To Catch a Ratter: Monitoring the Behavior of
Amateur DarkComet RAT Operators in the Wild
Brown Farinholt (University of California, San Diego), Mohammad Rezaeirad (George Mason University), Paul Pearce (University of California, Berkeley), Hitesh Dharmdasani (Informant Networks), Haikuo Yin (University of California, San Diego), Stevens Le Blond (EPFL and MPI-SWS), Damon McCoy (New York University), Kirill Levchenko (University of California, San Diego)
Abstract—Remote Access Trojans (RATs) give remote attackers interactive control over a compromised machine. Unlike large-scale malware such as botnets, a RAT is controlled individually by a human operator interacting with the compromised machine remotely. The versatility of RATs makes them attractive to actors of all levels of sophistication: they have been used for espionage, information theft, voyeurism and extortion. Despite their increasing use, there are still major gaps in our understanding of RATs and their operators, including motives, intentions, procedures, and weak points where defenses might be most effective.
In this work we study the use of DarkComet, a popular commercial RAT. We collected 19,109 samples of DarkComet malware found in the wild and, in the course of two several-week-long experiments, ran as many samples as possible in our honeypot environment. By monitoring a sample's behavior in our system, we are able to reconstruct the sequence of operator actions, giving us a unique view into operator behavior. We report on the results of 2,747 interactive sessions captured in the course of the experiment. During these sessions operators frequently attempted to interact with victims via remote desktop, to capture video, audio, and keystrokes, and to exfiltrate files and credentials. To our knowledge, this is the first large-scale systematic study of RAT use.
I. INTRODUCTION
Recent events indicate that malware usage has started to
shift from large-scale threats like botnets to lower-volume
threats designed to spy on specific users or systems (e.g.
[10], [20], [35], [51]). In a botnet, each machine is an
indistinguishable bundle of resources. Though imposing in
size, the use of botnets was banal—spamming, click fraud,
and the like. Low-volume threats, on the other hand, aim to
extract something of greater value from each infection. In this
regime, the preferred tool for exploiting individual infections
is a RAT (Remote Access Trojan or Remote Administration
Tool), malware that gives a human user interactive remote
access to an infected machine.
Because of their great flexibility, RATs have been used by
a broad range of actors. For example, intelligence agencies
and governments use RATs to spy on dissidents, journalists,
and other governments [10], [35], [51]; while voyeurs use
these tools to spy on victims, collecting pictures stored on the
computer, capturing live webcam images, and recording audio
[17], [20]. The latter’s intentions range from pure voyeurism
to extortion and blackmail, with victims from celebrities like
Miss Teen USA [20] to countless unnamed users worldwide.
The subject of this work is the behavior of amateur RAT
operators in newly infected machines. Though use of RATs is
well documented, knowledge of how they are used by these
actors is limited. Indeed, studying RATs presents its own unique
challenges. The first of these is procuring fresh malware
samples that are still in operation. In practice, low-volume
malware typically does not have the same broad distribution as,
say, a botnet executable. An attacker often infects the intended
victims by sending them an email message with a malicious
attachment or luring them to a Web page that exploits a
browser vulnerability. To obtain such samples, researchers
must obtain them from victims or a vantage point between
attackers and victims, and before they cease operating.
We obtain our samples from VirusTotal [24], an online virus
scanner. VirusTotal is often used to check a suspicious file or
URL received via email, social media, etc., and thus provides
a unique vantage point for studying low-volume malware. For
example, recent related work leveraged VirusTotal to measure
and analyze malicious documents employed in targeted attacks
against two ethnic groups and 12 countries spanning three
continents [32]. In this work, we show that we can rely on
VirusTotal to collect fresh RAT samples and, for as long as their
controllers remain reachable, monitor them while they are in operation.
The second challenge in studying RATs is monitoring
what the attacker does when connected. Attackers expect a
successful infection to give them access to a victim’s computer.
Preliminary experiments showed that executing a RAT in a
typical VM used to study malware may lure the attacker to
connect, but will quickly give away the setup when examined
more closely. To elicit natural behavior, we disguised our
machines as real users’ PCs, suitably personalized, though not
linked to a real user. Finally, we need to capture the activity
of the RAT operators to reliably reconstruct their behaviors.
In this work, we obtained 19,109 samples of DarkComet,
a popular RAT used by threat actors of all levels of sophistication.
In most cases, our sample was the result of running a
dropper executable that may have been dropped itself. Based
on the primary infection vectors, at least some of the instances
appear to be genuine attempts to infect a victim. We took each
sample we obtained, ran it in a Cuckoo sandbox [25], and
recorded all commands issued to the RAT by the controller.
We then used the data collected to reconstruct the behavior of
the operator in our system and carry out our analysis.
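As an added illustration of the last step of that pipeline (turning a recorded stream of controller commands into discrete operator sessions), the following Python is example code written for this page; it is not the paper's own tooling and does not use DarkComet's wire-protocol command names. The log rows, the action-category labels, and the 30-minute idle threshold used to split sessions are all this example's assumptions.

```python
"""Reconstruct RAT operator sessions from a controller command log.

Added example: the log rows, category labels and session gap below are
constructed for illustration and are not from the paper or from DarkComet.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Constructed log rows: (sample id, UTC timestamp, command category).
# The categories are this example's labels for the kinds of operator
# actions the abstract lists, not DarkComet's protocol command names.
SAMPLE_LOG: List[Tuple[str, str, str]] = [
    ("s1", "2016-03-01T10:00:00", "system_info"),
    ("s1", "2016-03-01T10:00:30", "remote_desktop"),
    ("s1", "2016-03-01T10:02:10", "webcam"),
    ("s1", "2016-03-01T10:03:00", "keylogger"),
    ("s1", "2016-03-01T14:00:00", "file_list"),      # >30 min idle: new session
    ("s1", "2016-03-01T14:01:00", "file_download"),
    ("s2", "2016-03-02T09:00:20", "password_dump"),  # deliberately out of order
    ("s2", "2016-03-02T09:00:00", "system_info"),
]

SESSION_GAP = timedelta(minutes=30)   # assumed idle threshold between sessions
SURVEILLANCE = {"remote_desktop", "webcam", "microphone", "keylogger"}
EXFILTRATION = {"file_download", "password_dump"}


@dataclass
class Session:
    sample: str
    start: datetime
    end: datetime
    actions: List[str] = field(default_factory=list)

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


def parse_log(rows: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, datetime, str]]:
    """Parse timestamps and sort by sample, then time, so out-of-order rows are safe."""
    parsed = [(sample, datetime.fromisoformat(ts), cmd) for sample, ts, cmd in rows]
    return sorted(parsed, key=lambda r: (r[0], r[1]))


def sessionize(rows: Iterable[Tuple[str, str, str]], gap: timedelta = SESSION_GAP) -> List[Session]:
    """Split each sample's command stream into sessions at idle gaps longer than `gap`."""
    sessions: List[Session] = []
    open_session: Dict[str, Session] = {}
    for sample, ts, cmd in parse_log(rows):
        cur = open_session.get(sample)
        if cur is None or ts - cur.end > gap:
            cur = Session(sample, ts, ts)
            sessions.append(cur)
            open_session[sample] = cur
        cur.end = ts
        cur.actions.append(cmd)
    return sessions


def summarize(sessions: List[Session]) -> Dict[str, int]:
    """Count sessions and how many contain surveillance or exfiltration actions."""
    return {
        "sessions": len(sessions),
        "with_surveillance": sum(1 for s in sessions if SURVEILLANCE & set(s.actions)),
        "with_exfiltration": sum(1 for s in sessions if EXFILTRATION & set(s.actions)),
    }


def action_frequency(sessions: List[Session]) -> Dict[str, int]:
    """Number of sessions in which each action category appears at least once."""
    freq: Dict[str, int] = {}
    for s in sessions:
        for cmd in set(s.actions):
            freq[cmd] = freq.get(cmd, 0) + 1
    return dict(sorted(freq.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    found = sessionize(SAMPLE_LOG)
    for s in found:
        print(f"{s.sample} {s.start:%Y-%m-%d %H:%M} +{s.duration}: {' -> '.join(s.actions)}")
    print(summarize(found))
    print(action_frequency(found))
```

Splitting on an idle gap is the usual way to recover "interactive sessions" from a flat command log; the threshold is a tuning choice, and a short one splits a single distracted operator into several sessions while a long one merges distinct visits, so it is worth reporting alongside any session counts.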
2017 IEEE Symposium on Security and Privacy
© 2017, Brown Farinholt. Under license to IEEE.
DOI 10.1109/SP.2017.48