Symantec Finds a RAT Going After U.S., UK and India SMBs

A social engineering-based attack tricks users, resulting in a remote access Trojan, or RAT, infection.


Security firm Symantec issued a warning today about an ongoing attack against small and midsize businesses in the United States, United Kingdom and India that is infecting users with a remote access Trojan (RAT).

A RAT gives an attacker remote access to a victim's machine and can lead to information disclosure and financial losses. According to Symantec's research, the campaign makes use of the Backdoor.Breut and Trojan.Nancrat RAT tools and has been active since the beginning of 2015.

"The attack is one among many detected by Symantec daily," Symantec researcher Gavin O'Gorman told eWEEK. "It was brought to our attention by a customer request."

According to O'Gorman, Symantec has observed hundreds of distinct machines compromised by this attack. Fifty-six percent of the victims identified by Symantec are in India, with 23 percent in the U.S. and 21 percent in the UK.

The mechanics of the attack are relatively simple, yet effective. The attackers send phishing emails with financially themed subject lines, such as payment advice, request for quotation and payment remittance. The emails are sent from either stolen or spoofed email accounts to make them look legitimate to potential victims. Each carries a simple file attachment, often compressed in .ZIP format. Once the victim opens the attachment and runs the file inside, the system is compromised by one of the RATs.

"The victim has to open the attachment in the email and execute the file to become infected," O'Gorman said.
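The lure described above pairs a finance-themed subject line with a ZIP attachment that the recipient has to unpack and run. The following mail-gateway triage is an added example, not Symantec's or eWEEK's code: it flags inbound messages that combine those indicators by opening each ZIP attachment in memory and checking whether it contains a file with an executable extension. The message structure, the extension list and the two sample messages are constructed for the demonstration; the subject phrases are the ones quoted in the article.

```python
"""Mail-gateway triage for the ZIP-attachment phishing pattern above.

Added example (not Symantec's or eWEEK's code). The Message/Attachment shape,
the executable-extension list and the sample messages are constructed.
"""
import io
import re
import zipfile
from dataclasses import dataclass, field
from typing import List

# Subject phrases named in the article: payment advice, request for quotation,
# payment remittance. Matched case-insensitively.
FINANCE_SUBJECT = re.compile(
    r"payment\s+advice|request\s+for\s+quotation|payment\s+remittance|\bRFQ\b",
    re.IGNORECASE,
)
# Extensions that run as code when double-clicked on Windows (assumed list).
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar")


@dataclass
class Attachment:
    filename: str
    data: bytes


@dataclass
class Message:
    sender: str
    subject: str
    attachments: List[Attachment] = field(default_factory=list)


def executable_members(zip_bytes: bytes) -> List[str]:
    """Return member names inside a ZIP that carry an executable extension.

    A corrupt or non-ZIP payload is reported as suspicious on its own so the
    caller quarantines it rather than passing it through unexamined.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXT)]
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]


def triage(msg: Message) -> List[str]:
    """Return the indicators found in the message; empty list means none."""
    hits = []
    if FINANCE_SUBJECT.search(msg.subject):
        hits.append("finance-themed subject")
    for att in msg.attachments:
        name = att.filename.lower()
        if name.endswith(".zip"):
            hits.append(f"zip attachment: {att.filename}")
            for member in executable_members(att.data):
                hits.append(f"executable inside archive: {member}")
        elif name.endswith(EXECUTABLE_EXT):
            hits.append(f"bare executable attachment: {att.filename}")
    return hits


def should_quarantine(msg: Message) -> bool:
    """Quarantine when a finance lure is paired with a runnable attachment."""
    hits = triage(msg)
    lure = "finance-themed subject" in hits
    runnable = any(h.startswith(("executable inside", "bare executable")) for h in hits)
    return lure and runnable


def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample messages (not real captures).
LURE = Message(
    sender="accounts@example.invalid",
    subject="Payment Advice - Remittance 0453",
    attachments=[Attachment("Payment_Advice.zip",
                            make_zip({"Payment_Advice.pdf.exe": b"MZ"}))],
)
BENIGN = Message(
    sender="vendor@example.invalid",
    subject="Request for quotation - Q3 parts",
    attachments=[Attachment("quote.zip", make_zip({"quote.pdf": b"%PDF-1.4"}))],
)

if __name__ == "__main__":
    for m in (LURE, BENIGN):
        verdict = "QUARANTINE" if should_quarantine(m) else "deliver"
        print(f"{m.subject!r} -> {verdict} {triage(m)}")
```

The benign sample shows why the two indicators are combined rather than used alone: a genuine request for quotation with a ZIP of PDFs matches the subject rule and the ZIP rule but contains nothing runnable, so it is delivered, while the lure carrying a double-extension executable is held. A real gateway would add the sender checks the article hints at (stolen versus spoofed accounts), but those need header fields this example does not model.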

Once a system is infected, Symantec's research has found that the attackers can take control of it and transfer money from the victim's account.

The RAT campaign is not being driven by an exploit kit such as Angler, and no zero-day exploit is being used, O'Gorman noted. He added that users with a fully patched system and up-to-date antivirus product should be protected.

"While advanced attack groups attract a lot of attention in the news, we'd like to remind businesses that less skilled attackers can still cause major damages to a targeted company," O'Gorman said.

Symantec is not taking any specific technical or law enforcement action to stop the RAT campaign.

"Law enforcement was not notified because publication of an attack is often an effective method for stopping the activity," O'Gorman said.

Since the beginning of the Internet era, security professionals have been advising IT users not to click on suspicious links and to keep systems updated with modern antivirus tools. Still, phishing campaigns continue to be successful. O'Gorman noted that based on campaigns run by Symantec's Phishing Readiness technology, on average, employees are susceptible to email-based attacks 18 percent of the time. The Phishing Readiness technology is a service that enables organizations to conduct simulated phishing attacks to test user reactions to potential attacks.

"Businesses need to better educate employees to always exercise caution and to not open attachments or click on links in suspicious email," O'Gorman said.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.