Remote Access Trojan (RAT) Targets Windows Environments
The latest RAT (Remote Access Trojan) targets Windows machines, bypassing security measures such as antivirus and the security enhancements built into Windows. Dubbed ‘Moker,’ the RAT can take screenshots, record web traffic, monitor keystrokes, exfiltrate files and inject malicious code into other system processes, according to the security company enSilo.
Moker can create new user accounts with administrative rights, open a Remote Desktop Protocol (RDP) channel, and gain control over a victim’s device. Named after the file description the malware author gave to the executable, Moker can also obtain system privileges and access protected settings by posing as a legitimate operating system process.
The malware can also be controlled remotely over VPN using a legitimate set of user credentials, or locally through a control panel, without the need for a command-and-control server or even an Internet connection.
Getting Privileged Access
But how does the malware bypass Windows’ security? Moker exploits a few loopholes and design flaws in Windows controls: not vulnerabilities, but features that attackers abuse, as a more technical overview from BreakingMalware.com explained.
Windows’ User Account Control (UAC) is a security feature that pops up a dialog box and prompts the user whenever a program requests elevated (Administrator) privileges. Moker gained those privileges without user consent by piggybacking on programs that are exempt from the UAC prompt.
The Microsoft System Preparation Tool (Sysprep) is one example of a program that is always granted elevation without prompting the user. Sysprep lets you install Windows with minimal intervention by admins or technicians; it is typically used during large-scale rollouts, where it would take too much time and too many resources to have someone manually install an OS on each desktop.
Windows also lets authorized applications load unauthorized DLLs (dynamic link libraries), a design flaw in the way Windows resolves DLLs on request. Some DLLs (Windows’ list of known DLLs) are always loaded from the system directory, regardless of any duplicate DLL of the same name found in the application’s own directory.
One DLL that does not fall under this restriction is ActionQueue.dll. To bypass Windows security, Moker writes a file named ActionQueue.dll into the Sysprep directory, then runs Sysprep so that its DLL is loaded and runs with elevated privileges.
Screenshot of Sysprep file from BreakingMalware.com
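As an added, defender-side example (not code from the article, enSilo or BreakingMalware.com), the following PowerShell audits a host for the side-loading condition described above. It assumes Sysprep sits in its default System32\Sysprep location and that any legitimate DLL placed there would carry a valid Microsoft Authenticode signature; the KnownDLLs registry key it reads is the list of libraries Windows always resolves from the system directory, which is why a DLL absent from that list can be picked up from the application’s own folder.

```powershell
# Added example: audit the Sysprep directory for a planted ActionQueue.dll.
# Assumptions: default Sysprep location under System32; a legitimate DLL there
# would be Microsoft-signed. Run from an elevated PowerShell prompt.

function Test-SysprepDllHijack {
    $SysprepDir = Join-Path $env:SystemRoot 'System32\Sysprep'
    $Suspect    = Join-Path $SysprepDir 'ActionQueue.dll'

    # KnownDLLs are always resolved from the system directory, so a copy dropped
    # next to sysprep.exe would be ignored for them. ActionQueue.dll is not on
    # that list, which is what makes the side-load work.
    $KnownDllKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
    $KnownDlls = (Get-ItemProperty $KnownDllKey).PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -like '*.dll' } |
        ForEach-Object { $_.Value.ToLower() }

    if ($KnownDlls -contains 'actionqueue.dll') {
        Write-Output 'ActionQueue.dll is a KnownDLL on this host; a copy in the Sysprep directory would not be loaded.'
    }

    if (-not (Test-Path $Suspect)) {
        Write-Output "No ActionQueue.dll in $SysprepDir (expected on a clean system)."
        return
    }

    # A DLL is present: record hash, signer and timestamps so the finding can be triaged.
    $Hash = (Get-FileHash -Path $Suspect -Algorithm SHA256).Hash
    $Sig  = Get-AuthenticodeSignature -FilePath $Suspect
    $Item = Get-Item $Suspect

    [pscustomobject]@{
        Path      = $Suspect
        SHA256    = $Hash
        SignerCN  = $Sig.SignerCertificate.Subject   # $null when the file is unsigned
        SigStatus = $Sig.Status
        Created   = $Item.CreationTime
        Modified  = $Item.LastWriteTime
    } | Format-List

    if ($Sig.Status -ne 'Valid' -or $Sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        Write-Warning "Unsigned or non-Microsoft ActionQueue.dll found beside sysprep.exe: treat as a likely DLL hijack and isolate the host for investigation."
    }
}

Test-SysprepDllHijack
```

On a clean machine the function reports that no ActionQueue.dll is present; if one exists, the SHA256 and signer details it prints are what you would hand to incident response, and the same check can be scheduled or pushed through endpoint management to cover a fleet.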
Securing Your VPNs and Windows Logins
To prevent an attacker from logging in to manage the malware remotely, deploy two-factor authentication on your VPN and Windows machines; this effectively stops criminals from using stolen credentials to log into your network.
Two-factor authentication helps secure your Windows workstations and servers from unauthorized access, as it requires two different methods of verifying your identity when you log into your accounts.
Duo Security provides a two-factor integration for Windows Remote Desktop Protocol covering both RDP and local console logins, for Windows versions including Vista and Windows 10 clients and Windows Server operating systems from 2008 to 2012 R2.
Duo also provides security for other Microsoft applications and services, including Outlook Web Access (OWA), TMG (Threat Management Gateway), Azure AD and the Office 365 web clients.
Learn how to protect against remote access attacks by downloading The Essential Guide to Securing Remote Access.
In this guide, we’ll explore:
- VPN (Virtual Private Network) and cloud security concerns
- How to meet compliance regulations and secure remote access
- How two-factor authentication can help mitigate risk and avoid an expensive data breach