Skip navigation

You Built a Better Mousetrap? They Built Better RATs

Earlier this month, we tasked Kyle from our Research and Development team with covering some common themes discussed at Black Hat and DEF CON. We want to bring these issues to both the security community that was in Vegas at the cons and those who kept an eye on the action from the outside.

“2015 will be the Year of the Remote Access Trojan (RAT),” predicted Gary Miliefsky, CEO of SnoopWall. Remote Access Trojans (RATs) have traditionally been known as tools that perform tasks such as installing additional malware or stealing files from an infected computer. They are often bundled with enticing software like free games or system utilities. RATs are nothing new, but their usage and related attack methods have changed recently in interesting ways.

RATs have seen a marked increase in usage against individuals rather than corporate interests. Due to the ease in distributing RAT software alongside legitimate (or legitimate-looking) software, it takes little effort to gain access to hundreds of devices. This is helped by the prevalence of tutorials on message boards and YouTube explaining how to quickly get started as a user of RATs.

An attacker’s view of a woman sleeping through her webcam An attacker’s view of a woman sleeping through her webcam — Sydney Morning Herald

Once the user takes the bait, the RAT hides itself and reports back to the attacker, or “RATter”, as they call themselves. If the device has an embedded camera or an attached webcam, a common tactic of RATters is to take photos surreptitiously. The embedded LEDs that indicate webcam usage do create the risk of discovery for amateur RATters. More experienced attackers (or sophisticated toolkits, since RATters rarely write their own tools) can often configure the camera to disable the LED or by patching the firmware. I wrote about Ken Westin’s work in a post earlier this week, and he uses similar techniques to try to grab photos of the criminals he’s pursuing.

Of course, there’s always a webcam privacy solution for the paranoid:

A laptop camera with tape over the camera
notANON — Geordy Rostad

This ecosystem also includes people who are willing to pay for devices infected with RATs, which has fueled the growth of this underground activity. An easy means to monetize photos taken is to catch subjects in compromising positions and then extort them, a tactic referred to as “sextorting”.

A poster at Hack Forums offers $5 for RATted devices belonging to women and $1 for menDigital Citizens Alliance

One prominent example of this was Cassidy Wolf, winner of the 2013 Miss Teen USA competition. Her case is only known because she stood up to the extortion attempts and pursued her attacker, Jared James Abrahams, aka “cutefuzzypuppy”, through the criminal justice system. Abrahams has since been sentenced to federal prison time, but it took substantial time and energy to get the FBI to determine what happened and figure out how to track him down, something that many victims don’t try, often because they’re so embarrassed. An advocacy group, Digital Citizens Alliance, is working to raise awareness and lobbying for laws to protect ordinary citizens from these attacks.

Digital Citizens Alliance issued a comprehensive report, “Selling ‘Slaving,’” on the topic of RAT attacks on consumers.

Keylogger, Video, Mouse — How To Turn Your KVM Into a Raging Keylogging Monster

At DEF CON two weeks ago, Yaniv Balmas (@ynvb) and Lior Oppenheim (@oppenheim1) presented a means of remote access that, while not spreading via Trojan, still allowed an attacker to control a secure, airgapped computer. For this attack to be possible, both the secure computer and an insecure one have to be connected to the keyboard-video-mouse switch (KVM). Given that KVM switches use combinations of standard keys to communicate commands, they have to process the keystrokes, which suggests that there’s software running.

The researchers were able to deobfuscate the KVM’s firmware and patch it with a modified version. The new firmware enables a malware-infested insecure computer to send a malicious program to the secure one by tediously sending tiny amounts of data through at a time via the very limited storage in the KVM, at which point, the KVM would then send the data as though the user had actually typed. This does require some substantial amount of access to the device, though some KVMs are on the Internet and open, and they apparently accept firmware upgrades from this Internet-accessible console.

Balmas and Oppenheim did discuss the means of mitigating this type of attack. One option to protect against attacks that use on-site physical access is to use a much more expensive “Secure KVM” that is protected against electronic eavesdropping (e.g., TEMPEST attacks) and tampering. That doesn’t protect against supply chain attacks, though, where the compromise happens during the manufacturing. Nevertheless, keystroke statistics can still thwart many attacks, even if the KVM shipped in a compromised state, since it’s much harder to get a relatively dumb device like a KVM to type with the cadence and mistakes of a human.

Their talk is covered in more detail by Hackaday.

Remote Access, the APT

So far, I’ve presented only remote access technology that uses malware to spread. At both DEF CON and BSidesLV, Ian Latter (@ILatter) presented ThruGlassXfer (TGXf), a system and an approach that can be used to exfiltrate data from any system where the attacker can type and see output. This includes remote employees who use thin clients or desktop sharing software, like VNC (Virtual Network Computing). Regardless of which particular software is being used for remote access, this attack can discreetly extract data unless every keystroke and display is monitored.

The data receiver in these systems is a camera pointed at the remote screen that reads binary data. Latter devised a protocol that used QR codes as data frames, i.e., layer 2 in the OSI model. Holding a phone up to this screen allows the phone to receive complete files, even if they exceed the capacity of a single QR code. That said, it’s difficult to ensure delivery when the receiver is unable to communicate to the sender, and that results in a few technical problems that Latter demonstrated.

This component, standing alone, requires that a QR code generating program be installed to execute his protocol. An ideal scenario wouldn’t require the user to actually install anything, due to the desire for the activity to not be logged. To resolve this, an attacker needs to send data to the secured machine. ThruKeyboardXfer (TKXf) is an Arduino USB module that presents itself as a Human Interface Device (HID), the generic category for keyboards, mice, trackpads, joysticks and more. The TKXf also has a serial interface that lets the attacker upload either a file or a stream of bytes from an external source, all the while appearing to be just a keyboard that’s sending keystrokes.

The architecture diagram for the duplex TCP stream

With these two fundamental components, Latter builds upon them to establish a full duplex communication link that he used TCP over to establish the familiar stream abstraction for the attacker’s programs. Admittedly, this particular configuration requires root privileges to spin up the PPP daemon.

Given the goal of extracting data without root privileges and access, Latter modifies his approach to instead capture the video feed of a monitor with $120 in equipment. A malicious program then displays the entire file as a large binary image, identical to the QR code approach, except that the decoding here is done offline since everything on the monitor gets captured. This process can upload at 1.3 Mbps. With $30 more in equipment, he demonstrates an upload rate of 4.7 Mbps.

Finally, he replaces that equipment with a 4K HDMI recorder that costs $1,500 and achieves a data rate of 12.1 Mbps. Of course, this only works if the attacker has remote access and also can read sensitive files, but, presumably, cannot download them and thus needs to resort to this approach to extract the sensitive data.

Latter’s presentation of ThruGlassXfer at BSidesLV 2015 is on YouTube.


Remote access should always be a concern of security teams, especially if it’s not permitted. Even if remote access is allowed, security teams need to consider the risks that may introduce. From classic remote-access exploits like Back Orifice (introduced 17 years ago at DEF CON 6) and Sub7 to new attacks that use remote access like TGXf, once an attacker has a way to communicate with the target computer, they can do much more than intended. The only way to mitigate this is with the oft-mentioned “defense in depth” principle: assume that your remote access system isn’t going to prevent illicit data transfer, and protect the next level (sensitive data in this case) independently.

Ian Latter spends the last five minutes of his talk (starting at 33:14) discussing the issues of mitigation and risk management, given that he just demonstrated that any sort of remote access can be exploited. Based on some reasonable assumptions about the value of consumer data, based on previous FTC fines and the speed of the 4K HDMI capture, an attacker could extract 65 million records valued at $5.8 billion in a 24-hour period.

Overall, concerns about protecting data from abuse of remote access should be considered from the angle of minimizing risk rather than protecting everything 100 percent. While these attacks are complex and require a high level of access, the proof of concept proves that it’s definitely possible. Perfect protection of everything simply isn’t realistic in the current security environment. Latter developed a simple risk calculator based on public case studies of cost of records and exfiltration methods. The only pragmatic security strategy is to find an optimal point in the tradeoff between security expense/inconvenience and fines/costs of breaches. Every organization should assume that it will get breached eventually, and it should have a plan for reacting to an incident and recovering as fast as possible.

Kyle Lady

Senior Research and Development Engineer


Kyle is a Senior R&D engineer at Duo, where he harasses everyone for more data to try to satisfy the unquenchable thirst for data that academic research imparted. He has only broken the Internet once.