Let’s inaugurate our blog’s new category, “Trust Your Fraud Expert”, where you will periodically find analyses by our experts.
This week our CTO Guido Ronchetti explains the evolution of Remote Access Trojans.
When attackers want to target industries or consumers, they have several channels through which to compromise their target: desktop computer vulnerabilities, network communication protocols and, most importantly, the thousands of mobile applications that constantly run on everyone’s devices. Each of these channels has its own quirks and weak points, which forces attackers to apply channel-specific techniques and flows in order to meet their goal.
Even though mobile applications have been available for years, mobile security concepts and development practices are still less mature and in constant evolution. When new security measures are defined, new vulnerabilities are found, but few devices are kept up to date with their software.
This allows malicious actors to achieve their main purpose more efficiently. In fact, a massive amount of mobile malware has been developed in recent years, with the financial services ecosystem as one of its primary targets.
At XTN, an important part of the support service we provide is the continuous monitoring of the evolution of mobile and web malware and threats around the world.
One of the main trends we are observing started in 2018 and is continuing in 2019: the evolution of Remote Access Trojans (RATs) targeting mobile devices. These well-known attacks have shifted from desktop computers into the mobile environment, evolving from simple pseudo-RATs into full-featured RAT malware focused on the Android market.
Remote Access Trojans give cybercriminals complete access to a victim’s infected endpoint. Using stolen access privileges, they can access and steal sensitive business and personal data, including Intellectual Property (IP), Personally Identifiable Information (PII) and Patient Health Information (PHI).
Several Advanced Persistent Threat (APT) attacks take advantage of RAT technology to bypass strong authentication, spread the infection and access sensitive applications in order to exfiltrate data.
Moreover, once a RAT infects a device, the cybercriminal gains the ability to control it from a convenient remote backend control panel.
For these reasons, RAT attacks are extremely dangerous: they target the weakest link in the chain, they are designed to be scalable, and they can be customized to fit the target.
THE CASE OF ANUBIS
A notable example of this technology that we observed in 2018 is Anubis. This software provides full remote control through a friendly web user interface and can trigger malicious capabilities such as keylogging, overlaying other apps, process monitoring, SMS and phone call hijacking, push notification forgery and device content encryption (as ransomware does).
And that’s only half!
It can also capture data from the camera, GPS and microphone, control browser components, and request permissions on the fly to gain access to the device’s contacts!
The Anubis example makes it easy to understand the variety of attacks a cybercriminal could perform with such a tool, ranging from targeted spying to large-scale ransomware or financial app overlay campaigns.
The XTN team believes that antivirus tools alone are simply not enough to protect your services in the consumer’s context: you are merely delegating the mitigation of the threat to users who are often not savvy enough to understand the dangers.
For this reason, XTN has designed a behavioural malware engine capable of detecting threats even without knowledge of specific samples.
We moved from the usual signature-based detection to a behaviour-based engine because it has proven successful in many circumstances, such as:
• Protecting against new families and previously unseen types of malware attacks;
• Detecting an individual instance of malware targeting a specific person or organization;
• Identifying malware acting within a particular environment, even without having to analyze that particular instance;
• Obtaining comprehensive information about the malware, which is crucial for analysts to understand the possible range of impacts.
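To make the signature-versus-behaviour point concrete, here is an added example (our illustration, not XTN’s engine and not code from any Anubis sample): a small triage heuristic that maps an Android app’s declared permissions onto the Anubis-style capability families listed above, so that an unknown sample with no hash match can still be flagged by what it is able to do. The permission strings are real AOSP names; the grouping, weights and sample manifests are constructed for this example.

```python
# Added example: capability-based triage of an Android app's declared permissions.
# A real behavioural engine observes runtime actions; this static approximation
# only shows why "what can it do" beats "which hash is it" for unseen samples.

# Permission -> capability family seen in mobile RATs such as Anubis.
# Permission names are real AOSP strings; the grouping is this example's choice.
CAPABILITIES = {
    "overlay":     {"android.permission.SYSTEM_ALERT_WINDOW"},
    "keylogging":  {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "sms_hijack":  {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
                    "android.permission.SEND_SMS"},
    "call_hijack": {"android.permission.CALL_PHONE",
                    "android.permission.PROCESS_OUTGOING_CALLS"},
    "ransomware":  {"android.permission.BIND_DEVICE_ADMIN",
                    "android.permission.WRITE_EXTERNAL_STORAGE"},
    "spying":      {"android.permission.CAMERA", "android.permission.RECORD_AUDIO",
                    "android.permission.ACCESS_FINE_LOCATION"},
    "contacts":    {"android.permission.READ_CONTACTS"},
}

def capability_profile(permissions):
    """Return the set of RAT-like capability families the permission set enables."""
    perms = set(permissions)
    return {name for name, needed in CAPABILITIES.items() if perms & needed}

def triage(permissions, threshold=4):
    """Verdict based on breadth of capabilities, independent of any known hash."""
    found = capability_profile(permissions)
    # Overlay plus SMS interception is the classic banking-RAT pairing
    # (fake login screen + OTP theft), so that pair alone is enough to flag.
    if {"overlay", "sms_hijack"} <= found or len(found) >= threshold:
        return "suspicious", found
    return "benign", found

# Constructed sample manifests (not taken from any real app or malware dump).
MESSAGING_APP = [
    "android.permission.INTERNET", "android.permission.READ_CONTACTS",
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
]
RAT_LIKE_APP = MESSAGING_APP + [
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.RECEIVE_SMS", "android.permission.SEND_SMS",
    "android.permission.BIND_DEVICE_ADMIN", "android.permission.CALL_PHONE",
]

if __name__ == "__main__":
    for label, perms in (("messaging", MESSAGING_APP), ("rat-like", RAT_LIKE_APP)):
        print(label, *triage(perms))
```

A legitimate messaging app legitimately holds camera, microphone and contacts access, so breadth across families, and in particular the overlay plus SMS pairing, is what separates it from the RAT-like profile.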
This engine is integrated with SEAP® and is part of our Cognitive Security Platform®, which is designed to protect your mobile app from the inside, is modeled with advanced machine learning algorithms, and was built on the results of long-term business intelligence work.