To Catch a Ratter: Monitoring the Behavior of Amateur DarkComet RAT Operators in the Wild

Brown Farinholt, Mohammad Rezaeirad, Paul Pearce, Hitesh Dharmdasani, Haikuo Yin, Stevens Le Blond, Damon McCoy, Kirill Levchenko

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    Abstract

    Remote Access Trojans (RATs) give remote attackers interactive control over a compromised machine. Unlike large-scale malware such as botnets, a RAT is controlled individually by a human operator interacting with the compromised machine remotely. The versatility of RATs makes them attractive to actors of all levels of sophistication: they have been used for espionage, information theft, voyeurism and extortion. Despite their increasing use, there are still major gaps in our understanding of RATs and their operators, including motives, intentions, procedures, and weak points where defenses might be most effective. In this work we study the use of DarkComet, a popular commercial RAT. We collected 19,109 samples of DarkComet malware found in the wild and, in the course of two several-week-long experiments, ran as many samples as possible in our honeypot environment. By monitoring a sample's behavior in our system, we are able to reconstruct the sequence of operator actions, giving us a unique view into operator behavior. We report on the results of 2,747 interactive sessions captured in the course of the experiment. During these sessions operators frequently attempted to interact with victims via remote desktop, to capture video, audio, and keystrokes, and to exfiltrate files and credentials. To our knowledge, this is the first large-scale systematic study of RAT use.

    Original language: English (US)
    Title of host publication: 2017 IEEE Symposium on Security and Privacy, SP 2017 - Proceedings
    Publisher: Institute of Electrical and Electronics Engineers Inc.
    Pages: 770-787
    Number of pages: 18
    ISBN (Electronic): 9781509055326
    DOIs: https://doi.org/10.1109/SP.2017.48
    State: Published - Jun 23 2017
    Event: 2017 IEEE Symposium on Security and Privacy, SP 2017 - San Jose, United States
    Duration: May 22 2017 to May 24 2017

    Other

    Other: 2017 IEEE Symposium on Security and Privacy, SP 2017
    Country: United States
    City: San Jose
    Period: 5/22/17 to 5/24/17

    Keywords

    • Darkcomet
    • Honeypot
    • RAT malware
    • Remote access trojan

    ASJC Scopus subject areas

    • Safety, Risk, Reliability and Quality
    • Software
    • Computer Networks and Communications

    Cite this

    Farinholt, B., Rezaeirad, M., Pearce, P., Dharmdasani, H., Yin, H., Blond, S. L., ... Levchenko, K. (2017). To Catch a Ratter: Monitoring the Behavior of Amateur DarkComet RAT Operators in the Wild. In 2017 IEEE Symposium on Security and Privacy, SP 2017 - Proceedings (pp. 770-787). [7958609] Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/SP.2017.48

    @inproceedings{24919c65971e4455ad6499cffd9a89ca,
    title = "To Catch a Ratter: Monitoring the Behavior of Amateur DarkComet RAT Operators in the Wild",
    keywords = "Darkcomet, Honeypot, RAT malware, Remote access trojan",
    author = "Brown Farinholt and Mohammad Rezaeirad and Paul Pearce and Hitesh Dharmdasani and Haikuo Yin and Blond, {Stevens Le} and Damon McCoy and Kirill Levchenko",
    year = "2017",
    month = "6",
    day = "23",
    doi = "10.1109/SP.2017.48",
    language = "English (US)",
    pages = "770--787",
    booktitle = "2017 IEEE Symposium on Security and Privacy, SP 2017 - Proceedings",
    publisher = "Institute of Electrical and Electronics Engineers Inc.",
    address = "United States",
    }

    TY - GEN

    T1 - To Catch a Ratter

    T2 - Monitoring the Behavior of Amateur DarkComet RAT Operators in the Wild

    AU - Farinholt, Brown

    AU - Rezaeirad, Mohammad

    AU - Pearce, Paul

    AU - Dharmdasani, Hitesh

    AU - Yin, Haikuo

    AU - Blond, Stevens Le

    AU - McCoy, Damon

    AU - Levchenko, Kirill

    PY - 2017/6/23

    Y1 - 2017/6/23

    KW - Darkcomet

    KW - Honeypot

    KW - RAT malware

    KW - Remote access trojan

    UR - http://www.scopus.com/inward/record.url?scp=85024492711&partnerID=8YFLogxK

    UR - http://www.scopus.com/inward/citedby.url?scp=85024492711&partnerID=8YFLogxK

    U2 - 10.1109/SP.2017.48

    DO - 10.1109/SP.2017.48

    M3 - Conference contribution

    AN - SCOPUS:85024492711

    SP - 770

    EP - 787

    BT - 2017 IEEE Symposium on Security and Privacy, SP 2017 - Proceedings

    PB - Institute of Electrical and Electronics Engineers Inc.

    ER -