A Remote Access Trojan (RAT) is a type of malware that allows for remote, unauthorized surveillance, complete access, and administrative control of an infected system. This type of malware can perform a wide array of malicious behaviors. Some of these behaviors may include installing malicious programs, reading data inputs from keyboards, scraping login credentials, or hijacking webcam feeds.
RATs may also compromise other systems by impersonating previously infected systems. RATs are well known for their adaptability, longevity, and overall malicious potential.
As in the case of most malware types, RATs often infect systems by hiding within seemingly legitimate files such as email attachments, download packages, applications, or web links. When a user opens these files, the hidden RATs will install themselves on the victim’s system.
Upon installation, RATs will establish a connection with a remote command-and-control server by exploiting open TCP ports on the victim’s machine. Once this remote connection is established, attackers have full administrative control of the infected system.
Once a machine is infected, RATs are known to be particularly difficult to detect. In some cases, RATs have been able to hide for years. RATs are particularly adept at hiding because they generally do not exhibit the typical destructive behaviors of other, more easily detected types of malware.
RAT precursors can be traced back to the late 1980s with the advent of early, legitimate remote access software programs, such as NetSupport. By the late 1990s, remote access software was commonplace, and so were RATs.
Certain early internet users employed remote access software for lighthearted pranks by making target mouse pointers behave strangely, ejecting CD trays at random, or turning desktop backgrounds upside-down. It wasn’t long, however, before more malicious versions of remote access software began to appear. NokNok was among the first true RATs and one of the most iconic. NokNok was quickly followed by others, including D.I.R.T., SubSeven, Poison Ivy, NetBus, and Black Orifice.
Rather than having declined in relevancy over time, legacy RATs are continuously spotted in the wild, and new variations appear frequently. Early RATs were produced almost exclusively for Windows operating systems, but modern RATs have also been detected on Mac, Linux, and Android operating systems. RATs remain a potent and considerable cyber threat, and they are frequently employed not only by cybercriminals of all stripes, but increasingly by larger, more organized groups and nation-states as well.