In 2023, Remote Access Trojans (RATs) and Trojan Stealers were some of the most prevalent types of malware in the cybersecurity landscape. RATs and Trojan Stealer malware represent significant cybersecurity threats, as they’re often employed to conduct espionage, surveillance, and data theft, which emphasizes the critical need for robust defenses.
Over the course of the year, the Splunk Threat Research Team analyzed and developed analytic stories and security detections for seven well-known and active RAT and Trojan Stealer malware families: Amadey, PlugX, DarkCrystal RAT, AsyncRAT, NJRAT, Warzone (Ave Maria) RAT and DarkGate.
Although these are distinct malware families, that doesn’t mean they don’t have anything in common. After comparing these threats, the Splunk Threat Research Team identified several behavioral and tactical similarities that are worth understanding to help inform future investigations, as well as to help prioritize what security content to implement.
Continue reading for:
In the following section, we provide concise summaries for each malware family, along with MITRE ATT&CK Navigator diagrams showing the related analytic story’s coverage area.
Amadey is trojan malware renowned for its multifaceted capabilities, serving as a tool for espionage, data theft, and unauthorized access. Amadey is among the prevalent forms of malware that utilize Malware as a Service (MaaS) to deliver multiple malwares, updated copies of itself, and various Amadey plugins or attacks designed for information theft. Its functionalities encompass invasive actions, including keylogging, capturing screenshots, and extracting valuable data, such as login credentials and financial information, through browsers for financial gain.
Figure 1: Amadey Detection Coverage
PlugX, also known as Kaba or Korplug, represents a highly sophisticated RAT characterized by its advanced stealth and extensive espionage capabilities. Primarily attributed to threat actors in East Asia, particularly China, PlugX infiltrates systems to establish covert, persistent access, enabling remote control and data exfiltration. This advanced malware’s functionalities include keylogging, screen capturing, file manipulation, and command execution. Often delivered through targeted spear phishing campaigns or exploited vulnerabilities, PlugX's surreptitious nature allows it to evade detection while facilitating espionage, intellectual property theft, and unauthorized access to sensitive information.
Figure 2: Plugx Detection Coverage
DarkCrystal RAT is a sophisticated malware that enables cyber attackers to infiltrate target devices through capabilities such as remote host access, file manipulation, keystroke logging, and command execution. DarkCrystal RAT's modularity allows attackers to customize its functionalities, making it adaptable for various malicious purposes, including data theft, surveillance, and further exploitation. Its propagation commonly occurs through phishing emails, exploit kits, or social engineering tactics.
Figure 3: DarkCrystal RAT Detection Coverage
AsyncRAT is a popular malware commodity and tool used by attackers and advanced persistent threat (APT) groups. Threat actors and adversaries have used several interesting script loaders and spear phishing attachments to deliver AsyncRAT to targeted hosts or networks in different campaigns. AsyncRAT allows cyber attackers to infiltrate targeted devices covertly, providing a wide array of capabilities including remote desktop control, file manipulation, keystroke logging, webcam and microphone access, and command execution.
Figure 4: AsyncRAT Detection Coverage
NjRAT, short for "Njw0rm Remote Access Tool," is a robust and malicious RAT recognized for its versatile and intrusive capabilities. NjRAT's stealthy operation and ease of customization make it a favored tool in cybercrime, allowing attackers to propagate it through phishing campaigns, removable drives, malicious downloads, or disguised attachments, posing significant risks to individual users and organizations. Its ability to evade traditional security measures by utilizing polymorphic and obfuscation techniques presents challenges in detection and mitigation, emphasizing the critical need for robust cybersecurity measures.
Figure 5: NjRAT Detection Coverage
Warzone RAT, also known as AveMaria, is a RAT designed for unauthorized remote access and control over compromised systems. Its functionalities include keystroke logging, file manipulation and browser data exfiltration. Renowned for its stealthy operation, Warzone RAT is deployed through various attack vectors, such as phishing campaigns, deceptive downloads, or disguised attachments, enabling cybercriminals to gain covert access to targeted systems.
Figure 6: Warzone RAT Detection Coverage
DarkGate malware, initially observed in mid-2021, represents a sophisticated form of malware known for its multifaceted capabilities and its alarming impact on compromised systems. Functioning as a robust information stealer, DarkGate is designed to infiltrate systems stealthily and extract sensitive data, including credentials and personal data. It has been distributed through phishing campaigns and malicious attachments, exploiting vulnerabilities to gain unauthorized access.
Figure 7: DarkGate Detection Coverage
As previously mentioned, the Splunk Threat Research Team has analytic stories for each of the seven malware families described above, which include 123 security detections at the time of writing.
To assist SOC analysts, blue teamers, and security researchers in understanding common MITRE ATT&CK techniques within each malware family, we've grouped all MITRE ATT&CK technique IDs associated with our developed detections. Figures 8.1 and 8.2 reveal similarities and patterns across these techniques, aiding in comprehensive analysis and strategic mitigation efforts.
Figures 8.1 and 8.2 display a summary table detailing techniques relative to their MITRE ATT&CK ID within each malware family. This comprehensive table clarifies which technique IDs cover all or part of the seven malware families, aiding in identifying overlapping patterns and common tactics across these entities.
Figure 8.1: Commonalities by MITRE ATT&CK ID
Figure 8.2: Commonalities by MITRE ATT&CK ID
As an illustration, Figure 9 highlights the Splunk security detections that span across all seven malware families. Specifically, it encompasses initial access tactics (T1566.001, T1566), persistence tactics (T1543), defense evasion (T1036), and execution (T1059).
Figure 9: Commonalities by MITRE ATT&CK ID
We've categorized Splunk detections under each MITRE ATT&CK technique ID to assess our detection coverage across the shared IDs among all malware families. Here are our findings based on this analysis.
1. We observed that all seven of these malware families have a track record of leveraging malicious Microsoft Office documents. This includes the use of malicious macro code, attachments such as .CAB or other archive files, exploits targeting Microsoft Office vulnerabilities, and the deployment of malicious .LNK files.
2. Six of the malware families have a detection for process file paths commonly abused by several threat actors and adversaries. One of the seven (NjRAT) uses .vbs and .js files as part of its loader and execution chain, which leads to suspicious child process execution.
Figure 10: Detection Count and Detection Coverage Per MITRE ATT&CK ID
3. AsyncRAT (seven analytics), DarkCrystalRAT (five analytics), and DarkGate (six analytics) exhibit a substantial number of detections related to execution tactics. These encompass various methods such as batch files, VBScript, JScript, PowerShell, and AutoIt within their detection patterns.
Figure 11: Detection Count and Detection Coverage Per MITRE ATT&CK ID
4. All seven of these malware families dropped files into commonly known folder paths abused by several threat actors, malware authors and adversaries, such as "users\public\", "%temp%" and many more, to hide their tracks.
5. Five of the seven malware families (Amadey, AsyncRAT, DarkGate, NjRAT and PlugX) use registry entries for persistence (T1547.001).
Figure 12: Registry Run Keys Coverage
6. Among the seven identified malware families, four (Amadey, NjRAT, AsyncRAT, and DarkCrystal RAT) employ scheduled tasks for persistence and privilege escalation on compromised hosts. Additionally, another subset of four (Amadey, DarkGate, NjRAT, and Warzone RAT) has the capability to steal browser credentials and other sensitive browser information.
Figure 13: Scheduled Task and Browser Stealer Detection Coverage
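To make findings 2, 4 and 5 above concrete, here is an added example (not Splunk's own detections or SPL) that runs the same three checks over constructed, Sysmon-style endpoint events: a Run key being set (T1547.001), a file dropped into a commonly abused folder, and a script host spawning a child process. The event field names and the sample records are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample endpoint events (hypothetical field names, not real telemetry).
EVENTS = [
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "image": r"C:\Users\Public\svc.exe"},
    {"type": "file_create", "path": r"C:\Users\Public\svc.exe",
     "image": r"C:\Windows\System32\wscript.exe"},
    {"type": "process_create", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c start svc.exe"},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Local\Temp\loader.vbs",
     "image": r"C:\Program Files\Mail\mail.exe"},
    {"type": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "registry_set", "key": r"HKLM\Software\Acme\Settings",
     "image": r"C:\Program Files\Acme\acme.exe"},
]

# Finding 5: Run / RunOnce keys used for persistence (T1547.001).
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Finding 4: folders the post lists as commonly abused drop locations (users\public, %temp%).
ABUSED_DIRS = re.compile(r"\\(Users\\Public|AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
# Finding 2: script hosts (.vbs/.js loaders) that spawn suspicious child processes.
SCRIPT_HOSTS = re.compile(r"\\(wscript|cscript|mshta)\.exe$", re.IGNORECASE)


def classify(event):
    """Return the labels of the findings that a single event matches (empty list if none)."""
    hits = []
    kind = event.get("type")
    if kind == "registry_set" and RUN_KEY.search(event.get("key", "")):
        hits.append("persistence_run_key")
    if kind == "file_create" and ABUSED_DIRS.search(event.get("path", "")):
        hits.append("drop_in_abused_folder")
    if kind == "process_create" and SCRIPT_HOSTS.search(event.get("parent", "")):
        hits.append("script_host_child")
    return hits


def summarize(events):
    """Count matches per finding label, the way Figures 10 to 12 tally detections per technique."""
    counts = defaultdict(int)
    for event in events:
        for label in classify(event):
            counts[label] += 1
    return dict(counts)


if __name__ == "__main__":
    for event in EVENTS:
        print(classify(event), event.get("image"))
    print(summarize(EVENTS))
```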
We've also conducted an analysis to identify specific Splunk Security detections capable of identifying specific tactics, techniques, and procedures (TTPs) commonly found across all or some of these malware families.
Figure 14: Detection Commonalities per Analytic Story
The Splunk Threat Research Team has curated analytic stories and tagged them to the malware families (Amadey, PlugX, DarkCrystal RAT, AsyncRAT, NJRAT, Warzone (Ave Maria) RAT and DarkGate) to help security analysts detect these threats or adversaries leveraging these malware families. These analytic stories introduce 123 detections across MITRE ATT&CK techniques.
For these analytic stories, we used and considered the relevant data endpoint telemetry sources such as:
The Splunk Threat Research Team aims to enable security analysts, blue teamers and Splunk customers to address the top RATs and Trojan Stealers in the wild. This blog provides the community with tools to discover TTPs related to these threats and apply analytic detections that can detect a subset or all of these malware families. It also provides more insight into the commonalities between these seven malware families in terms of TTPs.
By understanding the behaviors and key indicators of these malware families, the Splunk Threat Research Team was able to generate telemetry and datasets to develop and test Splunk detection analytics designed to defend and respond against these types of threats.
You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections now available via push update.
For a full list of security content, check out the release notes on Splunk Docs.
Here is a list of Splunk Threat Research Team blogs specifically dedicated to the analysis of each RAT and Trojan Stealer:
| Malware Family | Splunk Blogs Link |
|---|---|
| DarkCrystal RAT | Dark Crystal RAT Agent Deep Dive |
| AsyncRAT | AsyncRAT Crusade: Detections and Defense |
| Amadey | Amadey Threat Analysis and Detections |
| Warzone (Ave Maria) RAT | Defending the Gates: Understanding and Detecting Ave Maria (Warzone) RAT |
| NJRAT | More Than Just a RAT: Unveiling NjRAT's MBR Wiping Capabilities |
| PlugX | Unmasking the Enigma: A Historical Dive into the World of PlugX Malware |
| DarkGate | Enter The Gates: An Analysis of the DarkGate AutoIt Loader |
Any feedback or requests? Feel free to open an issue on GitHub and we'll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on Slack.
We would like to thank Teoderick Contreras for authoring this post and the entire Splunk Threat Research Team for their contributions, including Michael Haag, Mauricio Velazco, Lou Stella, Bhavin Patel, Rod Soto, Eric McGinnis, and Patrick Bareiss.