Another Year of RATs and Trojan Stealer: Detection Commonalities and Summary
In 2023, Remote Access Trojans (RATs) and Trojan Stealers were some of the most prevalent types of malware in the cybersecurity landscape. RATs and Trojan Stealer malware represent significant cybersecurity threats, as they’re often employed to conduct espionage, surveillance, and data theft, which emphasizes the critical need for robust defenses.
Over the course of the year, the Splunk Threat Research Team analyzed and developed analytic stories and security detections for seven well-known and active RAT and Trojan Stealer malware families: Amadey, PlugX, DarkCrystal RAT, AsyncRAT, NJRAT, Warzone (Ave Maria) RAT and DarkGate.
Although these are distinct malware families, they share a good deal. After comparing these threats, the Splunk Threat Research Team identified several behavioral and tactical similarities that are worth understanding, both to inform future investigations and to help prioritize which security content to implement.
Continue reading for:
- An overview of each malware family
- A summary of the behavioral and tactical similarities we identified through our comparison
- A list of Splunk security detections you can use to detect multiple threats at once
An Overview of the Malware Families
In the following section, we provide concise summaries for each malware family, along with MITRE ATT&CK Navigator diagrams showing the related analytic story’s coverage area.
Amadey
Amadey is a trojan known for its multifaceted capabilities, serving as a tool for espionage, data theft, and unauthorized access. It is among the prevalent malware families that operate as Malware as a Service (MaaS), delivering other malware, updated copies of itself, and Amadey plugins built for information theft. Its functionality includes keylogging, screenshot capture, and the extraction of valuable data, such as login credentials and financial information, from browsers for financial gain.
Figure 1: Amadey Detection Coverage
PlugX
PlugX, also known as Kaba or Korplug, represents a highly sophisticated RAT characterized by its advanced stealth and extensive espionage capabilities. Primarily attributed to threat actors in East Asia, particularly China, PlugX infiltrates systems to establish covert, persistent access, enabling remote control and data exfiltration. This advanced malware’s functionalities include keylogging, screen capturing, file manipulation, and command execution. Often delivered through targeted spear phishing campaigns or exploited vulnerabilities, PlugX's surreptitious nature allows it to evade detection while facilitating espionage, intellectual property theft, and unauthorized access to sensitive information.
Figure 2: Plugx Detection Coverage
DarkCrystal RAT
DarkCrystal RAT is a sophisticated malware that enables cyber attackers to infiltrate target devices through capabilities such as remote host access, file manipulation, keystroke logging, and command execution. DarkCrystal RAT's modularity allows attackers to customize its functionalities, making it adaptable for various malicious purposes, including data theft, surveillance, and further exploitation. Its propagation commonly occurs through phishing emails, exploit kits, or social engineering tactics.
Figure 3: DarkCrystal RAT Detection Coverage
AsyncRAT
AsyncRAT is a popular commodity RAT used by criminal attackers and advanced persistent threat (APT) groups alike. In different campaigns, threat actors have used a variety of script loaders and spear phishing attachments to deliver AsyncRAT to targeted hosts or networks. Once installed, AsyncRAT gives the attacker covert access to the device with a wide array of capabilities, including remote desktop control, file manipulation, keystroke logging, webcam and microphone access, and command execution.
Figure 4: AsyncRAT Detection Coverage
NjRAT
NjRAT, short for "Njw0rm Remote Access Tool," is a widely used RAT recognized for its versatile and intrusive capabilities. Its stealthy operation and ease of customization make it a favored tool in cybercrime; attackers propagate it through phishing campaigns, removable drives, malicious downloads, and disguised attachments, posing significant risks to individual users and organizations. Its use of polymorphic and obfuscation techniques to evade traditional security controls complicates detection and mitigation.
Figure 5: NjRAT Detection Coverage
Warzone (AveMaria) RAT
Warzone RAT, also known as AveMaria, is a RAT designed for unauthorized remote access and control over compromised systems. Its functionalities include keystroke logging, file manipulation and browser data exfiltration. Renowned for its stealthy operation, Warzone RAT is deployed through various attack vectors, such as phishing campaigns, deceptive downloads, or disguised attachments, enabling cybercriminals to gain covert access to targeted systems.
Figure 6: Warzone RAT Detection Coverage
DarkGate
DarkGate, initially observed in mid-2021, is a sophisticated malware family known for its multifaceted capabilities and its impact on compromised systems. Functioning primarily as an information stealer, DarkGate is designed to infiltrate systems stealthily and extract sensitive data, including credentials and personal information. It has been distributed through phishing campaigns and malicious attachments, and it exploits vulnerabilities to gain unauthorized access.
Figure 7: DarkGate Detection Coverage
Commonalities by MITRE ATT&CK ID
As previously mentioned, the Splunk Threat Research Team has analytic stories for each of the seven malware families described above, which include 123 security detections at the time of writing.
To help SOC analysts, blue teamers, and security researchers see which MITRE ATT&CK techniques the families share, we grouped every technique ID associated with our detections by malware family. Figures 8.1 and 8.2 present the resulting summary table, which shows for each technique ID how many of the seven families it covers, making overlapping patterns and common tactics easy to spot and supporting strategic mitigation.
Figure 8.1: Commonalities by MITRE ATT&CK ID
Figure 8.2: Commonalities by MITRE ATT&CK ID
As an illustration, Figure 9 highlights the Splunk security detections that span all seven malware families. The techniques involved fall under initial access (Phishing, T1566, and its Spearphishing Attachment sub-technique, T1566.001), persistence (Create or Modify System Process, T1543), defense evasion (Masquerading, T1036), and execution (Command and Scripting Interpreter, T1059).
Figure 9: Commonalities by MITRE ATT&CK ID
We've categorized Splunk detections under each MITRE ATT&CK technique ID to assess our detection coverage across the shared IDs among all malware families. Here are our findings based on this analysis.
1. All seven of these malware families have a track record of leveraging malicious Microsoft Office documents. This includes malicious macro code, attachments such as .CAB or other archive files, exploits targeting Microsoft Office vulnerabilities, and malicious .LNK files.
2. Six of the seven families trigger the detection for processes executing from file paths that are commonly abused by threat actors. One of the seven (NjRAT) additionally uses .vbs and .js files as part of its loader, and their execution leads to suspicious child processes.
Figure 10: Detection Count and Detection Coverage Per MITRE ATT&CK ID
3. AsyncRAT (seven analytics), DarkCrystal RAT (five analytics), and DarkGate (six analytics) have a substantial number of detections related to execution techniques, covering batch files, VBScript, JScript, PowerShell, and AutoIt.
Figure 11: Detection Count and Detection Coverage Per MITRE ATT&CK ID
4. All seven families drop files into folders that are widely abused by threat actors and malware authors to hide their tracks, such as "users\public\" and "%temp%".
5. Five of the seven families (Amadey, AsyncRAT, DarkGate, NjRAT and PlugX) persist through registry run key entries (T1547.001).
Figure 12: Registry Run Keys Coverage
6. Four of the seven families (Amadey, NjRAT, AsyncRAT, and DarkCrystal RAT) use scheduled tasks for persistence and privilege escalation on compromised hosts. A different group of four (Amadey, DarkGate, NjRAT, and Warzone RAT) can steal browser credentials and other sensitive browser data.
Figure 13: Scheduled Task and Browser Stealer Detection Coverage
Commonalities by Analytic Detections
We've also conducted an analysis to identify specific Splunk Security detections capable of identifying specific tactics, techniques, and procedures (TTPs) commonly found across all or some of these malware families.
- Executables Or Script Creation In Suspicious Path is an anomaly detection that is a good pivot for all seven malware families. It looks for the creation of executable or script files in folder paths known to be abused by threat actors.
- Suspicious Process File Path and the hunting search CMD Carry Out String Command Parameter each cover six of the seven families. The first looks for processes running from file paths that several threat actors are known to abuse; the second looks for cmd.exe invoked with the /c parameter, which runs the supplied command string and exits and is commonly used by adversaries and malware to launch batch files or PowerShell commands.
- Five of the seven families can be detected by the Registry Keys Used For Persistence TTP detection, which looks for modification of registry keys that gain persistence and execution during the startup process.
- Four of the seven families have been identified stealing information from the Chrome browser. This activity can be detected through analytics such as Windows Credentials from Password Stores Chrome Login Data Access and Windows Credentials from Password Stores Chrome LocalState Access, which monitor non-Chrome processes attempting to access Chrome's password store databases. Additionally, a different set of four families (Amadey, NjRAT, AsyncRAT, and DarkCrystal RAT) uses scheduled tasks for persistence and privilege escalation, which is detectable through analytics like Scheduled Task Deleted Or Created via CMD.
- Interestingly, three of the seven families attempt to reboot or shut down the compromised host, which can be detected by Windows System Reboot CommandLine and Windows System Shutdown CommandLine. These two detections look for execution of the shutdown.exe Windows application to shut down or restart the system. Three of the families also manipulate their process access token to enable SeDebugPrivilege, which can be detected by Windows Access Token Manipulation SeDebugPrivilege.
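The following is an added example, not Splunk code and not part of the Splunk Threat Research Team's content: a plain Python re-implementation of the matching logic behind the commonality detections named in the list above, run over a small set of constructed Sysmon and Windows Security style events that mimic one toy infection chain. Field names follow Sysmon (Image, CommandLine, ParentImage, TargetFilename, TargetObject) and Windows Security (ObjectName, ProcessName, EnabledPrivilegeList) conventions; the event IDs used for Chrome store access (4663, which requires a SACL on the profile folder) and SeDebugPrivilege (4703) are assumptions about how such telemetry is typically collected, and the path, extension and registry key lists are illustrative subsets, not the full lists behind the production analytics. The SID, host names and file paths in the sample events are made up.

```python
import re
from typing import Callable, Dict, Iterable, List, Tuple

Event = Dict[str, str]

# Folder paths routinely abused for staging payloads (illustrative subset).
SUSPICIOUS_PATHS = ("\\users\\public\\", "\\appdata\\local\\temp\\",
                    "\\windows\\temp\\", "\\programdata\\", "\\perflogs\\")
# Executable/script extensions that are suspicious when created under those paths.
SUSPICIOUS_EXTENSIONS = (".exe", ".dll", ".scr", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".lnk")
# Run / RunOnce keys used for T1547.001 persistence.
RUN_KEYS = ("\\software\\microsoft\\windows\\currentversion\\run",
            "\\software\\microsoft\\windows\\currentversion\\runonce")
# Chrome credential stores that only chrome.exe should normally open.
CHROME_STORES = ("\\google\\chrome\\user data\\default\\login data",
                 "\\google\\chrome\\user data\\local state")

def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def _in_suspicious_path(path: str) -> bool:
    low = path.lower()
    return any(p in low for p in SUSPICIOUS_PATHS)

# Each detection takes one event and returns True when it fires.
def exe_or_script_created_in_suspicious_path(e: Event) -> bool:   # Sysmon 11 (FileCreate)
    target = e.get("TargetFilename", "").lower()
    return (e.get("EventID") == "11" and target.endswith(SUSPICIOUS_EXTENSIONS)
            and _in_suspicious_path(target))

def suspicious_process_file_path(e: Event) -> bool:               # Sysmon 1 (ProcessCreate)
    return e.get("EventID") == "1" and _in_suspicious_path(e.get("Image", ""))

_CMD_C = re.compile(r"(^|\s)/c(\s|$)", re.IGNORECASE)             # "/c" as its own token
def cmd_carry_out_string(e: Event) -> bool:
    return (e.get("EventID") == "1" and _basename(e.get("Image", "")) == "cmd.exe"
            and bool(_CMD_C.search(e.get("CommandLine", ""))))

def registry_run_key_persistence(e: Event) -> bool:               # Sysmon 13 (Registry Value Set)
    target = e.get("TargetObject", "").lower()
    return e.get("EventID") == "13" and any(k in target for k in RUN_KEYS)

def scheduled_task_via_cmd(e: Event) -> bool:                     # schtasks /create spawned by cmd.exe
    return (e.get("EventID") == "1" and _basename(e.get("Image", "")) == "schtasks.exe"
            and _basename(e.get("ParentImage", "")) == "cmd.exe"
            and "/create" in e.get("CommandLine", "").lower())

def chrome_store_access_by_non_chrome(e: Event) -> bool:          # Security 4663 (assumed; needs a SACL)
    obj = e.get("ObjectName", "").lower()
    return (e.get("EventID") == "4663" and any(s in obj for s in CHROME_STORES)
            and _basename(e.get("ProcessName", "")) != "chrome.exe")

_SHUTDOWN_FLAG = re.compile(r"(^|\s)[/-][rs](\s|$)", re.IGNORECASE)  # /r or /s, also -r / -s
def shutdown_or_reboot_commandline(e: Event) -> bool:
    return (e.get("EventID") == "1" and _basename(e.get("Image", "")) == "shutdown.exe"
            and bool(_SHUTDOWN_FLAG.search(e.get("CommandLine", ""))))

def sedebugprivilege_enabled(e: Event) -> bool:                   # Security 4703 (assumed; token right adjusted)
    return e.get("EventID") == "4703" and "sedebugprivilege" in e.get("EnabledPrivilegeList", "").lower()

DETECTIONS: Dict[str, Callable[[Event], bool]] = {
    "Executables Or Script Creation In Suspicious Path": exe_or_script_created_in_suspicious_path,
    "Suspicious Process File Path": suspicious_process_file_path,
    "CMD Carry Out String Command Parameter": cmd_carry_out_string,
    "Registry Keys Used For Persistence": registry_run_key_persistence,
    "Scheduled Task Deleted Or Created via CMD": scheduled_task_via_cmd,
    "Windows Credentials from Password Stores Chrome Login Data Access": chrome_store_access_by_non_chrome,
    "Windows System Shutdown/Reboot CommandLine": shutdown_or_reboot_commandline,
    "Windows Access Token Manipulation SeDebugPrivilege": sedebugprivilege_enabled,
}

def run_detections(events: Iterable[Event]) -> List[Tuple[str, Event]]:
    """Return a (detection name, event) pair for every event/detection that fires."""
    return [(name, e) for e in events for name, fn in DETECTIONS.items() if fn(e)]

def hit_counts(events: Iterable[Event]) -> Dict[str, int]:
    counts = {name: 0 for name in DETECTIONS}
    for name, _ in run_detections(list(events)):
        counts[name] += 1
    return counts

# Constructed telemetry for one toy infection chain; the last three events are benign noise.
P = r"C:\Users\Public\update.exe"
SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS: List[Event] = [
    {"EventID": "11", "Image": SYS32 + r"\wscript.exe", "TargetFilename": P},
    {"EventID": "1", "Image": P, "CommandLine": f'"{P}"', "ParentImage": SYS32 + r"\wscript.exe"},
    {"EventID": "1", "Image": SYS32 + r"\cmd.exe", "CommandLine": r'cmd.exe /c "C:\Users\Public\run.bat"', "ParentImage": P},
    {"EventID": "13", "Image": P, "Details": P,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": "1", "Image": SYS32 + r"\schtasks.exe", "ParentImage": SYS32 + r"\cmd.exe",
     "CommandLine": f'schtasks /create /sc minute /mo 1 /tn Updater /tr "{P}"'},
    {"EventID": "4663", "ProcessName": P,
     "ObjectName": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"EventID": "4703", "ProcessName": P, "EnabledPrivilegeList": "SeDebugPrivilege"},
    {"EventID": "1", "Image": SYS32 + r"\shutdown.exe", "CommandLine": "shutdown.exe /r /t 0", "ParentImage": P},
    {"EventID": "4663", "ProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ObjectName": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"EventID": "1", "Image": SYS32 + r"\cmd.exe", "CommandLine": "cmd.exe /k dir", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": "11", "Image": SYS32 + r"\notepad.exe", "TargetFilename": r"C:\Users\victim\Documents\notes.txt"},
]

if __name__ == "__main__":
    for name, e in run_detections(SAMPLE_EVENTS):
        print(f"[{name}] {e.get('Image') or e.get('ProcessName')}")
```

Run against the sample chain, each of the eight detections fires exactly once and none of the three benign events match. The point of the exercise is the pivot the list above describes: a single hit on the suspicious-path file creation is low fidelity on its own, but chaining it to the run key write, the schtasks /create from cmd.exe and the Chrome Login Data read by the same non-Chrome image gives an analyst a high-confidence story regardless of which of the seven families is behind it.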
Figure 14: Detection Commonalities per Analytic Story
Detections
The Splunk Threat Research Team has curated analytic stories and tagged them to the malware families (Amadey, PlugX, DarkCrystal RAT, AsyncRAT, NJRAT, Warzone (Ave Maria) RAT and DarkGate) to help security analysts detect these threats or adversaries leveraging these malware families. These analytic stories introduce 123 detections across MITRE ATT&CK techniques.
For these analytic stories, we used and considered the relevant data endpoint telemetry sources such as:
- Process Execution & Command Line Logging
- Windows Security SACL Event ID, Sysmon, or any Common Information Model-compliant EDR technology
- Windows Security Event Log
- Windows System Event Log
- Windows PowerShell Script Block Logging
Why Should You Care?
The Splunk Threat Research Team aims to enable security analysts, blue teamers and Splunk customers to address the top RATs and Trojan Stealers in the wild. This blog provides the community with tools to discover TTPs related to these threats and with analytic detections that cover a subset or all of these malware families, along with more insight into the TTPs these seven families have in common.
By understanding the behaviors and key indicators of these malware families, the Splunk Threat Research Team was able to generate telemetry and datasets to develop and test Splunk detection analytics designed to defend and respond against these types of threats.
Learn More
You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections now available via push update.
For a full list of security content, check out the release notes on Splunk Docs.
Here is a list of Splunk Threat Research Team blogs specifically dedicated to the analysis of each RAT and Trojan Stealer:
Feedback
Any feedback or requests? Feel free to open an issue on GitHub and we'll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on Slack.
Contributors
We would like to thank Teoderick Contreras for authoring this post and the entire Splunk Threat Research Team for their contributions, including Michael Haag, Mauricio Velazco, Lou Stella, Bhavin Patel, Rod Soto, Eric McGinnis, and Patrick Bareiss.