“RadRAT” Espionage Tool Flushed Out

Bucharest-headquartered cybersecurity company Bitdefender has detected an advanced remote access tool, named RadRAT – which offers full control over seized computers – that it believes to have been unnoticed and operating since at least 2015.

This RAT is used in targeted attacks aimed at exfiltrating information, or monitoring victims in enterprises or large businesses running Windows.A research was conducted by one of our experts, he says, “Our interest was stirred by its remote access capabilities, which include unfettered control of the compromised computer, lateral movement across the organization and rootkit-like detection-evasion mechanisms. Powered by a vast array of features, this RAT was used in targeted attacks aimed at exfiltrating information or monitoring victims in large networked organizations.“In addition to its very powerful data exfiltration mechanisms, RadRAT features extremely interesting lateral movement mechanisms that include Mimikatz-like credentials harvesting from WDigest.dll and kerberos.dll; NTLM hash harvesting from the Windows registry, inspired from the source code of the Mimikatzlsadmp tool; using the infected machine to retrieve a Windows password from the LanMan (LM) hash, by cracking previously sniffed NTLM authentication challenges; an implementation of the Pass-the- Hash attack on SMB connections.”

RadRAT’s current command set supports 92 instructions, some of which are only available to one of the two main components, wrpcs.dll or ntmgr2.dll.These commands can be split into multiple categories. For file or registry operations, for example, the attacker can use these commands to gain specific knowledge about the file layout and registry data of the victim machine or of network connected machines.The attacker has the ability to read any file, list the shares of machines on the network, obtain a list of files inside a directory, or get their sizes. Some advanced commands operate on chunks of larger files, being able to read them, compute and compare hashes of byte sections inside the file, and upload them in case of an unknown hash.