SAN FRANCISCO – Remote access trojans (RATs) can be a scourge for corporate systems, giving backdoor access to cybercriminals who are looking to carry out espionage, do reconnaissance for future phishing efforts, or lift data to sell on the underground. They also often serve as a key pivot point for moving laterally to information within an enterprise network.
In a report due out on March 14, Recorded Future’s Insikt Group used information from a joint Recorded Future and Shodan Malware Hunter project and the Recorded Future platform to identify active malware controllers. They looked at 14 malware families between December 2 and January 9 and profiled RAT communications from third-party organizations to the controllers.
According to John TerBush, senior threat researcher with Recorded Future, the analysts were interested to learn that the majority of Emotet controllers resolved to IPs in Latin American countries. The threat actors behind the infamous malware (which has evolved from its beginnings as a banking trojan into a full-service threat delivery service) are surging in the region, targeting an array of sectors, from automotive to finance and retail to technology, he said.
Infected xTremeRAT victims meanwhile were mainly in Asia, with other infections detected in the Middle East and Europe. xTremeRAT has been around for a while, and is best-known as a data-stealer that targets government and multinational entities.
Threatpost talked to TerBush at this week’s RSA Conference 2019 about the report, and about his background as a private investigator before he became a cyber-threat hunter.
What follows is a transcript of the interview.
Tara Seals: Hi there. I’m Tara Seals, senior editor at Threatpost, and I’m here with John TerBush, the senior threat researcher with Recorded Future.
Tara Seals: Welcome John. How are you?
John TerBush: Hi Tara. I’m well.
Tara Seals: Thanks for joining us here. I appreciate it.
Tara Seals: I heard that you guys have some research coming out next week that’s going to be pretty interesting, so we wanted to talk to you a little bit about that.
John TerBush: Yes. Basically we have evaluated some command-and-control servers (C2s) for multiple malware types. We focused on three: xTremeRAT and Emotet and ZeroAccess; and we’ve examined NetFlow metadata from network traffic to determine first the connections between the various malicious servers, but also more specifically we’re looking at who they’re connecting to. We can identify companies or organizations with malicious installs on their systems and correlate all that information, feed it into our new third-party risk offering, and basically also analyze a little bit more. For example, we found that Emotet was definitely targeting some Latin American organizations in December and January.
Tara Seals: In terms of some of the more prevalent RATs that you’ve found, I had scanned the research and it looks as though you narrowed it down to a few different threats that are more active than others. So, anything that leaps out there that’s worth mentioning?
John TerBush: Definitely — and Emotet is not a RAT specifically, but it’s a very prevalent malware and we included that in our analysis. But xTremeRAT, for example, is a commodity RAT, and we see that a lot of different actors are going to be using that. Attribution’s a problem there. But we can definitely look at who the targets are, who’s getting phished, who’s getting delivered this malware and what, if anything, that means.
Tara Seals: Was it surprising that most of the targets are in Latin America that you were able to uncover?
John TerBush: That was for Emotet specifically. The others we found more targeting in Asia, both the Near East as well as South and Far East Asia. For Emotet though, it appeared that they had a campaign going on at the time period that we were sampling, and they definitely were targeting Latin American countries.
Tara Seals: That’s interesting. So if you take a look at the trends that pop out from the research, is there anything else that’s worth noting in there that we haven’t discussed?
John TerBush: Well, for example, with Emotet, we found that they have a distributed command-and-control system. So you would have certain C2s that are in a network, and there are nodes connecting them, but then there are separate networks. So there was one large network that would seem to be the one that most of the Latin American installs were connecting with. And they could have various reasons for doing this, but they definitely use a structure where it’s not one giant network of C2s where all of the nodes are talking to specific systems; they are separated, so if you have one infection on this system, it’s not speaking to the whole network.
Tara Seals: Okay. So, shifting gears a little bit, I had noticed that you have a background in private investigation and undercover work in law enforcement. So I thought it would be interesting for our viewers, if you wanted to tell us a little bit and connect the dots a little bit in terms of being a cyber-threat hunter and how you can bring your previous experience to bear on that.
John TerBush: Sure, sure. Not in law enforcement actually, but a private investigator, doing research. Honestly, there’s a lot of the same things that you do as an investigator in the physical world, right? Doing surveillance or going and speaking to witnesses and collecting information — you also are going to do that as a cyber-investigator or a researcher. So, a lot of those things that I learned in a completely not-cyber area are still very applicable.
Tara Seals: Right. Crime is crime.
John TerBush: Yeah. Crime is crime. Criminals are trying to make money. They’re trying to do it as efficiently and easily as possible without creating problems for themselves. And it’s just tracking down what they’re doing, getting into their mindsets and that sort of thing.
Tara Seals: Okay. Got it. Well, if we come back to RSA next year — and you know we will — do you think that the threat landscape is going to have moved on very much from where we are now? Are there any trends looming on the horizon that we should keep our eyes on?
John TerBush: Gosh, I don’t see any great shift, really.
Tara Seals: More of the same?
John TerBush: It’s more of the same. We’re seeing a bit less ransomware now than I think we have in the past. It’s still very prevalent. You’re going to have various threat actors that are still either trying to make money or trying to collect that information, that intelligence, or cause problems to their perceived enemies. And that’s not changing anytime soon.
Tara Seals: Well, we’ll leave it there. John, thank you so much for your time, I appreciate it. Thank you for joining us at Threatpost. Again, I’m Tara Seals with Threatpost, and this is John TerBush with Recorded Future. Thank you, John.
John TerBush: Thank you very much.