Rogue Raticate
Other Names | RATicate
Date of initial activity | 2019
Suspected Attribution | Cybercriminals
Motivation | Financial Gain
Associated Tools | NetSupport RAT
Software | Windows
Overview
Rogue Raticate, also tracked as RATicate, is a financially motivated cybercriminal group that has run malspam campaigns delivering Remote Access Trojans (RATs) since at least 2019. Rather than relying on exploits, the group invests in the social-engineering side of the attack: convincing emails and document lures that persuade staff inside target organizations to open an attachment and follow a link, which is enough to hand the operators remote access to the workstation.
The emails carry attachments that masquerade as legitimate documents or notifications. Recent campaigns have featured malicious PDFs that, when opened, present a link; following it leads to the installation of the NetSupport RAT, a repackaged build of the legitimate NetSupport Manager remote-support product. Once installed it gives the attacker full interactive control of the infected machine, including file transfer for data exfiltration and the ability to change system configuration. The lures, which have included OneDrive and Adobe-themed templates, show the care the group puts into its phishing pages.
Between the lure and the payload the group places a Traffic Distribution System (TDS): a redirector that inspects each visitor (typically geolocation, browser user agent and referrer) and forwards only the intended victims to the payload, sending everyone else, including security scanners and analysts, to a benign page. The malicious URL therefore looks harmless when checked out of context, and the operators can rotate payload hosting without changing the link in the lure, which is what makes these campaigns hard for URL reputation and sandbox checks to catch.
Common Targets
Individuals
Attack vectors
Phishing
Web Browsing
How they work
Phishing is Rogue Raticate's primary route to initial access. The emails carry PDF attachments with innocuous-looking names such as "unpaid-7985652547.pdf" or "Paper-2445311685.pdf" (a plain word followed by a long number), and each PDF contains a link rather than an exploit. The link points into a Traffic Distribution System (TDS), which profiles the visitor and redirects intended victims onward to the payload host while sending everyone else to a harmless page; the URL in the PDF rarely looks malicious when checked on its own, and the group can move its payload hosting without resending lures.
A victim who follows the link is redirected to a site that downloads and runs the NetSupport Remote Access Tool (RAT). NetSupport Manager is a legitimate, commercially available remote-administration product; the attackers ship its client (client32.exe, configured by a client32.ini file) with the gateway address set to infrastructure they control, so the executable itself is clean and typically signed, and detection has to rely on where it was written to disk, who launched it and where it connects. Once the client is running, the operator has the product's full feature set against the machine: screen viewing and control, file transfer, remote shell and configuration changes, which covers monitoring user activity, exfiltrating sensitive data and manipulating the system.
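The following Python script is an added example for triaging an inbound PDF along the lines described above; it is not code from this page or from the group's tooling. It pulls every /URI link action out of the file, including ones hidden inside Flate-compressed streams that a naive grep over the raw bytes would miss, and matches the attachment name against the lure pattern quoted above. The two PDF samples, the tds.example host and the allow-list are constructed for the demonstration.

```python
import re
import zlib
from urllib.parse import urlparse

# Constructed sample 1: a minimal uncompressed PDF whose single page carries a
# Link annotation with a /URI action. Placeholder host, not a real indicator.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://tds.example/redirect?id=7985652547) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def _build_compressed_sample() -> bytes:
    """Constructed sample 2: the same kind of link action, but inside a
    Flate-compressed stream, which a regex over the raw bytes cannot see."""
    inner = (b"<< /Type /Annot /Subtype /Link "
             b"/A << /S /URI /URI (https://tds.example/redirect?id=2445311685) >> >>")
    body = zlib.compress(inner)
    return (b"%PDF-1.5\n5 0 obj << /Filter /FlateDecode /Length "
            + str(len(body)).encode() + b" >>\nstream\n" + body
            + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")


SAMPLE_PDF_COMPRESSED = _build_compressed_sample()

# Lure filename pattern quoted in the text: "unpaid-7985652547.pdf", "Paper-2445311685.pdf".
LURE_NAME = re.compile(r"^(?:unpaid|paper)-\d{6,}\.pdf$", re.IGNORECASE)

# A /URI key followed by a literal string (...) or a hex string <...>.
# "/S /URI" is the action subtype; it is not followed by a string, so it is skipped.
URI_ENTRY = re.compile(
    rb"/URI\s*(?:\((?P<lit>(?:[^()\\]|\\.)*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)")
# Stream bodies; "(?<!end)" keeps the keyword "endstream" from being taken as a start.
STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.DOTALL)


def _decode(m) -> str:
    if m.group("lit") is not None:
        raw = re.sub(rb"\\(.)", rb"\1", m.group("lit"))  # unescape \( \) \\
    else:
        raw = bytes.fromhex(re.sub(rb"\s", b"", m.group("hex")).decode("ascii"))
    return raw.decode("latin-1")


def extract_uris(data: bytes) -> list:
    """Collect every /URI target from the raw bytes and from each inflatable stream."""
    regions = [data]
    for stream in STREAM.finditer(data):
        try:
            # decompressobj tolerates a trailing CR left over from CRLF line endings
            regions.append(zlib.decompressobj().decompress(stream.group(1)))
        except zlib.error:
            continue  # not Flate (image data etc.) or corrupt; skip this stream
    found = {_decode(m) for region in regions for m in URI_ENTRY.finditer(region)}
    return sorted(found)


def triage_pdf(filename: str, data: bytes, allowed_hosts=()) -> dict:
    """Flag an attachment whose name matches the lure pattern or that links to a host
    outside the allow-list. Nested-parenthesis literals are not handled (rare in URIs)."""
    urls = extract_uris(data)
    external = [u for u in urls
                if urlparse(u).hostname and urlparse(u).hostname not in allowed_hosts]
    lure = bool(LURE_NAME.match(filename))
    return {
        "lure_filename": lure,
        "urls": urls,
        "external_links": external,
        "suspicious": lure or bool(external),
    }


if __name__ == "__main__":
    for name, pdf in (("unpaid-7985652547.pdf", SAMPLE_PDF),
                      ("quarterly-report.pdf", SAMPLE_PDF_COMPRESSED)):
        print(name, triage_pdf(name, pdf, allowed_hosts=("intranet.example",)))
```

The filename rule is cheap but brittle (the operators can rename a lure at will); the link extraction is the durable part, and in production the extracted URLs should be fed to the same reputation and detonation checks applied to links in the email body, since a TDS will show a benign page to anything that looks like a scanner.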
To survive a reboot the client has to be launched again, and a deployment of this kind typically arranges that through an autostart registry entry (a Run key) or a newly created Windows service; the operators may also pack or obfuscate the dropper and the RAT's files to slow down static detection. A practical check on a suspected host is to list Run keys and services and look for an image path that resolves to a NetSupport client executable under a user-writable directory rather than a normal Program Files installation.
No specific privilege-escalation exploit is attributed to the group here. The NetSupport client runs with the privileges of the user who launched it, which is usually enough for its purposes; if the operators need more, they would have to exploit a local vulnerability or bring a separate tool, neither of which is documented for these campaigns.
For command and control the NetSupport client connects to a NetSupport gateway over HTTP (or HTTPS), the same mechanism the legitimate product uses to traverse firewalls and proxies, so the traffic looks like ordinary web browsing to a port-based filter. It is not invisible, though: the client identifies itself with a NetSupport Manager user agent and polls its gateway at a fixed interval, and those two properties (a telltale user agent in proxy logs and regular beaconing to one host) are what network detection should key on rather than the protocol.
Exfiltration uses the same channel: files pulled with the client's transfer feature travel back over the HTTP(S) gateway connection (MITRE T1041, exfiltration over the C2 channel), so they blend into existing web traffic. Outbound volume per destination is the signal here; a workstation uploading far more to one host than it downloads deserves a look even when the destination is on no blocklist.
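As an added example, not the page's own code or a published rule set, the following Python script runs the three network checks just described over constructed proxy log lines: a signature match on the NetSupport Manager client user agent and the gateway path `/fakeurl.htm` (indicators that appear in public detection rules; they are assumed here, not taken from this page, and should be validated against your own captures), an interval-regularity (beaconing) check that needs no signature, and a per-destination outbound volume sum for spotting bulk exfiltration over the same channel. The log format, addresses, hostnames and thresholds are all constructed.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed proxy log, not real traffic. Fields: time src method url "user-agent" bytes_out.
SAMPLE_LOG = """\
2024-05-02T10:00:00Z 10.0.0.12 POST http://gw.example/fakeurl.htm "NetSupport Manager/1.3" 400
2024-05-02T10:00:13Z 10.0.0.7 GET http://www.microsoft.com/en-us/ "Mozilla/5.0 (Windows NT 10.0)" 120
2024-05-02T10:00:41Z 10.0.0.7 GET http://www.microsoft.com/en-us/windows "Mozilla/5.0 (Windows NT 10.0)" 130
2024-05-02T10:01:00Z 10.0.0.12 POST http://gw.example/fakeurl.htm "NetSupport Manager/1.3" 400
2024-05-02T10:02:00Z 10.0.0.12 POST http://gw.example/fakeurl.htm "NetSupport Manager/1.3" 400
2024-05-02T10:03:00Z 10.0.0.12 POST http://gw.example/fakeurl.htm "NetSupport Manager/1.3" 400
2024-05-02T10:03:05Z 10.0.0.7 GET http://www.microsoft.com/en-us/office "Mozilla/5.0 (Windows NT 10.0)" 110
2024-05-02T10:04:00Z 10.0.0.12 POST http://gw.example/fakeurl.htm "NetSupport Manager/1.3" 400
2024-05-02T10:05:00Z 10.0.0.12 POST http://gw.example/fakeurl.htm "NetSupport Manager/1.3" 2400000
"""

LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)" (?P<bytes>\d+)$')

# Assumed indicators (from public detection rules, not from this page): the NetSupport
# client names itself in its User-Agent and polls its gateway at a fixed URL path.
NETSUPPORT_UA_PREFIX = "NetSupport Manager/"
NETSUPPORT_GATEWAY_PATH = "/fakeurl.htm"


def parse_log(text: str) -> list:
    """Parse the constructed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        u = urlparse(m["url"])
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"],
            "method": m["method"],
            "host": u.hostname,
            "path": u.path,
            "ua": m["ua"],
            "bytes_out": int(m["bytes"]),
        })
    return events


def netsupport_indicators(events) -> list:
    """Signature check: (src, host) pairs whose requests carry the NetSupport UA or path."""
    hits = {(e["src"], e["host"]) for e in events
            if e["ua"].startswith(NETSUPPORT_UA_PREFIX) or e["path"] == NETSUPPORT_GATEWAY_PATH}
    return sorted(hits)


def find_beacons(events, min_hits: int = 4, max_cv: float = 0.2) -> list:
    """Signature-free check: a client contacting one host at near-constant intervals.
    Returns (src, host, mean_gap_seconds, coefficient_of_variation) per beaconing pair."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["host"])].append(e["ts"])
    beacons = []
    for (src, host), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean  # low CV = regular polling, visible even under TLS
        if cv <= max_cv:
            beacons.append((src, host, round(mean, 1), round(cv, 3)))
    return beacons


def exfil_candidates(events, threshold_bytes: int = 1_000_000) -> dict:
    """Volume check: total outbound POST/PUT bytes per (src, host) at or above a threshold."""
    totals = defaultdict(int)
    for e in events:
        if e["method"] in ("POST", "PUT"):
            totals[(e["src"], e["host"])] += e["bytes_out"]
    return {pair: total for pair, total in totals.items() if total >= threshold_bytes}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("signature hits:", netsupport_indicators(ev))
    print("beacons:", find_beacons(ev))
    print("bulk upload:", exfil_candidates(ev))
```

The signature check is the cheapest and the first to break once the operators edit the client's strings; the beaconing and volume checks survive that, and they also work on logs where only a CONNECT to the host is visible, provided the timestamps and byte counts are recorded. Tune `min_hits` and `max_cv` against your own baseline, since legitimate agents (update checkers, monitoring clients) also poll on a schedule.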
Overall, Rogue Raticate's tradecraft combines a well-crafted lure, a TDS that hides the payload from scrutiny, and a legitimate remote-administration tool in place of custom malware. The defences that match it are email filtering that extracts and detonates the links found inside PDF attachments rather than only those in the message body, alerting on NetSupport Manager installations that IT did not deploy, keeping endpoints patched so that a follow-on local exploit has nothing to work with, and proxy monitoring for the client's user agent and for beaconing to a single host.
MITRE Tactics and Techniques
Initial Access
Phishing (T1566): Rogue Raticate sends phishing emails whose PDF attachments (Spearphishing Attachment, T1566.001) carry the link to the payload. Social-engineering themes in the email and the document, such as unpaid invoices or document-sharing notifications, lure the recipient into opening the PDF and following the link.
Execution
User Execution (T1204): The chain depends on the recipient opening the PDF and following its link (Malicious Link, T1204.001), which triggers the download and execution of the NetSupport RAT (Malicious File, T1204.002). Nothing described here relies on a document exploit, so Exploitation for Client Execution (T1203) does not apply.
Persistence
Create or Modify System Process (T1543): The NetSupport RAT may be kept alive across reboots by installing it as a Windows service (T1543.003). Persistence through a registry Run key, the other option noted above, is classed separately as Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001).
Privilege Escalation
Exploitation for Privilege Escalation (T1068): If the operators need more than the privileges of the user who launched the RAT, they may exploit a local vulnerability to gain higher-level access. No specific vulnerability is attributed to the group here, so treat this technique as possible rather than observed.
Defense Evasion
Obfuscated Files or Information (T1027): Rogue Raticate might use obfuscation techniques to hide the malicious content of the PDFs or the RAT itself to evade detection by security solutions.
Indicator Removal (T1070, formerly Indicator Removal on Host): The group could remove or alter indicators of compromise (IOCs) on the infected host, such as the dropped installer or event log entries, to hinder detection and cleanup.
Command and Control
Application Layer Protocol: Web Protocols (T1071.001): The NetSupport RAT talks to its gateway over HTTP(S), so its C2 blends into legitimate web traffic and passes port-based filtering; detection has to rely on the client's user agent and its regular polling pattern rather than on the protocol.
Exfiltration
Exfiltration Over C2 Channel (T1041): Stolen data travels back to the attacker over the same HTTP(S) gateway connection used for control. Exfiltration Over Web Service (T1567) would apply only if data were pushed to a third-party service such as a cloud file host, which is not described for these campaigns.
Impact
Data Manipulation (T1565): Depending on the attacker’s goals, the RAT could be used to manipulate or exfiltrate sensitive data, impacting the organization’s operations and security posture.