Moker RAT Bypassing Security Measures, Evading Detection

Type threatpost
Reporter Chris Brook
Modified 2015-10-07T17:49:00


Researchers warned Tuesday the latest APT to make the rounds features a remote access Trojan that can effectively mitigate security measures on machines and grant the attacker full access to the system.

Experts with the Israeli cyber security start-up enSilo discovered the RAT – which they refer to as Moker – lurking inside one of their customers’ networks but admit they aren’t sure how it got there.

Related Posts

ShadowBrokers’ Leak Has ‘Strong Connection’ to Equation Group

August 17, 2016 , 7:30 am

Academics Devise New Way to Steal Data from Air-Gapped Computers

August 12, 2016 , 11:01 am

ProjectSauron APT On Par With Equation, Flame, Duqu

August 8, 2016 , 1:40 pm

In fact Yotam Gottesman, a senior security researcher with the firm, believes little was known about the malware until they stumbled upon it, pointing out that Moker hasn’t appeared on VirusTotal yet.

Perhaps that’s because the RAT, which targets Windows machines, is especially skilled when it comes to not getting caught.

According to researchers, Moker can bypass antivirus, sandboxing, virtual machines, and by exploiting a design flaw, User Account Control, the Windows feature that’s supposed to give users a heads up when a program makes a change that requires administrator-level permission. The malware apparently even applies anti-debugging techniques after its been detected to help avoid malware dissection and to further deceive researchers.

“[Moker’s] detection-evasion measures included encrypting itself and a two-step installation,” Gottesman wrote on Tuesday.

“Measures to protect itself from posthumous dissection included evading debugging techniques that are used by researchers, the addition of complex code and purposefully adding instructions to lead researchers in the wrong direction.”

Once embedded on a system, the RAT could cause a real headache for users. An attacker could more or less take full control of the device to take screenshots, record web traffic, sniff keystrokes, and exfiltrate files. They could also leverage the malware to create new user accounts, modify system security settings, and inject malicious code during runtime on the machine.

It’s unclear exactly who’s behind the malware – enSilo points out that the malware communicated with a server in Montenegro, a small Balkan nation that borders Serbia and Kosovo – but admits that this was probably done to throw off researchers and law enforcement.

In addition to the measures it takes to avoid detection, another interesting thing about the malware is that it doesn’t necessarily need to communicate with an external command and control server to do its bidding. The malware instead can receive commands locally via a hidden control panel.

The researchers assume the functionality was built into the RAT so an attacker could VPN into the system they’re targeting and pull strings from there, but acknowledge the feature also could’ve been inserted by the author for testing purposes.

While enSilo claims that Moker could have been a one time thing, the firm wouldn’t rule out the possibility that other RATs might borrow similar techniques later down the line.

“This case might have been a dedicated attack,” Gottesman wrote, “However, we do see that malware authors adopt techniques used by other authors. We won’t be surprised if we see future APTs using similar measures that were used by Moker (such as bypassing security mechanisms and dissection techniques).“