“RadRAT” Espionage Tool Flushed Out

RadRAT, a powerful “all-in-one toolkit for complex espionage ops” apparently unnoticed since 2015, flushed out by Bitdefender

By CBR Staff Writer

Bucharest-headquartered cybersecurity company Bitdefender has detected an advanced remote access tool, named RadRAT – which offers full control over seized computers – that it believes to have been unnoticed and operating since at least 2015.

This RAT is used in targeted attacks aimed at exfiltrating information, or monitoring victims in enterprises or large businesses running Windows.

Bitdefender forensics engineer Eduard Budaca described it as an “all-in-one toolkit for complex espionage ops”.

In a research report shared with media on Friday, he said: “Our interest was stirred by its remote access capabilities, which include unfettered control of the compromised computer, lateral movement across the organization and rootkit-like detection-evasion mechanisms. Powered by a vast array of features, this RAT was used in targeted attacks aimed at exfiltrating information or monitoring victims in large networked organizations.”

Lateral Movement Mechanisms

He added: “In addition to its very powerful data exfiltration mechanisms, RadRAT features extremely interesting lateral movement mechanisms that include Mimikatz-like credentials harvesting from WDigest.dll and kerberos.dll; NTLM hash harvesting from the Windows registry, inspired by the source code of the Mimikatz lsadmp tool; using the infected machine to retrieve a Windows password from the LanMan (LM) hash, by cracking previously sniffed NTLM authentication challenges; an implementation of the Pass-the-Hash attack on SMB connections.”

RadRAT’s current command set supports 92 instructions, some of which are only available to one of the two main components, wrpcs.dll or ntmgr2.dll.

These commands can be split into multiple categories. For file or registry operations, for example, the attacker can use these commands to gain specific knowledge about the file layout and registry data of the victim machine or of network-connected machines.

The attacker has the ability to read any file, list the shares of machines on the network, obtain a list of files inside a directory, or get their sizes. Some advanced commands operate on chunks of larger files: they can read them, compute and compare hashes of byte sections inside the file, and upload a section when its hash is unknown.

RadRAT “An Extremely Complex Attack Toolkit”

His team’s deep dive into the RAT’s components reveals an “extremely complex attack toolkit” that is optimized for networked environments such as enterprises or large businesses running Windows, Budaca said.

His full research report is here.
