Bucharest-headquartered cybersecurity company Bitdefender has detected an advanced remote access tool, named RadRAT – which offers full control over seized computers – that it believes to have been unnoticed and operating since at least 2015.
This RAT is used in targeted attacks aimed at exfiltrating information, or monitoring victims in enterprises or large businesses running Windows.
Bitdefender forensics engineer Eduard Budaca described it as an “all-in-one toolkit for complex espionage ops”.
In a research report shared with media on Friday, he said: “Our interest was stirred by its remote access capabilities, which include unfettered control of the compromised computer, lateral movement across the organization and rootkit-like detection-evasion mechanisms. Powered by a vast array of features, this RAT was used in targeted attacks aimed at exfiltrating information or monitoring victims in large networked organizations.”
Lateral Movement Mechanisms
He added: “In addition to its very powerful data exfiltration mechanisms, RadRAT features extremely interesting lateral movement mechanisms that include Mimikatz-like credentials harvesting from WDigest.dll and kerberos.dll; NTLM hash harvesting from the Windows registry, inspired from the source code of the Mimikatz lsadmp tool; using the infected machine to retrieve a Windows password from the LanMan (LM) hash, by cracking previously sniffed NTLM authentication challenges; an implementation of the Pass-the- Hash attack on SMB connections.”
RadRAT’s current command set supports 92 instructions, some of which are only available to one of the two main components, wrpcs.dll or ntmgr2.dll.
These commands can be split into multiple categories. For file or registry operations, for example, the attacker can use these commands to gain specific knowledge about the file layout and registry data of the victim machine or of network connected machines.
The attacker has the ability to read any file, list the shares of machines on the network, obtain a list of files inside a directory, or get their sizes. Some advanced commands operate on chunks of larger files, being able to read them, compute and compare hashes of byte sections inside the file, and upload them in case of an unknown hash.
RadRAT “An Extremely Complex Attack Toolkit”
His team’s deep dive into the RAT’s components reveals an “extremely complex attack toolkit” that is optimized for networked environments such as enterprises or large businesses running Windows, Budaca said.
His full research report is here.