RAT Avoids Detection
Thursday, October 8, 2015 @ 03:10 PM gHale
A piece of malware, called Moker after the file description in its executable file, is a Remote Access Trojan (RAT) with powerful detection-evasion methods, researchers said.
The malware came to light after security firm enSilo found the RAT on the network of one of its customers.
Moker takes complete control of the target machine by creating a new user account and opening an RDP channel to gain remote control of the victim’s device, the researchers said in a blog post.
It tampers with sensitive system files and modifies system-security settings, and injects itself into different system processes. It’s also capable of recording keystrokes, taking screenshots, recording web traffic and exfiltrating files.
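The account-plus-RDP behaviour above is something a defender can correlate from ordinary host telemetry. The following is an added example, not code from the article or from enSilo: it parses a few constructed log lines (the layout is an assumed export format, not a native Windows log format) and raises an alert when, on one host and within a short window, a new local account is created (Security event 4720), added to an RDP-capable group (event 4732) and Remote Desktop is enabled by setting the `fDenyTSConnections` registry value to 0. The registry-change record uses a placeholder event ID 9999 standing in for an assumed EDR feed.

```python
"""Correlate a new local account, RDP group membership and RDP being enabled
on the same host within a short window (added example; sample data constructed)."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# 4720 (user account created) and 4732 (member added to a security-enabled
# local group) are real Windows Security event IDs. 9999 is a placeholder for
# a registry-change record from an assumed EDR feed.
USER_CREATED = 4720
GROUP_MEMBER_ADDED = 4732
REGISTRY_SET = 9999

# Real registry value: RDP is enabled when it is set to 0.
RDP_DENY_VALUE = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"
RDP_GROUPS = {"Remote Desktop Users", "Administrators"}

# Constructed sample telemetry. A real 4732 carries the member's SID
# (MemberSid); this assumed feed is taken to have resolved it to MemberName.
SAMPLE_LOG = r"""
2015-10-08T14:01:02 WS-17 4720 TargetUserName="svc_backup" SubjectUserName="jdoe"
2015-10-08T14:01:05 WS-17 4732 TargetUserName="Remote Desktop Users" MemberName="svc_backup"
2015-10-08T14:01:09 WS-17 9999 RegistryPath="HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections" NewValue="0"
2015-10-08T09:30:00 WS-03 4720 TargetUserName="intern2" SubjectUserName="helpdesk"
2015-10-08T09:31:00 WS-03 4732 TargetUserName="Users" MemberName="intern2"
2015-10-08T16:45:00 WS-09 9999 RegistryPath="HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections" NewValue="0"
"""

_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> Optional[Dict]:
    """Parse '<timestamp> <host> <event id> key="value" ...'; None if malformed."""
    parts = line.split(None, 3)
    if len(parts) < 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        event_id = int(parts[2])
    except ValueError:
        return None
    fields = dict(_KV.findall(parts[3])) if len(parts) == 4 else {}
    return {"ts": ts, "host": parts[1], "id": event_id, **fields}


def parse_log(text: str) -> List[Dict]:
    """Parse every well-formed line of a log export, skipping malformed ones."""
    return [e for e in (parse_line(l) for l in text.strip().splitlines()) if e]


def find_rogue_rdp_accounts(events: List[Dict],
                            window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """One alert per (host, new user) where, within `window` of the account's
    creation, the user joined an RDP-capable group and RDP was enabled."""
    alerts = []
    by_host: Dict[str, List[Dict]] = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e)
    for host, evs in by_host.items():
        for created in (e for e in evs if e["id"] == USER_CREATED):
            user = created.get("TargetUserName")
            later = [e for e in evs if created["ts"] <= e["ts"] <= created["ts"] + window]
            joined_rdp_group = any(
                e["id"] == GROUP_MEMBER_ADDED
                and e.get("MemberName") == user
                and e.get("TargetUserName") in RDP_GROUPS
                for e in later)
            rdp_enabled = any(
                e["id"] == REGISTRY_SET
                and e.get("RegistryPath") == RDP_DENY_VALUE
                and e.get("NewValue") == "0"
                for e in later)
            if joined_rdp_group and rdp_enabled:
                alerts.append({"host": host, "user": user,
                               "created_by": created.get("SubjectUserName"),
                               "created_at": created["ts"]})
    return alerts


if __name__ == "__main__":
    for a in find_rogue_rdp_accounts(parse_log(SAMPLE_LOG)):
        print(f"ALERT {a['host']}: account {a['user']} created by {a['created_by']} "
              f"at {a['created_at']:%H:%M:%S}, granted RDP and RDP enabled within 10 min")
```

Only the WS-17 sequence trips the rule: WS-03 sees a new account but no RDP grant, and WS-09 sees RDP enabled with no new account. Narrowing the window drops the WS-17 alert too, since its registry change lands 7 seconds after the account creation; the window is a tuning knob, and a single event from each step is a weaker but still useful signal on its own.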
“Interestingly, Moker did not necessarily need to be controlled from remote,” the researchers said. “A feature of the RAT includes a control panel that enables the attacker to control the malware locally.”
Moker’s ability to avoid detection includes code packing and a dropper that prepares the machine and defeats sandboxes, and then sends in the encrypted malicious payload. Protection against anti-virus and virtual-machine analysis is also included, and the malware is capable of bypassing Windows’ User Access Control (UAC) by exploiting a known design flaw.
Ultimately, and unlike most malware, Moker achieves system privileges.