A peek inside a (cracked) commercially available RAT (Remote Access Tool)

by

Share this news now.

By Dancho Danchev

In an attempt to add an additional layer of legitimacy to their malicious software, cybercriminals sometimes simply reposition them as Remote Access Tools, also known as R.A.Ts. What they seem to be forgetting is that, no legitimate Remote Access Tool would posses any spreading capabilities, plus, has the capacity to handle tens of thousands of hosts at the same time, or possesses built-in password stealing capabilities.

Pitched by its author as a Remote Access Tool, the DIY (do it yourself) malware that I’ll profile in this post is currently cracked, and available for both novice, and experienced cybercriminals to take advantage of at selected cybercrime-friendly communities.

More details:

The first time we came across the underground market ad promoting the availability of the DIY malware was in June 2012 and offered for sale for $1,000. Then in October 2012, a cracked and fully working version of the DIY malware leaked on multiple cybercrime-friendly communities, potentially undermining the monetization attempted by its author.

The Web/Client based release has numerous features, presented in a point-and-click fashion, potentially empowering novice cybercriminals with a versatile set of online spying capabilities. Let’s go through some screenshots to demonstrate the capabilities of this particular (cracked) underground market release.

Sample screenshot of the DIY Web/Client based malware:

Commercial_Private_RAT_Remote_Access_Tool_Trojan_Horse_Malware_Rootkit

Sample screenshot of the DIY Web/Client based malware:

Commercial_Private_RAT_Remote_Access_Tool_Trojan_Horse_Malware_Rootkit_01

Sample screenshot of the DIY Web/Client based malware:

Commercial_Private_RAT_Remote_Access_Tool_Trojan_Horse_Malware_Rootkit_02

Sample screenshot of the DIY Web/Client based malware:

Commercial_Private_RAT_Remote_Access_Tool_Trojan_Horse_Malware_Rootkit_03

Sample screenshot of the DIY Web/Client based malware:

Commercial_Private_RAT_Remote_Access_Tool_Trojan_Horse_Malware_Rootkit_04

Sample screenshot of the DIY Web/Client based malware:

Commercial_Private_RAT_Remote_Access_Tool_Trojan_Horse_Malware_Rootkit_05

Sample screenshot of the DIY Web/Client based malware:

Commercial_Private_RAT_Remote_Access_Tool_Trojan_Horse_Malware_Rootkit_06

Sample screenshot of the DIY Web/Client based malware:

Commercial_Private_RAT_Remote_Access_Tool_Trojan_Horse_Malware_Rootkit_07

Sample screenshot of the DIY Web/Client based malware:

Commercial_Private_RAT_Remote_Access_Tool_Trojan_Horse_Malware_Rootkit_08

Sample screenshot of the DIY Web/Client based malware:

Commercial_Private_RAT_Remote_Access_Tool_Trojan_Horse_Malware_Rootkit_09

Sample screenshot of the DIY Web/Client based malware:

Commercial_Private_RAT_Remote_Access_Tool_Trojan_Horse_Malware_Rootkit_10

Sample screenshot of the DIY Web/Client based malware:

Commercial_Private_RAT_Remote_Access_Tool_Trojan_Horse_Malware_Rootkit_11

Sample screenshot of the DIY Web/Client based malware:

Commercial_Private_RAT_Remote_Access_Tool_Trojan_Horse_Malware_Rootkit_12

Sample screenshot of the DIY Web/Client based malware:

Commercial_Private_RAT_Remote_Access_Tool_Trojan_Horse_Malware_Rootkit_13

Sample screenshot of the DIY Web/Client based malware:

Commercial_Private_RAT_Remote_Access_Tool_Trojan_Horse_Malware_Rootkit_14

Sample screenshot of the DIY Web/Client based malware:

Commercial_Private_RAT_Remote_Access_Tool_Trojan_Horse_Malware_Rootkit_15

Sample screenshot of the DIY Web/Client based malware:

commercial_private_rat_remote_access_tool_trojan_horse_malware_rootkit_16

Sample screenshot of the DIY Web/Client based malware:

commercial_private_rat_remote_access_tool_trojan_horse_malware_rootkit_17

Sample screenshot of the DIY Web/Client based malware:

commercial_private_rat_remote_access_tool_trojan_horse_malware_rootkit_18

Sample screenshot of the DIY Web/Client based malware:

commercial_private_rat_remote_access_tool_trojan_horse_malware_rootkit_19

Sample screenshot of the DIY Web/Client based malware:

Commercial_Private_RAT_Remote_Access_Tool_Trojan_Horse_Malware_Rootkit_20

Cracked malware releases either cease to exist since the cybercriminal behind them has failed to monetize his release in the initial phrase, continue being developed as private releases, or become adopted by novice cybercriminals taking advantage of today’s managed malware crypting services to ensure that the actual payload remains undetected before it is distributed to the intended target(s).

We’ll continue monitoring the development of this DIY malware, in particular whether or not its developer will continue working on it, now that there are leaked versions of it available online.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.


Share this news now.

Trackbacks

  1. [...] on behalf of fellow cybercriminals across multiple cybercrime-friendly communities, resulting in a cracked version available exclusively to members of these communities. What we’ve got here is yet another [...]