RAT Ecosystem Measurement:
In this work, we design, implement, and deploy improved methodologies for accurately measuring real victims that connect to our sinkhole, RAT-Hole, and for identifying RAT controllers using our scanner, RAT-Scan. Identifying victims at scale is made difficult by the amount of pollution sinkholes receive from increasingly high-fidelity scanners and sandboxes. Differentiating between real controllers and sinkholes is likewise nontrivial because of higher-fidelity sinkholes. This increasing fidelity, with RAT scanners that emulate more of a victim's behavior and sinkholes that emulate more of a real RAT controller's protocol, has likely created an arms race between entangled threat-intelligence operations, which we call Intelligence Pollution. The result is inaccurate measurements and wasted notification efforts, wherein researchers and security vendors may mistake beneficent sinkholes for malicious controllers, or scanners and sandboxes for actual victims.
RAT Operators Behavioral Study:
This project aimed to shed light on DarkComet RAT operators from a behavioral perspective, including the operator life cycle and operator motivation when engaging with a victim machine.
In this work we study the use of DarkComet, a popular commercial RAT. We collected 19,109 samples of DarkComet malware found in the wild and, in the course of two several-week-long experiments, ran as many samples as possible in our honeypot environment. By monitoring a sample's behavior in our system, we are able to reconstruct the sequence of operator actions, giving us a unique view into operator behavior. We report on the results of 2,747 interactive sessions captured in the course of the experiment. During these sessions operators frequently attempted to interact with victims via remote desktop, to capture video, audio, and keystrokes, and to exfiltrate files and credentials. To our knowledge, this is the first large-scale systematic study of RAT use.
IVI Security Assessment and Analysis:
In this project, we performed a comprehensive security analysis of an IVI system that is included in at least one 2015 model vehicle from a major automotive manufacturer. We documented and demonstrated insecurities in the MirrorLink protocol and the IVI implementation that could potentially enable an attacker with control of a driver's smartphone to send malicious messages on the vehicle's internal network. This work was funded by General Motors and DHS.