
Top 6 Remote Access Trojans (RATs)


Hackers often access and control operating systems using remote access Trojans (RATs). Tools like these are available in abundance on the dark market. In this article, I am going to write about six popular breeds of RATs that cybercriminals use in the wild.

Disclaimer: Unauthorized access to computer systems is a criminal offense. This article does not encourage any such actions, and its author does not assume any liability for the actions taken by the reader. The tests outlined below were carried out on virtual machines isolated from real data.

Here is a list of RATs to be reviewed:

  • Cerberus
  • CyberGate
  • DarkComet
  • Orcus Rat
  • NjRat Danger Edition
  • Venom

For each of them, we will look at the following:

  • Features available
  • Speed of deployment
  • Load on the victim’s computer
  • Code protection level
  • VirusTotal detection ratio
  • Pros and cons in general

Now, let us get down to the review.

1) CERBERUS

Interesting or distinctive features

  • Language options are available.
  • A good range of supported output formats (.pif, .com, .src, .bat, .cmd.)
  • Users can add a startup sound (both available by default and from their own list.)

Description

High-speed operation: creating the build takes as little as five seconds. The running Trojan consumes 7.3 MB of RAM, and its impact on the CPU is negligible.

Loading the build into Detect It Easy identifies Borland Delphi and the UPX packer, both of which are well-known markers that many antivirus suites would flag.

VirusTotal detection: 58 out of 70 engines.

Verdict

Cerberus can persist in the target system for a long time, and its ability to change the file extension makes its path to the victim easier.

As for the cons, the Trojan failed to identify the OS it had compromised. Its detection rate by antivirus tools exceeds any reasonable threshold, so the author considers a crypter a must here. The compiler is a bit outdated, and the build unexpectedly plays a sound when launched, which hardly fits the idea of silent infiltration.

2) CYBERGATE

Interesting or distinctive features

  • Current session data collection.
  • Data search across the compromised devices.
  • Provides an extended amount of data about the victim.

Description

Launching and persistence routines for this build take about 25 seconds, which is relatively slow compared to the Cerberus reviewed earlier. Cybergate puts an excessive load on the system compared to its competitors. Besides, the Trojan creates several processes on startup and is plainly visible in the Task Manager. Consumption is 0.1% CPU and 4.2 MB of RAM, and drive load is 100 kbps.

Cybergate does not seem to care about shielding itself. The build does not even try to hide an exceptionally large number of libraries and functions. Oddly enough, there is no obfuscation for WinAPI calls.

In light of the above, the 64/70 (91.4%) VirusTotal detection ratio is not at all surprising. At the same time, only one of the 70 antivirus engines involved (eGambit) proved capable of identifying the exact family of the sample.

Verdict

True, the build fails wherever it can possibly fail. At the same time, it is as easy as pie and user-friendly. If you need to get rid of this Trojan, you will face very little resistance, if any.

3) DARKCOMET

Interesting or distinctive features

  • This RAT offers two types of builds (basic and extended.)
  • There is a function for connecting sockets.
  • Admins can schedule various actions to be performed.
  • There is an option of creating a download link for the virus.

Description

Creating the build takes more than a minute, which is way more than usual for such software. Upon its launching, the build consumes 2.7 MB RAM. That is a neat performance as the consumption of other resources tends to zero.

Just like in the cases above, the build is not covered by any protector or packer. The import table immediately exposes user32.dll, including mouse- and keyboard-related functions along with VkKeyScanA, a function commonly used to set up a keylogger.
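The two static checks the review leans on, the Detect It Easy identification of packer and runtime (Cerberus above) and a look at the import table for keyboard-capture functions (DarkComet here), can be reproduced by a defender with a short triage script. The following Python is an added example written for this article; it is not code from the page or from any of the RAT authors. It parses the PE section table for UPX section names, scans for Borland Delphi and .NET runtime markers, and lists user32.dll functions associated with keyboard capture. The `build_sample` helper constructs minimal PE-shaped blobs so the script runs offline; the blobs are synthetic test data, not real malware samples.

```python
"""Static triage of a Windows PE: packer/runtime markers and keyboard-capture imports.

Added example for this review (not a tool from the page or from any RAT author).
It approximates, in a few dozen lines, what Detect It Easy and an import-table
inspection tell a reviewer: section names (UPX), runtime markers (Delphi, .NET)
and user32.dll functions commonly associated with keylogging.
"""
import struct

# Marker strings as they appear in a binary's section table, import name table
# or string data. All are real marker names; none are invented for this example.
PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}
RUNTIME_MARKERS = {
    "Borland Delphi": [b"Borland", b"Embarcadero", b"SOFTWARE\\Borland\\Delphi"],
    ".NET": [b"mscoree.dll", b"_CorExeMain", b"_CorDllMain"],
}
KEYBOARD_APIS = {b"VkKeyScanA", b"GetAsyncKeyState", b"SetWindowsHookExA", b"GetKeyState"}


def section_names(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table; return names."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size          # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40              # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def triage(data: bytes) -> dict:
    """Summarise packer, runtime and keyboard-capture indicators for one PE blob."""
    secs = section_names(data)
    packer = "UPX" if any(s.encode() in PACKER_SECTIONS for s in secs) else None
    runtimes = [name for name, marks in RUNTIME_MARKERS.items()
                if any(m in data for m in marks)]
    keyboard = sorted(api.decode() for api in KEYBOARD_APIS if api in data)
    notes = []
    if packer:
        notes.append(f"packed with {packer}: unpack before deeper analysis")
    if keyboard:
        notes.append("keyboard-capture API present: review for keylogging behaviour")
    if not packer and not runtimes:
        notes.append("no packer or runtime marker found")
    return {
        "sections": secs,
        "packer": packer,
        "runtimes": runtimes,
        "user32_import": b"user32.dll" in data.lower(),
        "keyboard_apis": keyboard,
        "notes": notes,
    }


def build_sample(sections, strings) -> bytes:
    """Construct a minimal PE-shaped blob (synthetic test data, not a real sample)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # 64 bytes
    opt = b"\0" * 0xE0                                               # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in sections)
    return dos + b"PE\0\0" + coff + opt + table + b"\0".join(strings)


# Constructed inputs mirroring the two cases in the review: a UPX-packed Delphi
# build importing VkKeyScanA, and an unpacked .NET build with no keyboard APIs.
UPX_DELPHI = build_sample([b"UPX0", b"UPX1", b".rsrc"],
                          [b"Borland", b"user32.dll", b"VkKeyScanA"])
DOTNET = build_sample([b".text", b".rsrc", b".reloc"],
                      [b"mscoree.dll", b"_CorExeMain"])

if __name__ == "__main__":
    for label, blob in (("upx_delphi", UPX_DELPHI), ("dotnet", DOTNET)):
        print(label, triage(blob))
```

Run against a real file, `triage(open(path, "rb").read())` gives the same summary; the string scan is deliberately crude (it does not resolve the import directory, so a packed sample hides its imports until unpacked, which is exactly what the notes field points out).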

VirusTotal check hits 63.

Verdict

Not a single antivirus suite managed to establish the exact family of the sample. However, the build has all its components fully exposed, so skilled hackers would not distribute such a build widely. On the other hand, this RAT offers great customization. The build creation time, though, is excessive.

4) ORCUS RAT

Interesting or distinctive features

  • Capable of creating third-party processes to divert attention.
  • Should its operation be disrupted, the Trojan can create a respawner.
  • Plugins supported.

Description

High-speed operation: its building takes ten seconds. RAM consumption is 15.6 MB, with no extra load on the victim’s computer.

The code is encrypted, but the .NET Framework 2.0 still sticks out.

VirusTotal score 44.

Verdict

The tool is remarkably capable, except that it needs better encryption, a weakness it shares with all the other breeds reviewed here. The advantage of this RAT is its set of plugins for extended functionality; it can, for instance, hijack a victim’s webcam and broadcast its feed.

Even though a range of antivirus suites detect Orcus Rat, they are a far cry from providing working protection against this threat. Setup takes ages, and the functionality is poor without plugins.

5) NJRAT

Interesting or distinctive features

  • Switches off if a certain process gets started.
  • Streams its victim’s screen.
  • Protects reverse port and host.
  • Removal of the app is forbidden.
  • Disables Task Manager.

Description

The build setup takes ten seconds, no more and no less. The load on the compromised system is extremely high: consuming 18% of CPU capacity exposes the virus badly.

This breed is powered by .NET Framework. Many modern viruses stick to it, so nothing is surprising about this.

The Import section provides no meaningful data to process. Well, that is what .NET is meant for.

VirusTotal score 48.

The detection rate for this RAT is lower than for the previous samples. However, it is still too high to launch a large-scale serious attack. Again, this article is meant for demonstration purposes and to discourage any unlawful attacks.

Verdict

The malware stands out because it is well developed, many antivirus scanners fail to detect it, its source code is available on the web, and its functionality is versatile. Its connection to the C&C server is encrypted, which is another strong point.

NjRat’s weak points include a relatively high load on the victim’s system and, again, its open-source code, which is both an advantage and a disadvantage. Open code means antivirus vendors can study the RAT and write detections by tracing it back to its source, which is not the case with closed-source malware. In any case, wannabe hackers would not distribute Trojans of this kind without having them encrypted first.

6) VENOM

Interesting or distinctive features

  • The build can be uploaded to AnonFile.
  • The option of adding an installer that looks like an official release (installation wizard featuring a fake license.)
  • The Trojan itself is modifiable.
  • Rootkit setup is possible.
  • Users can set a nickname for the device compromised by the virus (displayed in the RAT’s GUI.)

Description

The building routine takes roughly 20 seconds to complete. The Trojan uses 9 MB RAM and does not produce any further significant load.

Venom is based on .NET and uses no special obfuscation, but the code is not visible on the fly.

VirusTotal score 47.

Most scanners detect this sample less frequently than NjRat. Meanwhile, encryption for a large-scale campaign is needed.

Verdict

This RAT has the best score among the samples reviewed in this article and is a good choice for a long-term operation. You can easily adjust it to your needs. Venom overruns its competitors in obfuscation as no antivirus can say anything specific about it. The only significant drawback is that Venom is available in the paid version only.

Conclusion

I have reviewed only a small fraction of the RAT breeds worth considering; there are simply too many of them around. Hackers also modify TeamViewer and AnyDesk clients and use the resulting programs as remote access Trojans. If you know a noteworthy RAT that I missed, share it in the comments!
