If ever there was an example of how a relatively unskilled hacker can use off-the-shelf malware and sustain an undetected attack for years it must surely be the actions of a miscreant who was recently targeting the aviation sector.

The attack, based around a spear phishing campaign that focused on aviation and travel operations employees, delivered a remote access trojan (RAT), leaving organizations vulnerable to an array of security risks.
  • RATs are usually installed on a system or a network without the user's knowledge, via an e-mail attachment, a link to an external application and so on.
  • Once the target system is compromised, a RAT can spread to other exposed computers, establishing a botnet.
  • Once RAT software is on a system, the attacker can do almost anything on the computer, such as taking screenshots, switching on the system's webcam, and tracking the user's behaviour and activities.
  • This can include launching spyware; obtaining confidential information such as card details, PINs, passwords and other proofs of identity; spreading viruses and other malware; formatting hard drives; and deleting, copying, changing or downloading files.
Sometimes RATs are launched in a mass phishing campaign aiming to compromise as many computers as possible. In this specific attack, the hacker targeted selected individuals with an email containing PDF files that linked to the RAT.
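As an added example (not code from this post or from BullGuard), a small Python triage script for the lure described above: it pulls the /URI link targets out of a PDF attachment and flags any that point outside an allowlist, at a bare IP address, or at an executable file. The sample PDF bytes, the allowlist and the risky-extension list are constructed for the example; it reads plain (uncompressed) PDF objects only.

```python
import re
from ipaddress import ip_address
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample: a minimal PDF-like byte string with three /Link annotations whose
# /URI actions mimic the lure described in the post (a PDF that links out to the payload).
LURE_HEX = "http://luresite.example.net/flight.scr".encode().hex().encode()
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (https://intranet.example.com/travel-policy.pdf) >> >> endobj\n"
    b"2 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (http://203.0.113.7/crew-roster.exe) >> >> endobj\n"
    b"3 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI <" + LURE_HEX + b"> >> >> endobj\n"  # same action, PDF hex-string form
    b"%%EOF\n"
)

# A /URI action target written as a PDF literal string "(...)" or hex string "<...>".
URI_ACTION = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.DOTALL)
RISKY_EXT = (".exe", ".scr", ".msi", ".hta", ".vbs", ".js", ".jar", ".bat")  # constructed list


def extract_uris(pdf: bytes) -> List[str]:
    """Every /URI target in document order. Objects inside FlateDecode streams must be inflated first."""
    uris = []
    for m in URI_ACTION.finditer(pdf):
        if m.group(1) is not None:
            raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # undo PDF escaping of ( ) \
        else:
            raw = bytes.fromhex("".join(m.group(2).decode("ascii").split()))
        uris.append(raw.decode("latin-1"))
    return uris


def triage_uri(uri: str, allowed_hosts: set) -> Optional[str]:
    """Reason the link deserves a look, or None. Heuristics for triage, not a verdict."""
    parsed = urlparse(uri)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https"):
        return f"non-web scheme {parsed.scheme!r}"
    if host in allowed_hosts:
        return None
    try:
        ip_address(host)
        return "links directly to an IP address"
    except ValueError:
        pass
    if parsed.path.lower().endswith(RISKY_EXT):
        return f"points at an executable ({parsed.path.rsplit('.', 1)[-1]})"
    return "host not on allowlist"


def flag_pdf_links(pdf: bytes, allowed_hosts: set) -> List[Tuple[str, str]]:
    """All flagged links in the PDF, each paired with the reason it was flagged."""
    return [(u, r) for u in extract_uris(pdf) for r in [triage_uri(u, allowed_hosts)] if r]


if __name__ == "__main__":
    for uri, reason in flag_pdf_links(SAMPLE_PDF, {"intranet.example.com"}):
        print(f"FLAG {uri}: {reason}")
```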

The attacker, though, wasn't technically sophisticated; rather, he or she used off-the-shelf malware and crypters bought on online hacker forums. The crypters enabled the RAT malware to stay undetected.
  • Put simply, a crypter is a type of software that encrypts, hides and manipulates malware to make it harder for security programs to detect. Cybercriminals use it to produce malware that can bypass security programs by presenting itself as a harmless program until it has been installed.
 
The striking thing about the attack, apart from its remaining undetected for nearly three years, is that the hacker wasn't a sophisticated actor with a degree-level or higher education in computer science, which is what you would expect in this type of attack. Rather, the use of 'standard' malware reveals someone who simply knows how to launch attacks.
 
Of course it also raises questions about cyber security in the organisations that were targeted and the level of awareness among the targets. It also shows that malware is an 'ever present danger.'
 
Fortunately for BullGuard customers, they are protected by the best levels of security available, such as advanced dynamic machine learning. This self-learning component of BullGuard security is always scanning for and learning about new types of malicious code, and then automatically applies its new malware findings to customers' protection so they are always safeguarded against the latest threats.