Let’s inaugurate our blog’s new category called “Trust Your Fraud Expert,” where you can periodically find interesting analysis by our experts.
This week our CTO, Guido Ronchetti, walks us through the evolution of Remote Access Trojans.
When attackers want to target industries or consumers, they have several channels to compromise their target. There are desktop computer vulnerabilities, network communication protocols, and, most importantly, thousands of mobile applications that constantly run on everyone’s devices. Each of these channels has its quirks and weak points. This forces attackers to apply specific techniques and flows to meet their goals.
Even though mobile applications have been available for years, security concepts and development practices are still less mature and constantly evolving. New security measures are defined, new vulnerabilities are found, but few devices are kept up-to-date with their software.
This allows malicious agents to achieve their main purpose more efficiently. In fact, a massive amount of mobile malware has been developed in recent years, with the financial services ecosystem among the primary targets.
At XTN, an important part of the support service we provide is the continuous monitoring of the evolution of mobile and web malware and threats worldwide.
One of the main trends we have been observing since 2018, and which is continuing in 2019, is the evolution of Remote Access Trojans (RATs) targeting mobile devices: the shift of these well-known attacks from desktop computers into the mobile environment. We have seen a progression from simple pseudo-RATs to full-featured RAT malware focused on the Android market.
Remote Access Trojans provide cybercriminals with complete access to a victim’s infected endpoint. Using stolen access privileges, they can access and steal sensitive business and personal data, including Intellectual Property (IP), Personally Identifiable Information (PII), and Patient Health Information (PHI).
Several Advanced Persistent Threat (APT) attacks use RAT technology to bypass strong authentication, spread the infection, and access sensitive applications to exfiltrate data.
Moreover, once a RAT infects a device, the cybercriminal can control the device from a comfortable and remote back-end control panel.
For these reasons, RAT attacks are extremely dangerous since they attack the chain’s weakest link. These attacks are designed to be scalable and can be customized to fit the target.
THE CASE OF ANUBIS
A notable example of this technology we observed in 2018 is Anubis. This software provides full remote control through a friendly web user interface and can trigger malicious capabilities such as keylogging, overlay attacks on other apps, process monitoring, SMS and phone call hijacking, push notification forgery, and device content encryption (as ransomware would do).
And that’s only half!
It can also intercept data from the camera along with GPS and microphone signals, control browser components, and request permissions on the fly to gain access to the device’s contacts!
The Anubis example shows at a glance the variety of attacks a cybercriminal could perform with such a tool, ranging from targeted spying to large-scale ransomware or overlay campaigns against financial apps.
The XTN team believes that antivirus tools are not enough to protect your services within the consumer’s context. You are just delegating threat mitigation to users who are often not savvy enough to understand the dangers.
Given this, XTN has designed a behavioral malware engine capable of detecting threats even without prior knowledge of specific samples.
We moved from the usual signature-based detection to a behavior-based engine because it has proven successful in many circumstances, such as:
• Protecting against new strains and previously unseen types of malware attacks;
• Detecting an individual instance of malware targeting a specific person or organization;
• Identifying malware acting within a particular environment, even without having to analyze that particular instance.
Obtaining comprehensive information about the malware is crucial for analysts to understand the possible range of impacts.
This engine is integrated with SEAP® and is part of our Cognitive Security Platform®, designed to protect your mobile app from the inside; it is modeled with advanced machine learning algorithms and refined through long-term business intelligence work.
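As an added illustration of the behavior-based approach described above (example code written for this post, not XTN’s engine), the following Python scores each package’s observed runtime behaviours against the capability pattern the post attributes to Anubis, with no sample or signature involved. The event names, weights, threshold and telemetry records are all hypothetical and constructed for the example.

```python
from collections import defaultdict

# Behaviours the post attributes to Anubis-class RATs; names and weights are hypothetical.
RAT_BEHAVIOURS = {
    "accessibility_service_enabled": 2,      # underpins keylogging and auto-granting permissions
    "overlay_drawn_on_foreground_app": 3,    # credential-harvesting overlay on another app
    "sms_receiver_registered": 2,            # SMS / OTP hijacking
    "call_redirected": 2,                    # phone call hijacking
    "notification_posted_impersonating": 2,  # push notification forgery
    "runtime_permission_burst": 1,           # gathering permissions on the fly
    "contacts_read": 1,
    "background_camera_or_mic": 2,           # camera / microphone interception
    "mass_file_encryption": 4,               # ransomware behaviour
    "periodic_c2_beacon": 3,                 # talks to a remote control panel
}
THRESHOLD = 6      # hypothetical cut-off
MIN_DISTINCT = 2   # one behaviour alone (e.g. an SMS app's receiver) is not enough

def score_package(events):
    """Sum the weights of the distinct RAT-like behaviours seen for one package."""
    seen = sorted({e for e in events if e in RAT_BEHAVIOURS})
    return sum(RAT_BEHAVIOURS[e] for e in seen), seen

def classify(telemetry, threshold=THRESHOLD, min_distinct=MIN_DISTINCT):
    """Group (package, event) records and flag packages whose combined behaviour looks RAT-like."""
    per_pkg = defaultdict(list)
    for pkg, event in telemetry:
        per_pkg[pkg].append(event)
    verdicts = {}
    for pkg, events in per_pkg.items():
        score, seen = score_package(events)
        verdicts[pkg] = {
            "score": score,
            "behaviours": seen,
            "suspicious": score >= threshold and len(seen) >= min_distinct,
        }
    return verdicts

# Constructed sample telemetry: a bank app, a messaging app and an unknown
# "Flash update" app showing the overlay + accessibility + SMS + C2 pattern.
SAMPLE_TELEMETRY = [
    ("com.example.bank", "runtime_permission_burst"),
    ("com.example.messenger", "sms_receiver_registered"),
    ("com.unknown.flashupdate", "accessibility_service_enabled"),
    ("com.unknown.flashupdate", "overlay_drawn_on_foreground_app"),
    ("com.unknown.flashupdate", "sms_receiver_registered"),
    ("com.unknown.flashupdate", "overlay_drawn_on_foreground_app"),
    ("com.unknown.flashupdate", "periodic_c2_beacon"),
]
```

Calling `classify(SAMPLE_TELEMETRY)` flags only the unknown package; the messaging app registers an SMS receiver too, but a single behaviour never crosses the distinct-behaviour floor.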