Detecting Remote Access Trojan (RAT) Attacks based on Different LAN Analysis Methods
Received: 17 July 2024 | Revised: 1 August 2024 | Accepted: 11 August 2024 | Online: 6 October 2024
Corresponding author: Salar Jamal Rashid
Abstract
Cyberattacks aim to access confidential information or disrupt system functionality. Today they can take the form of attacks that give the attacker complete control over the victim's computer. Remote Access Trojans (RATs) are malware designed for this purpose. A RAT gives an attacker direct access to a victim's computer and allows the attacker to steal confidential information, spy on the victim in real time, or interact directly with the victim through a dialogue box. RATs are used for information theft, surveillance, and extortion of victims. This study installed multiple virtual machines as a prototype for both the attacker and the victim, interconnected on a Local Area Network (LAN). RAT installation was explored using Mega RAT version 1.5 Beta. Various RAT attacks were then executed on target machines, and a range of static and dynamic analysis tools were employed to identify the RAT. The scenarios implemented on the LAN demonstrated that RATs can be built and used with ease. Furthermore, their attacks can be identified through static or dynamic analysis using various freely available tools. The findings show that the static detection approach to identifying RAT malware is more user-friendly than dynamic methods. However, dynamic detection can be performed easily with cost-free software.
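The abstract states that RAT activity on the LAN can be identified by dynamic analysis with freely available tools such as Wireshark, without saying what such a check looks like. The following is an added example, not code from the paper or from Mega RAT: it reads constructed Wireshark-style CSV export rows (the addresses, timing and columns are made up for illustration) and flags source/destination pairs whose packets arrive at regular intervals, the periodic check-in ("beaconing") that RAT clients typically show when they poll their controller. The threshold values are assumptions to be tuned against benign traffic.

```python
"""Added example (not from the paper): flag regularly timed 'beaconing'
connections in Wireshark-style CSV export rows, a simple dynamic-analysis
check for RAT command-and-control traffic on a LAN."""
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample, NOT a real capture: the columns mirror a Wireshark
# "File > Export Packet Dissections > As CSV" export. 192.168.56.101 plays the
# victim VM checking in with the attacker VM 192.168.56.1 about every 5 s; the
# other rows are ordinary, irregular LAN traffic. All addresses are made up.
SAMPLE_CSV = '''"No.","Time","Source","Destination","Protocol","Length"
"1","0.000000","192.168.56.101","192.168.56.1","TCP","66"
"2","1.300000","192.168.56.101","192.168.56.20","TCP","74"
"3","2.000000","192.168.56.101","192.168.56.20","TCP","60"
"4","3.000000","192.168.56.102","192.168.56.1","TCP","66"
"5","5.000000","192.168.56.101","192.168.56.1","TCP","66"
"6","8.000000","192.168.56.102","192.168.56.1","TCP","66"
"7","9.700000","192.168.56.101","192.168.56.20","TCP","1514"
"8","10.020000","192.168.56.101","192.168.56.1","TCP","66"
"9","14.980000","192.168.56.101","192.168.56.1","TCP","66"
"10","20.010000","192.168.56.101","192.168.56.1","TCP","66"
"11","25.000000","192.168.56.101","192.168.56.1","TCP","66"
"12","30.030000","192.168.56.101","192.168.56.1","TCP","66"
"13","33.100000","192.168.56.101","192.168.56.20","TCP","60"
"14","40.000000","192.168.56.101","192.168.56.20","TCP","74"
'''


def load_flows(csv_text):
    """Group packet timestamps by (source, destination) pair, sorted in time."""
    flows = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        flows[(row["Source"], row["Destination"])].append(float(row["Time"]))
    return {pair: sorted(times) for pair, times in flows.items()}


def interval_stats(times):
    """Mean gap between consecutive packets and its coefficient of variation."""
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return mean, cv


def find_beacons(csv_text, min_events=5, max_cv=0.2):
    """Return flows that check in regularly enough to look like RAT beaconing.

    A flow is flagged when it carries at least `min_events` packets and the
    spread of its inter-packet gaps (coefficient of variation) is at most
    `max_cv`. Both thresholds are illustrative assumptions: tune them against
    benign traffic on the LAN being monitored (NTP, update checks and similar
    services also poll on a schedule and need an allow-list).
    """
    findings = []
    for (src, dst), times in load_flows(csv_text).items():
        if len(times) < min_events:
            continue
        mean, cv = interval_stats(times)
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "events": len(times),
                             "mean_interval_s": round(mean, 3), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_CSV):
        print(f"beacon candidate: {hit['src']} -> {hit['dst']} every "
              f"~{hit['mean_interval_s']} s ({hit['events']} packets, cv={hit['cv']})")
```

Run against a real export, the same function reads the CSV that Wireshark writes from a capture on the victim's LAN segment; the irregular traffic to 192.168.56.20 and the two-packet flow from 192.168.56.102 are left alone, while the near-constant 5 s cadence from the victim to the attacker VM is reported.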
Keywords:
Trojan, RAT, Mega RAT, VMWare, Wireshark
License
Copyright (c) 2024 Salar Jamal Rashid, Shatha A. Baker, Omar I. Alsaif, Ali I. Ahmad
This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors who publish with this journal agree to the following terms:
- Authors retain the copyright and grant the journal the right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
- Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) after its publication in ETASR with an acknowledgement of its initial publication in this journal.