Researchers discover morphed RATs capable of DDoS, phone log manipulation

As quickly as researchers discover ways to remove and block Remote Access Trojans used for spying on mobile devices and computers, hackers are creating new spyware strains from previously discovered malware - and they are developing more advanced capabilities than the original malware.

Hackers creating new spyware strains of Remote Access Trojans for spying on mobile devices and computers
Hackers creating new spyware strains of Remote Access Trojans for spying on mobile devices and computers

As quickly as researchers discover ways to remove and block Remote Access Trojans (RAT) used for spying on mobile devices and computers, hackers are creating new spyware strains from previously discovered malware – and they are developing more advanced capabilities than the original malware.

Most recently, Egyptian hackers used the njRAT spyware exploit kit to create KilerRat, a new remote access tool (RAT) that targets the Windows operating system and allows the attacker to take over control of Windows computers.

The attackers can remotely delete, edit, and rename files or folders; view the webcam of infected computers; monitor key logging on infected computers; and collect stored passwords in the computers' browsers. The malware can also use the infected computers as a proxy for network traffic, enabling DDOS attacks, and convert .exe files to jpg, score, mp3, wav, txt mp4 or flv files. As a result, it is more difficult to identify computers that have been infected with the malware.

In a blog post, AlienVault researcher Peter Ewane wrote that many antivirus tools “had a difficult time” detecting the malware at the time of the release.

Speaking with SCMagazine.com, Ewane said the latest variant of njrat transformed the program from mere spyware to a robust strain of malware that is capable of launching DDOS attacks. He said the malware appears to be the creation of an organisation-sponsored hacker.

The hacker, who took no pains to keep his identity anonymous, goes by the name Ahmed Ibrahim and links directly from the malware's about page to his active Facebook profile, where he describes himself as a “ProFessional Programmer.”

Earlier this month, researchers at Fidelis Cybersecurity identified JSocket, a remote access tool that allows attackers to control Apple and Android mobile devices. According to senior threat researcher John Bambenek, JSocket was built using the basic framework of AlienSpy and was built by the same malware creator.

Bambenek told SCMagazine.com the company that makes the JSocket has tried to position itself as a legitimate software creator, but added, “I can't imagine what a legitimate use case would be.” The features include, for example, an ability to manipulate the call log on a mobile phone remotely.

AlienSpy is the RAT found on the phone of Alberto Nisman, an Argentinian prosecutor who was found dead just a day before he was scheduled to appear before Argentina's Congress to deliver testimony accusing the country's president of trying to cover up alleged Iranian involvement in the deadly bombing of a community center in 1994.

Last month, a British man was convicted of using the Blackshades, another spyware programme, to control the webcams of infected computers and spy on people having sex.