
DestroyRAT

Posted: November 2, 2013

Part of a line of Trojans used for corporate and government espionage, the DestroyRAT is a Trojan that includes all the standard capabilities third parties need to control an infected PC from a remote server. Besides these features, the DestroyRAT also may install new threats that pose other security risks, and it may itself be installed by specialized Trojan droppers embedded in fake Microsoft Office documents. Because the DestroyRAT may use semi-sophisticated means to hide its components, malware researchers advise against deleting a DestroyRAT with anything other than proper anti-malware software.

The Little RAT in Your E-mail Messages

The DestroyRAT is one of many cases of a backdoor Trojan used as a spearhead in attacks against non-profit organizations, international companies like Google and even, in some cases, governments and their contractors. Although its most thoroughly analyzed campaigns have been in Asia, the DestroyRAT and similar threats also are seen in meaningful attacks throughout Europe and America. Most of these incidents involved e-mail messages carrying disguised Trojans that bore the file names of Excel spreadsheets or Word documents. Opening the files exploited various vulnerabilities to allow the installation of the DestroyRAT, although many companies later released patches to close these bugs.

Outside of its somewhat illustrious history, the DestroyRAT is a backdoor Trojan that includes standard attack functionality. As its name implies (a Remote Administration Trojan), the DestroyRAT makes contact with its remote server through a random network port. From this server, third parties may issue general commands, install new software (including other Trojans or RATs, such as PoisonIvy) or collect data. In some cases, a DestroyRAT may be a mere midpoint in an attack effort: installed after the threat authors have achieved persistence on the machine, but before they have completed a full analysis of the compromised PC.

Destroying a Destroyer of PC Security in Turn

Among English publications, PlugX is the DestroyRAT's most widely used alias, but others, including Sogu and Kaba, also abound. This proliferation of aliases is partly due to the behavior of Axiom, a Chinese hacker group that regularly updates and re-releases variants of its old Trojans. Other threats related to the group responsible for the DestroyRAT include Mdmbot, Deputy Dog, Darkmoon, My Door and Derusbi. Most of these threats also carry payloads similar to the DestroyRAT's, and they occupy a point in their respective attack campaigns heavily reminiscent of this backdoor Trojan's role.

Ordinary e-mail safety procedures are effective stopping points for many known distribution methods of the DestroyRAT. If prevention fails, you should resort to anti-malware solutions capable of deleting a DestroyRAT along with other threatening software, up to and including rootkits. Even after the successful disinfection of a compromised machine, you also may need to take additional steps to secure information that could have passed into unsafe hands during the infection's lifespan.
