New Tactic Finds RAT Operators Fast

Low tolerance for latency makes RAT operators less likely to use proxies, easier to track back home.

By proactively using large-scale Internet enumeration, law enforcement and security teams may be able to stop operators of remote access Trojans (RATs) like
DarkComet
, Poison Ivy, Havex, and AlienSpy before they even launch their attack campaigns, according to a new report by
Recorded Future
.
The kind of data RATs often deal with require a lot of bandwidth -- photos, audio recordings, video from Webcams, etc. -- and therefore, RAT controllers are generally less tolerant of latency, according to Levi Gundert, author of Recorded Futures report. Since theyre less tolerant of latency, theyre less likely to operate through proxies, so compared to other kinds of malware, there are a disproportionate number of RATs that are run from residential ISP subnets.
As Gundert explains, starting from a data point like this makes attribution quicker and easier. It may make it possible for law enforcement to cut off RAT attacks before operators use the information theyve collected for further nefarious aims, like blackmail or silencing political dissidents, he says.
Using this technique, Gundert says it was very easy for Record Future to attribute RAT operations to Oxford, U.K. resident Daniel James Brown (and find his street address, blood type, and the name of his dog), for instance. Other organizations were similarly able to point to RAT specific operators by username and/or location.
Shodan typically identifies between 400 and 600 individual RAT clients on any day, according to the Recorded Future report. A recent data set pulled from Shodan was overwhelmingly dominated by Dark Comet, followed by XtremeRAT, njRAT, and Net Bus. Poison Ivy and BlackShades barely made the list.
Although some RATs are created for use by nation-states and others for use by individual criminals, threat actors continue to leverate commodity RATs even after the original author has been apprehended, because theyre easy to configure, highly reusable, and proven to be effective against anti-virus, according to the report.
Theyre all open-source to some degree, says Gundert. Theyve all been co-opted to some degree.
Although njRAT and Xtreme RAT are used almost exclusively in the Middle East, he says, most RATs have been used by kids to spy on females, he says.
And even after the major
BlackShades sting in May 2014 where 90 people were arrested
, Blackshades is still limping along: Gundert says he knows of two controllers in Turkey.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
New Tactic Finds RAT Operators Fast