Experts from security firm Trend Micro have identified a new Remote Access Trojan (RAT). It’s called BKDR_RARSTONE.A and it employs some interesting techniques to infect a machine.
RATs such as PlugX are often used by cybercriminals in advanced persistent threat (APT) campaigns. Such pieces of malware are dangerous because once they infect a machine, they allow their master to perform all sorts of malicious tasks.
BKDR_RARSTONE.A is similar to PlugX because it also loads the backdoor component in memory. However, according to Trend Micro Threat Researcher Abraham Camba, it also has some clever techniques of its own.
The RAT is apparently distributed via spear phishing emails that carry a malicious .doc file. The innocent-looking file drops and executes BKDR_RARSTONE.A.
The RAT drops a .exe file, which it executes, and a .dat file that contains malware routines. The malware opens a hidden Internet Explorer process which it injects with code acquired from the .dat file.
“As with PlugX, the injected code decrypts itself in memory. Once decrypted it ‘downloads’ a .DLL file from its C&C server and again loads it in the memory space of the hidden Internet Explorer process. This ‘downloaded’ file is actually not dropped onto the system, but instead directly loaded in memory, making file-based detection ineffective,” Camba explained.
In order to gain access to information on installed applications and data on how to uninstall certain pieces of software – such as antiviruses –, BKDR_RARSTONE.A has the ability to access Uninstall Registry Key entries.
It’s also worth noting that the RAT uses SSL for communications. This ensures that the data transferred between the infected host and the command and control server is encrypted.
It also ensures that the traffic it generates blends in with normal traffic.
Trend Micro notes that RATs such as BKDR_RARSTONE are a clear indicator that cybercriminals are always working on improving their malicious creations.