How to spot a digital RAT

By SW Regional Cyber Crime Unit - 19th August 2020

SW Regional Cyber Crime Unit offers the following advice on spotting current cyber threats:

Remote Access Trojan (RAT)
A tool used to enable criminals to connect to a victim's machine remotely and perform a number of unauthorised actions. 

A RAT can allow attackers to access all files and features of your computer (e.g. microphone/webcam), and even use your computer to distribute malicious software to other devices. Criminals have even used RATs to install cryptomining software, which then uses a device's processing power to generate cryptocurrency.

Remote access tools are used legitimately by IT professionals to perform maintenance on machines. However, the tools used to gain unauthorised access to victims' devices are often designed to aid malicious intent. For example, these tools don't request permission on the accessed device, they tend not to notify the user that the service is running, and any command interfaces are generally hidden.

Law enforcement has recently been successful in the takedown of RATs. However, new tools are always being developed, so it pays to stay wary.

Signs of a RAT on your system include a slow internet connection, unknown processes running on your systems, and files that have been modified/deleted/installed without permission. Here is some advice to protect against this type of attack:

> Updates
Make sure that software and operating systems on your computers/laptops/phones/tablets/IoT devices are updated with the latest security patches.

> Antivirus
Install reliable antivirus software, and keep this updated! 

> Firewalls
Firewalls act as a filter for malicious traffic. Make sure that your firewalls are set up and configured correctly (check with your IT provider if you're not responsible for this). 

> Restricting access and permissions 
Restrict users' ability (permissions) to install and run unwanted software applications, as well as their access to sites with unfavourable content. 

> Phishing 
Always be careful when asked to click on links or download attachments from emails/websites/social media. More information on defending against phishing attacks can be found on the NCSC site at https://www.ncsc.gov.uk/guidance/phishing

> Exercise caution when using removable media
USB thumb drives, external drives, CDs - these can all be used to infect devices with malicious software. Ideally you should have a policy in place governing how these are verified/used in the workplace. 

> Monitoring 
If available to you, using detection systems on devices or entire networks can alert teams to suspicious behaviour, increasing the chances of spotting malicious software at work. This is especially relevant for larger organisations. The NCSC's recently updated 'Logging made easy' project may be a useful resource here, available at https://www.ncsc.gov.uk/blog-post/logging-made-easy

> Reporting
If you think you have been a victim of cyber crime, we always encourage you to report the incident to Action Fraud via phone (0300 123 2040) or website at https://www.actionfraud.police.uk

You can now also report phishing emails to the NCSC's Suspicious Reporting Service at '[email protected]' (more information at https://www.ncsc.gov.uk/information/report-suspicious-emails).
