Alán Alcoverro Mar 31, 2020 11 min read

How to stop Remote Access Trojans

Every day, people use their laptops and phones for private tasks, such as online banking, and they input confidential or sensitive information, such as login details and passwords. This is exactly the data that Remote Access Trojans (RATs) are built to capture.

Remote access tools are legitimate instruments, originally adopted by IT professionals as an effective way to solve computer issues remotely. Unfortunately, fraudsters have recognized the same technology as a way to gain access to victims’ devices through the ‘back door’.


What are Remote Access Trojans (RATs)?

Remote Access Trojans (RATs) are malware hidden inside authentic-looking applications or files that a user can be tricked into downloading. Once installed, they provide a way in for cybercriminals, typically with administrative control over the targeted device.


What do RATs look like?

Remote Access Trojans are extremely deceptive, as they sneakily piggyback on legitimate-looking files in order to infiltrate a device. The malware can be accidentally downloaded together with a user-requested program, for example a game or an email attachment, and a RAT is designed to leave as little visible trace of its presence on the device as possible.

They can quietly spy on someone for very long periods of time, which means a user could be infected for years without ever even knowing it.

Once a Remote Access Trojan has infiltrated a computer, the cybercriminal gains remote access, monitoring or even controlling the device and the network it sits on. With this access they can do almost anything the legitimate user can do, while hiding behind the victim’s identity and device.

For example, they can use a keylogger to monitor someone’s typing, finding out passwords and sensitive security information, or look at files containing personal or confidential info. Beware – many Remote Access Trojans have the ability to ‘scrape’ saved and even cached passwords.

And, perhaps scariest of all, RATs are effectively spyware: cybercriminals can use them to secretly activate a device’s microphone or webcam, listening to or watching a user whenever they like.

As well as targeting Personally Identifiable Information (PII), criminals using a RAT also have the power to wipe an entire hard drive, download illegal content or perform embarrassing and illegal actions online through someone’s computer and in their name. Often, they will use the victim’s home network as a proxy to commit crimes that are traced back to the victim rather than to them.


Remote Access Trojans and online banking fraud

RATs are commonly deployed by criminals attempting to commit online banking fraud. This is because off-the-shelf RATs require only minimal technical know-how, meaning that pretty much anyone could hijack an online banking session.

Fraudsters often make use of a Rat-in-the-Browser (RitB), a third-generation Trojan attack that works alongside a Remote Access Trojan to hijack a session. It relies on malware (i.e. a RAT) already being present on the user’s device; the malware automatically alerts the attacker when the legitimate customer is logging into their online bank account.

The attacker can then remotely suspend the user’s session, open up an invisible browser on the victim’s device, and then complete a fraudulent transaction.

RitBs can also facilitate ‘Man-in-the-Middle’ attacks, in this case carried out from inside the browser on the victim’s own device, after the encrypted connection to the bank has been established. Having logged in as normal, the user will think they are interacting with the bank. What’s more, the bank’s anti-fraud software will ‘think’ it is interacting as normal with the account holder, since the session comes from the known device with the right credentials.

Yet all the while, an attacker might be sitting in the middle, manipulating what both legitimate parties see at either end of the interaction. For example, when the user initiates a transfer, the attacker could change the account details of the money’s destination, or even the value of the transaction itself, diverting the funds to a mule account while the browser still displays the details the user typed. Neither the bank nor the user notices that anything is wrong until it’s too late.


Examples of a ‘social’ Remote Access Trojan attack

Users are typically duped into downloading malware through social engineering techniques. For example, a fraudster might:

  • send an email to a victim from what appears to be a well-known and reputable company; the message will include a link or attachment which the user clicks on or opens, thereby downloading a RAT. This is a phishing attack, or spear-phishing when the message is tailored to a specific victim
  • phone up a user posing as a representative of their bank, and claim they need the customer to download a remote access tool and then log in to their bank so the bank can carry out a ‘security check’. Fraudsters often obtain personal information about users beforehand in order to help persuade them that they are genuine
  • even ask particularly unsuspecting victims to turn off their monitor to perform a ‘reboot’, whilst the criminal carries out a fraudulent transaction behind the curtain


How to detect Remote Access Trojans in the act?

As fraudsters evolve their techniques in order to bypass banks’ security, anti-fraud solutions must also evolve in order to keep pace.

Most solutions cannot detect the presence of RATs because they rely on traditional security measures such as device fingerprint validation or device authentication, and those checks pass: the session genuinely comes from the customer’s enrolled device.

Since Remote Access Trojans hide in plain sight on the user’s legitimate device – and it is still the legitimate user who is operating the device – banks need a multi-layered approach to security if they are to counteract RATs and RATs-in-the-Browser successfully.

In addition to this, two-factor authentication (a stalwart of the new PSD2 regulation) offers only limited protection against RATs. For example, if the bank asks for an OTP (One Time Passcode) while the attacker attempts a fraudulent transaction, the attacker can use the legitimate user’s suspended session to procure it from the victim themselves, who believes they are confirming their own transfer.
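To see why a plain OTP does not help here, the following added example (not the article’s or Revelock’s code; the shared secret, account numbers and helper names are constructed assumptions) models the RitB flow twice: once with a conventional counter-based OTP, and once with a code that is cryptographically bound to the payee and amount the customer is confirming, which is what PSD2’s dynamic-linking requirement asks for.

```python
"""
Model of the RAT-relayed OTP problem: plain OTP vs. a transaction-bound code.
Added example with constructed values; the secret, account numbers and helper
names are assumptions, not any bank's or vendor's implementation.
"""
import hashlib
import hmac
import struct
from typing import Tuple

Transaction = Tuple[str, int]  # (payee account, amount in cents)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the code depends only on the shared secret and a counter,
    so it is equally valid for whatever transaction is submitted with it."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def bound_code(secret: bytes, counter: int, tx: Transaction, digits: int = 6) -> str:
    """Transaction-bound code: payee and amount are part of the MAC input, so a
    code generated for one transfer does not verify for a modified one."""
    payee, amount = tx
    msg = struct.pack(">Q", counter) + payee.encode() + struct.pack(">Q", amount)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    value = int.from_bytes(mac[:4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def bank_accepts(secret: bytes, counter: int, received: Transaction,
                 code: str, bound: bool) -> bool:
    """The bank verifies the code against the transaction it actually received."""
    expected = bound_code(secret, counter, received) if bound else hotp(secret, counter)
    return hmac.compare_digest(expected, code)


SECRET = b"constructed-shared-secret"  # assumption: key enrolled in the customer's authenticator
COUNTER = 42
INTENDED: Transaction = ("GB00EXAMPLE00000001", 10_000)  # what the customer sees and confirms
TAMPERED: Transaction = ("GB00EXAMPLE00009999", 10_000)  # mule account swapped in by the RAT


def rat_relay_attack(bound: bool) -> bool:
    """Simulate the RitB flow: the customer intends one transfer, the RAT rewrites
    the payee, and the attacker obtains the one-time code from the customer.
    Returns True if the fraudulent transfer is accepted by the bank."""
    # The customer's authenticator generates a code for the transfer they believe
    # they are confirming (shown on their phone or token, not in the hijacked browser).
    victim_code = bound_code(SECRET, COUNTER, INTENDED) if bound else hotp(SECRET, COUNTER)
    # The RAT reads the code off the screen, or the attacker simply asks for it,
    # and submits it together with the tampered transaction.
    return bank_accepts(SECRET, COUNTER, TAMPERED, victim_code, bound)


def honest_transfer(bound: bool) -> bool:
    """Control case: nothing was tampered with, so both schemes must accept."""
    code = bound_code(SECRET, COUNTER, INTENDED) if bound else hotp(SECRET, COUNTER)
    return bank_accepts(SECRET, COUNTER, INTENDED, code, bound)


if __name__ == "__main__":
    print("plain OTP, payee swapped, accepted:", rat_relay_attack(bound=False))  # True
    print("bound code, payee swapped, accepted:", rat_relay_attack(bound=True))  # False
```

With the bound code, the attacker’s remaining options are to get the customer to confirm a prompt that shows the mule account, or to compromise the authenticator itself. That is why the confirmation details should be displayed on a separate device or channel that the RAT does not control; a prompt rendered in the hijacked browser can be rewritten like everything else on the page.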


Behavioral biometrics is one of the few cybersecurity capabilities able to detect, and subsequently thwart, Remote Access Trojan attacks while they are in progress.

This is because, as well as validating the known user device, behavioral biometrics also analyzes how the user interacts with that device, including their motor and cognitive patterns, without interfering with the user experience itself.

It can dynamically profile the user behind the device using advanced machine learning algorithms to identify their unique behavioral biometric characteristics.

Through learning these behavior patterns, and detecting anomalies in mouse trajectory, suspicious keyboard use, or the latency that remote control introduces between the device and the person operating it, advanced behavioral biometrics can flag unexpected changes in behavior that occur mid-session, however slight or temporary.

These vital clues could signal a possible Remote Access Trojan infiltration or Account Takeover (ATO) attempt.
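A toy version of that mid-session check, added here as an illustration rather than taken from the article or from any vendor’s product: it builds a baseline from a user’s own pointer and keystroke events early in a session, then flags a later window whose dynamics look remote-controlled (coarse, collinear pointer jumps spaced by network round trips) or machine-generated (pasted or injected keystrokes). The event format, the thresholds and the sample event streams are all constructed assumptions.

```python
"""
Toy behavioral profiling: baseline vs. mid-session window of input events.
Added example; event formats, thresholds and sample data are constructed.
"""
import math
import random
from typing import Dict, List, Tuple

MouseEvent = Tuple[int, float, float]  # (timestamp ms, x px, y px)


def mouse_features(events: List[MouseEvent]) -> Dict[str, float]:
    """Timing and trajectory statistics over a sequence of pointer events."""
    gaps, steps = [], []
    for (t0, x0, y0), (t1, x1, y1) in zip(events, events[1:]):
        gaps.append(t1 - t0)
        steps.append(math.hypot(x1 - x0, y1 - y0))
    path = sum(steps)
    net = math.hypot(events[-1][1] - events[0][1], events[-1][2] - events[0][2])
    return {
        "mean_gap_ms": sum(gaps) / len(gaps),
        "stall_ratio": sum(g > 80 for g in gaps) / len(gaps),  # long pauses between updates
        "mean_step_px": path / len(steps),
        "straightness": net / path if path else 1.0,           # 1.0 = perfectly straight
    }


def keystroke_features(key_down_ms: List[int]) -> Dict[str, float]:
    """Inter-keystroke timing: mean gap and its coefficient of variation."""
    gaps = [b - a for a, b in zip(key_down_ms, key_down_ms[1:])]
    mean = sum(gaps) / len(gaps)
    var = sum((g - mean) ** 2 for g in gaps) / len(gaps)
    return {"mean_key_gap_ms": mean, "key_gap_cv": math.sqrt(var) / mean if mean else 0.0}


# Per-feature rules relative to the session's own baseline (constructed thresholds).
MAX_RATIO = {"mean_gap_ms": 3.0, "mean_step_px": 3.0}      # window at most 3x baseline
MIN_RATIO = {"mean_key_gap_ms": 1 / 3, "key_gap_cv": 0.25}  # far faster / far more regular typing
MAX_INCREASE = {"stall_ratio": 0.3, "straightness": 0.15}  # absolute increase over baseline


def flag_anomalies(baseline: Dict[str, float], window: Dict[str, float]) -> List[str]:
    """Return the names of features whose mid-session value deviates from baseline."""
    flagged = []
    flagged += [k for k, r in MAX_RATIO.items() if window[k] > r * baseline[k]]
    flagged += [k for k, r in MIN_RATIO.items() if window[k] < r * baseline[k]]
    flagged += [k for k, d in MAX_INCREASE.items() if window[k] - baseline[k] > d]
    return flagged


# --- constructed sample event streams ---------------------------------------
START, TARGET = (100.0, 100.0), (500.0, 380.0)


def human_mouse(rng: random.Random, n: int = 60) -> List[MouseEvent]:
    """Many small, jittery steps 6-12 ms apart that overshoot the target and correct."""
    events, t = [], 0
    for i in range(n):
        frac = 1.1 * i / 44 if i < 45 else 1.1 - 0.1 * (i - 45) / 14
        x = START[0] + (TARGET[0] - START[0]) * frac + rng.uniform(-6, 6)
        y = START[1] + (TARGET[1] - START[1]) * frac + rng.uniform(-6, 6)
        events.append((t, x, y))
        t += rng.randint(6, 12)
    return events


def remote_mouse(n: int = 6) -> List[MouseEvent]:
    """A few large, perfectly collinear jumps 150 ms apart, as a remote-control
    channel forwarding coalesced pointer updates over the network would produce."""
    return [(150 * i,
             START[0] + (TARGET[0] - START[0]) * i / (n - 1),
             START[1] + (TARGET[1] - START[1]) * i / (n - 1)) for i in range(n)]


def human_typing(rng: random.Random, n: int = 24) -> List[int]:
    """Key-down timestamps with a natural, uneven rhythm."""
    times, t = [], 0
    for _ in range(n):
        times.append(t)
        t += rng.randint(90, 260)
    return times


def injected_typing(n: int = 24) -> List[int]:
    """Keystrokes pasted or injected by the attacker's tool: near-zero, uniform gaps."""
    return [2 * i for i in range(n)]


def analyse_session(remote_window: bool, seed: int = 7) -> List[str]:
    """Profile the first part of a session, then score a later window against it."""
    rng = random.Random(seed)
    baseline = {**mouse_features(human_mouse(rng)), **keystroke_features(human_typing(rng))}
    if remote_window:
        window = {**mouse_features(remote_mouse()), **keystroke_features(injected_typing())}
    else:
        window = {**mouse_features(human_mouse(rng)), **keystroke_features(human_typing(rng))}
    return flag_anomalies(baseline, window)


if __name__ == "__main__":
    print("remote-controlled window flagged on:", analyse_session(remote_window=True))
    print("second human window flagged on:", analyse_session(remote_window=False))
```

The point of comparing against the session’s own baseline rather than a global threshold is that the hand-off to the attacker shows up as a discontinuity: the same account, device and credentials suddenly move the pointer in a few straight jumps a network round trip apart and fill in a payee field at paste speed. A production model would use many more features and a learned per-user profile, but the signal it looks for is the one this toy reproduces.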


Alán Alcoverro

Alán is a Solutions Architect at Revelock. With over 12 years of professional experience as a Solutions Engineer / PreSales in companies such as IBM, SCC, Allot Communications and Riverbed, he has a transversal and integrated view of the IT world and of the digital challenges it implies for companies of any size, with cybersecurity as his main focus along the way. He is the main contact person for all technical matters related to the Revelock online fraud prevention solution, for both current and future customers, generating new business opportunities within the EMEA region while offering highly efficient solutions for the cybercrime challenges we face every single day.