Remote Access Trojan

A tool used to enable criminals to connect to a victim's machine remotely and perform a number of unauthorised actions.


A RAT can allow attackers to access all files and features of your computer (e.g. microphone/webcam), and even use your computer to distribute malicious software to other devices. Recently, criminals have also used RATs to install cryptomining software, which then uses a device's processing power to generate cryptocurrency.

Remote access tools are used legitimately by IT professionals to perform maintenance on devices. However, the tools used to gain unauthorised access to victims' devices are often designed to aid malicious intent. For example, these tools do not request permission on the accessed device. They tend not to notify a user that the service is running, and any command interfaces are generally hidden.

Advice

Signs of a RAT on your system include a slow internet connection, unknown processes running on your systems, and files that have been modified/deleted/installed without permission. Here is some advice to protect against this type of attack:

Updates
Make sure that software and operating systems on your computers/laptops/phones/tablets/IoT devices are updated with the latest security patches.

Antivirus
Install reliable antivirus software, and keep this updated!

Firewalls
Firewalls act as a filter for malicious traffic. Make sure that you have them set up and configured correctly (ask your IT provider if you're not responsible for this).

Phishing
Always be careful when asked to click on links or download attachments from emails/websites/social media. There's usually a way to get whatever it is you need without clicking or downloading something. If there isn't, then be positive that the source of the request is trusted. See the NCSC phishing advice.

If you suspect that you have been infected with a RAT, here's what to do:

Disconnect your device from the network in order to prevent further malicious activity.

Run a full security scan of your devices and remove the threats by following the recommended steps from the security software.

Once you believe that the infection has been removed, change the passwords for your online accounts and check any financial activity. If there is any unusual banking activity, inform your bank.

Report the incident to Action Fraud (0300 123 2040 / https://www.actionfraud.police.uk). Reporting helps build intelligence for law enforcement, which can aid investigations as well as informational campaigns to prevent others from becoming victims.
